github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/specs/compliance/aws-cis-1.2.yaml

spec:
  id: aws-cis-1.2
  title: AWS CIS Foundations v1.2
  description: AWS CIS Foundations
  version: "1.2"
  relatedResources:
    - https://www.cisecurity.org/benchmark/amazon_web_services
  controls:
    - id: "1.1"
      name: limit-root-account-usage
      description: |-
        The "root" account has unrestricted access to all resources in the AWS account. It is highly
        recommended that the use of this account be avoided.
      checks:
        - id: AVD-AWS-0140
      severity: LOW
    - id: "1.10"
      name: no-password-reuse
      description: IAM Password policy should prevent password reuse.
      checks:
        - id: AVD-AWS-0056
      severity: MEDIUM
    - id: "1.11"
      name: set-max-password-age
      description: IAM Password policy should have expiry less than or equal to 90 days.
      checks:
        - id: AVD-AWS-0062
      severity: MEDIUM
    - id: "1.12"
      name: no-root-access-keys
      description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
      checks:
        - id: AVD-AWS-0141
      severity: CRITICAL
    - id: "1.13"
      name: enforce-root-mfa
      description: |-
        The "root" account has unrestricted access to all resources in the AWS account. It is highly
        recommended that this account have MFA enabled.
      checks:
        - id: AVD-AWS-0142
      severity: CRITICAL
    - id: "1.16"
      name: no-user-attached-policies
      description: IAM policies should not be granted directly to users.
      checks:
        - id: AVD-AWS-0143
      severity: LOW
    - id: "1.2"
      name: enforce-user-mfa
      description: IAM Users should have MFA enforcement activated.
      checks:
        - id: AVD-AWS-0145
      severity: MEDIUM
    - id: "1.3"
      name: disable-unused-credentials
      description: Credentials which are no longer used should be disabled.
      checks:
        - id: AVD-AWS-0144
      severity: MEDIUM
    - id: "1.4"
      name: rotate-access-keys
      description: Access keys should be rotated at least every 90 days
      checks:
        - id: AVD-AWS-0146
      severity: LOW
    - id: "1.5"
      name: require-uppercase-in-passwords
      description: IAM Password policy should have requirement for at least one uppercase character.
      checks:
        - id: AVD-AWS-0061
      severity: MEDIUM
    - id: "1.6"
      name: require-lowercase-in-passwords
      description: IAM Password policy should have requirement for at least one lowercase character.
      checks:
        - id: AVD-AWS-0058
      severity: MEDIUM
    - id: "1.7"
      name: require-symbols-in-passwords
      description: IAM Password policy should have requirement for at least one symbol in the password.
      checks:
        - id: AVD-AWS-0060
      severity: MEDIUM
    - id: "1.8"
      name: require-numbers-in-passwords
      description: IAM Password policy should have requirement for at least one number in the password.
      checks:
        - id: AVD-AWS-0059
      severity: MEDIUM
    - id: "1.9"
      name: set-minimum-password-length
      description: IAM Password policy should have minimum password length of 14 or more characters.
      checks:
        - id: AVD-AWS-0063
      severity: MEDIUM
    - id: "2.3"
      name: no-public-log-access
      description: The S3 Bucket backing Cloudtrail should be private
      checks:
        - id: AVD-AWS-0161
      severity: CRITICAL
    - id: "2.4"
      name: ensure-cloudwatch-integration
      description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
      checks:
        - id: AVD-AWS-0162
      severity: LOW
    - id: "2.5"
      name: enable-all-regions
      description: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
      checks:
        - id: AVD-AWS-0014
      severity: MEDIUM
    - id: "2.6"
      name: require-bucket-access-logging
      description: You should enable bucket access logging on the CloudTrail S3 bucket.
      checks:
        - id: AVD-AWS-0163
      severity: LOW
    - id: "3.1"
      name: require-unauthorised-api-call-alarm
      description: Ensure a log metric filter and alarm exist for unauthorized API calls
      checks:
        - id: AVD-AWS-0147
      severity: LOW
    - id: "3.10"
      name: require-sg-change-alarms
      description: Ensure a log metric filter and alarm exist for security group changes
      checks:
        - id: AVD-AWS-0156
      severity: LOW
    - id: "3.11"
      name: require-nacl-changes-alarm
      description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
      checks:
        - id: AVD-AWS-0157
      severity: LOW
    - id: "3.12"
      name: require-network-gateway-changes-alarm
      description: Ensure a log metric filter and alarm exist for changes to network gateways
      checks:
        - id: AVD-AWS-0158
      severity: LOW
    - id: "3.13"
      name: require-network-gateway-changes-alarm
      description: Ensure a log metric filter and alarm exist for route table changes
      checks:
        - id: AVD-AWS-0159
      severity: LOW
    - id: "3.14"
      name: require-vpc-changes-alarm
      description: Ensure a log metric filter and alarm exist for VPC changes
      checks:
        - id: AVD-AWS-0160
      severity: LOW
    - id: "3.2"
      name: require-non-mfa-login-alarm
      description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
      checks:
        - id: AVD-AWS-0148
      severity: LOW
    - id: "3.3"
      name: require-root-user-usage-alarm
      description: Ensure a log metric filter and alarm exist for usage of root user
      checks:
        - id: AVD-AWS-0149
      severity: LOW
    - id: "3.4"
      name: require-iam-policy-change-alarm
      description: Ensure a log metric filter and alarm exist for IAM policy changes
      checks:
        - id: AVD-AWS-0150
      severity: LOW
    - id: "3.5"
      name: require-cloud-trail-change-alarm
      description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
      checks:
        - id: AVD-AWS-0151
      severity: LOW
    - id: "3.6"
      name: require-console-login-failures-alarm
      description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
      checks:
        - id: AVD-AWS-0152
      severity: LOW
    - id: "3.7"
      name: require-cmk-disabled-alarm
      description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
      checks:
        - id: AVD-AWS-0153
      severity: LOW
    - id: "3.8"
      name: require-s3-bucket-policy-change-alarm
      description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
      checks:
        - id: AVD-AWS-0154
      severity: LOW
    - id: "3.9"
      name: require-config-configuration-changes-alarm
      description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
      checks:
        - id: AVD-AWS-0155
      severity: LOW
    - id: "4.1"
      name: no-public-ingress-sgr
      description: An ingress security group rule allows traffic from /0.
      checks:
        - id: AVD-AWS-0107
      severity: CRITICAL