CIS 8.1 - AWS
This page lists all 115 policies in the CIS 8.1 pack for AWS.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| ec2-stopped-instance-30-days | Ensure EC2 instances are stopped after 30 days to maintain asset inventory hygiene. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| ssm-managed-instance-compliance-association-compliant | Ensure SSM managed instances have compliance association to maintain proper asset management. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-eip-associated | Ensure VPC elastic IPs are associated with resources to maintain proper asset inventory. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-network-acl-unused | Ensure no VPC network ACLs are left unused, to maintain proper network security asset management. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-security-group-associated-to-eni | Ensure VPC security groups are associated with ENIs (elastic network interfaces) to maintain proper network security asset management. | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| guardduty-enabled | Ensures AWS GuardDuty is enabled with malware detection capabilities for threat protection. | 1.2 | Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. |
| elasticbeanstalk-managed-updates-enabled | Elastic Beanstalk environments must have managed platform updates enabled | 2.2 | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
| alb-http-to-https-redirection-check | Ensure ALB HTTP listeners redirect to HTTPS for secure data transmission. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elb-acm-certificate-required | Ensure ELB Classic Load Balancers use ACM certificates for HTTPS/SSL listeners. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elb-disallow-unencrypted-traffic | Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elbv2-acm-certificate-required | Ensure ELBv2 (ALB/NLB) HTTPS listeners use ACM certificates for automated certificate management. | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| s3-bucket-ssl-enforcement-required | S3 buckets must enforce SSL/TLS for all requests to ensure encryption in transit | 3.1 | Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| neptune-clusterinstance-no-public-access | Checks that Neptune cluster instances do not have public access enabled. | 3.3 | Ensure that database instances are not publicly accessible. |
| rds-cluster-instance-disallow-public-access | Checks that RDS cluster instances do not have public access enabled. | 3.3 | Ensure that database instances are not publicly accessible. |
| rds-instance-disallow-public-access | Checks that RDS instances do not have public access enabled. | 3.3 | Ensure that database instances are not publicly accessible. |
| autoscaling-launch-config-public-ip-disabled | Ensure Auto Scaling launch configurations have public IP address assignment disabled to prevent direct internet access and maintain proper data access control. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| dms-replication-instance-not-publicly-accessible | Ensures DMS replication instances are not publicly accessible to maintain security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ebs-snapshot-not-publicly-restorable | Ensure EBS snapshots are not publicly restorable to prevent unauthorized data access. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ec2-instance-iam-profile-attached | Ensure EC2 instances have IAM instance profiles attached for proper access control and security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ec2-instance-in-vpc | EC2 instances must be placed in VPC for network isolation | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ec2-instance-not-publicly-accessible | Ensure EC2 instances do not have public IP addresses for enhanced security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ec2-imdsv2-required | EC2 instances must use IMDSv2 | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ecs-task-definition-user-for-host-mode-check | ECS task definitions must use a non-privileged user when running in host mode | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| eks-cluster-endpoint-restrict-public-access | Ensure EKS cluster endpoints are not publicly accessible for enhanced security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| elasticsearch-in-vpc-only | Elasticsearch domains must be deployed in VPC for network isolation | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| emr-cluster-master-nodes-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| emr-kerberos-enabled | Ensure EMR clusters have Kerberos authentication enabled for enhanced security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-no-inline-policy-check | Ensure IAM roles and users do not use inline policies for better security and manageability. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-policy-no-statements-with-full-access | Ensure IAM policies do not contain statements with full access permissions for enhanced security. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-user-no-policies-check | Ensure IAM users follow best practices by using groups and roles instead of direct policy attachments. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| lambda-function-public-access-prohibited | Lambda functions must restrict public access through resource-based policies | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| lambda-inside-vpc | Lambda functions must be deployed in VPC for network isolation and security | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| redshift-cluster-public-access-check | Ensures Redshift clusters prohibit public access to prevent unauthorized connections. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| s3-bucket-level-public-access-prohibited | Ensures each S3 bucket has a public access block with all settings enabled | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| s3-bucket-policy-grantee-check | Ensure S3 bucket policies do not grant access to inappropriate principals for proper access control. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| s3-bucket-public-write-prohibited | Ensure S3 buckets do not allow public write access through ACL settings for proper data access control. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| s3-bucket-restrict-public-read-access | Ensure S3 buckets do not allow public read access through ACL settings for proper data access control. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| sagemaker-notebook-no-direct-internet-access | Ensures SageMaker notebook instances have direct internet access disabled. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| subnet-auto-assign-public-ip-disabled | Ensures VPC subnets have auto-assign public IP disabled to prevent unintended internet exposure. | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloudwatch-log-group-retention-period-365 | Ensures CloudWatch log groups have appropriate retention periods for compliance. | 3.4 | Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines. |
| rds-cluster-logging-enabled | Ensure RDS clusters have logging enabled for monitoring and audit compliance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| rds-instance-logging-enabled | Ensure RDS database instances have logging enabled for monitoring and audit compliance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloudtrail-s3-dataevents-enabled | Ensures CloudTrail trails have S3 data events enabled for comprehensive object-level logging. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloud-trail-cloud-watch-logs-enabled | Ensures CloudTrail trails have CloudWatch Logs integration enabled for real-time monitoring and analysis. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| ec2-instance-detailed-monitoring-enabled | EC2 instances must have detailed monitoring enabled | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elasticsearch-logs-to-cloudwatch | Ensure Elasticsearch domains send logs to CloudWatch for monitoring and analysis. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elb-logging-enabled | Check that ELB load balancers have access logging enabled. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| lambda-concurrency-check | Lambda functions must have concurrent execution limits configured to protect resource availability | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| no-unrestricted-route-to-igw | Ensures VPC route tables restrict public access to internet gateways appropriately. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| rds-logging-enabled | Ensure RDS database instances have logging enabled for monitoring and audit compliance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| redshift-cluster-configuration-check | Ensure each Redshift cluster has audit logging enabled for security monitoring and compliance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| restricted-ssh | Ensure security groups restrict SSH access from 0.0.0.0/0 to prevent unauthorized remote access. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| s3-bucket-logging-enabled | Ensure each S3 bucket has access logging enabled for monitoring and audit compliance. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| wafv2-logging-enabled | Ensure WAFv2 web ACLs have logging enabled for security monitoring and analysis. | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| rds-cluster-disallow-unencrypted-storage | Checks that RDS cluster storage is encrypted. | 3.11 | Encrypt Sensitive Data at Rest |
| api-gw-stage-cache-enabled | Ensure API Gateway stages have caching enabled for performance. | 3.11 | Enable caching on API Gateway stages to improve API performance and reduce backend load. This policy validates the Stage resource configuration. Cache encryption is validated separately via the api-gw-cache-encrypted policy. |
| api-gateway-cache-encryption-enabled | Ensures API Gateway method settings have cache data encryption enabled when caching is configured. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloud-trail-encryption-enabled | Ensures CloudTrail trails have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloudwatch-log-group-kms-encryption-enabled | Ensures CloudWatch log groups have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| dynamodb-kms-encryption-enabled | Ensures DynamoDB tables have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| efs-encryption-required | Checks that EFS file systems are encrypted at rest. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| elasticsearch-encryption-enabled | Elasticsearch domains must have encryption at rest enabled | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| ebs-volume-encryption-required | Checks that EBS volumes are encrypted. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| kms-cmk-not-scheduled-for-deletion | Ensure KMS customer-managed keys are not scheduled for deletion to prevent data access loss. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| rds-encryption-enabled | Checks that RDS instance storage is encrypted. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| s3-bucket-encryption | S3 buckets must have server-side encryption configured using the BucketServerSideEncryptionConfiguration resource | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| sagemaker-endpoint-kms-encryption-enabled | Ensures SageMaker endpoint configurations have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| sagemaker-notebook-kms-encryption-enabled | Ensures SageMaker notebook instances have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| secrets-manager-kms-encryption-enabled | Ensures Secrets Manager secrets have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| sns-kms-encryption-enabled | Ensures SNS topics have encryption enabled using KMS keys. | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| ebs-volume-unused | EBS volumes must be removed when unused | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| redshift-maintenance-required | Ensures Redshift clusters have proper maintenance settings configured for automated updates. | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloudtrail-security-trail-enabled | Ensure CloudTrail security trail is enabled for comprehensive audit logging and monitoring. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| autoscaling-health-checks-enabled | Ensures Auto Scaling groups with load balancers have ELB health checks configured for proper monitoring. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| cloud-trail-log-file-validation-enabled | Ensures CloudTrail trails have log file validation enabled to protect audit log integrity. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| kms-key-rotation-enabled | Checks that KMS Keys have key rotation enabled. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| ebs-attached-volume-encryption-enabled | Ensure EBS volumes attached to EC2 instances are encrypted to protect data at rest. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| iam-policy-no-statements-with-admin-access | Ensure IAM policies do not contain statements with administrative access permissions for enhanced security. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| s3-bucket-public-read-prohibited | Ensure S3 buckets prohibit public read access through comprehensive access controls. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| vpc-security-group-restrict-ingress-ssh-all | Ensure VPC security groups restrict SSH ingress access from all IPs (0.0.0.0/0) to prevent unauthorized access. | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| iam-root-user-no-access-keys | Prevents creation of direct IAM user access keys for human users | 4.7 | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. |
| iam-account-password-policy-strong-min-reuse-24 | Ensure IAM password policy prevents password reuse. | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. |
| iam-root-user-mfa-enabled | Ensure AWS root user has Multi-Factor Authentication (MFA) device configured for enhanced security. | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. |
| iam-user-console-access-mfa-enabled | IAM users must have MFA enabled for console access | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. |
| iam-user-mfa-enabled | Ensure all IAM users have Multi-Factor Authentication (MFA) devices configured for enhanced security. | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. |
| iam-user-unused-credentials-90 | Ensure IAM user credentials are rotated within 90 days to prevent dormant account usage and enhance security. | 5.3 | Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. |
| iam-policy-no-star-star | Ensure IAM policies do not contain wildcard permissions (Action: *, Resource: *) for enhanced security and least privilege. | 5.4 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. |
| securityhub-enabled | Ensures AWS Security Hub is enabled for continuous monitoring and security assessment. | 7.1 | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| ssm-managed-instance-compliance-patch-compliant | Ensure SSM managed instances have patch compliance associations configured for vulnerability management. | 7.1; 7.3 | CIS Controls v8 IG1 7.1; 7.3 - Vulnerability Management: Establish and maintain a documented vulnerability management process for enterprise assets, and perform automated operating system patch management on a monthly or more frequent basis. |
| apigateway-stage-logging-enabled | Ensures API Gateway stages have access logging enabled | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloudfront-distribution-logging-enabled | Ensure CloudFront distributions have access logging enabled to collect audit logs for compliance. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloudtrail-trail-enabled | Ensures CloudTrail is enabled with at least one active trail for audit logging. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloudtrail-trail-integrated-with-logs | Ensure CloudTrail trails integrate with CloudWatch Logs to collect audit logs for compliance. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| vpc-flow-logs-enabled | Ensures VPC flow logs use approved destinations for centralized monitoring | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| waf-web-acl-logging-enabled | Ensure WAF web ACLs have logging enabled to collect security audit logs for compliance. | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| dynamodb-pitr-enabled | DynamoDB tables must have point-in-time recovery enabled | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| ebs-optimized-instance | EC2 instances must be EBS optimized | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| rds-db-instance-backup-enabled | Checks that RDS Instances backup retention policy is enabled. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| redshift-backup-enabled | Ensures Redshift clusters have automatic snapshots enabled with minimum 7-day retention period. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| s3-bucket-replication | Ensure S3 buckets have replication enabled for automated backup to different regions. | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| s3-bucket-versioning-enabled | S3 buckets must have versioning enabled using BucketVersioning resource | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| dynamodb-table-in-backup-plan | Ensure DynamoDB tables are included in AWS Backup plans for centralized backup management. | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| ebs-volume-in-backup-plan | Ensure EBS volumes are included in AWS Backup plans for automated backup and recovery capabilities. | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| ec2-instance-ssm-managed | Ensure EC2 instances are managed by AWS Systems Manager for network infrastructure management. | 12.1 | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network as a service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. |
| acm-certificate-expiration-check | Ensure ACM certificates are configured to prevent expiration-related service disruptions through automatic renewal. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| dynamodb-autoscaling-enabled | Ensures DynamoDB tables have auto-scaling or on-demand mode enabled for capacity management. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| ec2-instance-no-public-ip | Checks that EC2 instances do not have a public IP address. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| elb-cross-zone-load-balancing-enabled | Classic Load Balancers must have cross-zone load balancing enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| elb-deletion-protection-enabled | Load balancers must have deletion protection enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| rds-instance-deletion-protection-enabled | RDS database instances must have deletion protection enabled to prevent accidental deletion and ensure data availability | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| rds-multi-az-support | Ensures RDS instances have Multi-AZ deployment enabled for high availability | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| redshift-enhanced-vpc-routing-enabled | Ensures Redshift clusters have enhanced VPC routing enabled for network isolation. | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| alb-waf-enabled | Ensure Application Load Balancers have WAF protection enabled for application layer defense. | 13.1 | Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. |
| codebuild-project-envvar-awscred-check | Ensure CodeBuild project environment variables do not contain AWS credentials. | 16.1 | Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| codebuild-project-source-repo-url-check | Ensure CodeBuild project source repository URLs use secure and trusted sources. | 16.1 | Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |