github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/specs/compliance/aws-cis-1.4.yaml

spec:
  id: aws-cis-1.4
  title: AWS CIS Foundations v1.4
  description: AWS CIS Foundations
  version: "1.4"
  relatedResources:
    - https://www.cisecurity.org/benchmark/amazon_web_services
  controls:
    - id: 2.1.3
      name: require-mfa-delete
      description: Buckets should have MFA deletion protection enabled.
      checks:
        - id: AVD-AWS-0170
      severity: LOW
    - id: "1.12"
      name: disable-unused-credentials-45-days
      description: |-
        AWS IAM users can access AWS resources using different types of credentials, such as
        passwords or access keys. It is recommended that all credentials that have been unused in
        45 or greater days be deactivated or removed.
      checks:
        - id: AVD-AWS-0166
      severity: LOW
    - id: "1.13"
      name: limit-user-access-keys
      description: No user should have more than one active access key.
      checks:
        - id: AVD-AWS-0167
      severity: LOW
    - id: "1.14"
      name: rotate-access-keys
      description: Access keys should be rotated at least every 90 days
      checks:
        - id: AVD-AWS-0146
      severity: LOW
    - id: "1.15"
      name: no-user-attached-policies
      description: IAM policies should not be granted directly to users.
      checks:
        - id: AVD-AWS-0143
      severity: LOW
    - id: "1.16"
      name: no-policy-wildcards
      description: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
      checks:
        - id: AVD-AWS-0057
      severity: HIGH
    - id: "1.17"
      name: require-support-role
      description: Missing IAM Role to allow authorized users to manage incidents with AWS Support.
      checks:
        - id: AVD-AWS-0169
      severity: LOW
    - id: "1.19"
      name: remove-expired-certificates
      description: Delete expired TLS certificates
      checks:
        - id: AVD-AWS-0168
      severity: LOW
    - id: "1.20"
      name: enable-access-analyzer
      description: Enable IAM Access analyzer for IAM policies about all resources in each region.
      checks:
        - id: AVD-AWS-0175
      severity: LOW
    - id: "1.4"
      name: enforce-user-mfa
      description: IAM Users should have MFA enforcement activated.
      checks:
        - id: AVD-AWS-0145
      severity: MEDIUM
    - id: "1.4"
      name: no-root-access-keys
      description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
      checks:
        - id: AVD-AWS-0141
      severity: CRITICAL
    - id: "1.5"
      name: enforce-root-mfa
      description: |-
        The "root" account has unrestricted access to all resources in the AWS account. It is highly
        recommended that this account have MFA enabled.
      checks:
        - id: AVD-AWS-0142
      severity: CRITICAL
    - id: "1.6"
      name: enforce-root-hardware-mfa
      description: |-
        The "root" account has unrestricted access to all resources in the AWS account. It is highly
        recommended that this account have hardware MFA enabled.
      checks:
        - id: AVD-AWS-0165
      severity: MEDIUM
    - id: "1.7"
      name: limit-root-account-usage
      description: |-
        The "root" account has unrestricted access to all resources in the AWS account. It is highly
        recommended that the use of this account be avoided.
      checks:
        - id: AVD-AWS-0140
      severity: LOW
    - id: "1.8"
      name: set-minimum-password-length
      description: IAM Password policy should have minimum password length of 14 or more characters.
      checks:
        - id: AVD-AWS-0063
      severity: MEDIUM
    - id: "1.9"
      name: no-password-reuse
      description: IAM Password policy should prevent password reuse.
      checks:
        - id: AVD-AWS-0056
      severity: MEDIUM
    - id: "3.10"
      name: enable-object-write-logging
      description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
      checks:
        - id: AVD-AWS-0171
      severity: LOW
    - id: "3.11"
      name: enable-object-read-logging
      description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
      checks:
        - id: AVD-AWS-0172
      severity: LOW
    - id: "3.3"
      name: no-public-log-access
      description: The S3 Bucket backing Cloudtrail should be private
      checks:
        - id: AVD-AWS-0161
      severity: CRITICAL
    - id: "3.4"
      name: ensure-cloudwatch-integration
      description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
      checks:
        - id: AVD-AWS-0162
      severity: LOW
    - id: "3.6"
      name: require-bucket-access-logging
      description: You should enable bucket access logging on the CloudTrail S3 bucket.
      checks:
        - id: AVD-AWS-0163
      severity: LOW
    - id: "4.10"
      name: require-sg-change-alarms
      description: Ensure a log metric filter and alarm exist for security group changes
      checks:
        - id: AVD-AWS-0156
      severity: LOW
    - id: "4.1"
      name: require-unauthorised-api-call-alarm
      description: Ensure a log metric filter and alarm exist for unauthorized API calls
      checks:
        - id: AVD-AWS-0147
      severity: LOW
    - id: "4.11"
      name: require-nacl-changes-alarm
      description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
      checks:
        - id: AVD-AWS-0157
      severity: LOW
    - id: "4.12"
      name: require-network-gateway-changes-alarm
      description: Ensure a log metric filter and alarm exist for changes to network gateways
      checks:
        - id: AVD-AWS-0158
      severity: LOW
    - id: "4.13"
      name: require-network-gateway-changes-alarm
      description: Ensure a log metric filter and alarm exist for route table changes
      checks:
        - id: AVD-AWS-0159
      severity: LOW
    - id: "4.14"
      name: require-vpc-changes-alarm
      description: Ensure a log metric filter and alarm exist for VPC changes
      checks:
        - id: AVD-AWS-0160
      severity: LOW
    - id: "4.15"
      name: require-org-changes-alarm
      description: Ensure a log metric filter and alarm exist for organisation changes
      checks:
        - id: AVD-AWS-0174
      severity: LOW
    - id: "4.2"
      name: require-non-mfa-login-alarm
      description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
      checks:
        - id: AVD-AWS-0148
      severity: LOW
    - id: "4.3"
      name: require-root-user-usage-alarm
      description: Ensure a log metric filter and alarm exist for usage of root user
      checks:
        - id: AVD-AWS-0149
      severity: LOW
    - id: "4.4"
      name: require-iam-policy-change-alarm
      description: Ensure a log metric filter and alarm exist for IAM policy changes
      checks:
        - id: AVD-AWS-0150
      severity: LOW
    - id: "4.5"
      name: require-cloud-trail-change-alarm
      description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
      checks:
        - id: AVD-AWS-0151
      severity: LOW
    - id: "4.6"
      name: require-console-login-failures-alarm
      description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
      checks:
        - id: AVD-AWS-0152
      severity: LOW
    - id: "4.7"
      name: require-cmk-disabled-alarm
      description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
      checks:
        - id: AVD-AWS-0153
      severity: LOW
    - id: "4.8"
      name: require-s3-bucket-policy-change-alarm
      description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
      checks:
        - id: AVD-AWS-0154
      severity: LOW
    - id: "4.9"
      name: require-config-configuration-changes-alarm
      description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
      checks:
        - id: AVD-AWS-0155
      severity: LOW
    - id: "5.3"
      name: restrict-all-in-default-sg
      description: Default security group should restrict all traffic
      checks:
        - id: AVD-AWS-0173
      severity: LOW