Use the table below as a quick reference to map the CIS AWS Foundations Benchmark recommendations to the
sections above.
| # | Section | Description |
|---|---|---|
| 1.1 | Answer security questions and complete contact details | Complete the contact details on the AWS account page |
| 1.2 | Answer security questions and complete contact details | Complete the security contact information on the AWS account page |
| 1.3 | Answer security questions and complete contact details | Answer the security questions on the AWS account page |
| 1.4 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that the Security Hub service is enabled, which will notify you if the root user has access keys set |
| 1.5 | Enable MFA for the root account | Manually configure MFA for the root user |
| 1.6 | Enable MFA for the root account | Use a Yubikey (or other hardware MFA) for the root user |
| 1.7 | Manual steps | Take manual steps to complete this recommendation |
| 1.8-1.9 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to set up the IAM password policy |
| 1.10 | Configure authentication | Configure authentication using SAML or IAM |
| 1.11 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users |
| 1.12 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused credentials |
| 1.13 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no extra access keys |
| 1.14 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused access keys |
| 1.15 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users and groups |
| 1.16 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure no full-access policies are attached to any groups or users |
| 1.17 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create a support group |
| 1.18 | Use IAM roles for EC2 instances | Use Gruntwork modules to ensure EC2 instances use roles for access |
| 1.19 | Clean up expired SSL/TLS certificates | Use Gruntwork modules to automatically remove expired certificates from IAM |
| 1.20 | IAM Access Analyzer | Use Gruntwork modules to enable IAM Access Analyzer across regions |
| 1.21 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure IAM users are managed centrally through the use of AWS Organizations |
| 2.1.1-2.1.2 | S3 Buckets | Use the private-s3-bucket module |
| 2.1.3 | S3 Buckets | Use the private-s3-bucket module and follow the instructions in the README |
| 2.1.4 | Apply the account-baseline-root baseline to the root account; Apply the account-baseline-security to the security account; Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure Amazon Macie is enabled |
| 2.1.5 | S3 Buckets | Use the private-s3-bucket module |
| 2.2.1 | Configure EBS Encryption | Use Gruntwork modules to configure AWS EBS encryption |
| 2.3.1 | Configure RDS Encryption | Use Gruntwork modules to configure AWS RDS encryption |
| 3.1-3.4 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail is enabled and configured in all regions |
| 3.5 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure AWS Config is enabled in all regions |
| 3.6 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure the CloudTrail S3 bucket has access logging enabled |
| 3.7 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| 3.8 | Enable key rotation for KMS keys | Use the KMS module |
| 3.9 | Create VPC flow logs | Use the Gruntwork CIS-compliant vpc service to provision VPCs with flow logs enabled |
| 3.10-3.11 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure object-level logging is enabled for S3 buckets for read and write events |
| 4.1-4.15 | Maintaining compliance by following Monitoring best practices | The CloudWatch Logs metric filters wrapper module will satisfy each recommendation |
| 5.1 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to ensure there is no public remote access |
| 5.2 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service for a secure network configuration |
| 5.3 | Maintaining compliance by following Networking best practices | Use the cloud-nuke tool to remove all default security groups |
| 5.4 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to configure least-privilege routing by default |