Service Screener

CIS Amazon Web Services Foundations Benchmark

The CIS Amazon Web Services Foundations Benchmark is a set of security configuration best practices for AWS accounts and resources. The benchmark covers identity and access management, logging and monitoring, networking, data protection, and incident response.
Read more

Summary: [Not available:1] | [Compliant:13] | [Need Attention:24]

Breakdown

Framework. CIS Amazon Web Services Foundations Benchmark

Category	Rule ID	Compliance Status	Description	Reference
CloudTrail.	1	Compliant	[NeedToEnableCloudTrail] [HasOneMultiRegionTrail]
CloudTrail.	2	Need Attention	[RequiresKmsKey] - Enable SSE [ap-southeast-1]Cloudtrail::SWOCloudTrail-Organizational	Encrypt CloudTrail using AWS KMS CloudTrail Security Best Practices
CloudTrail.	4	Compliant	[LogFileValidationEnabled]
CloudTrail.	5	Need Attention	[CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail [ap-southeast-1]Cloudtrail::SWOCloudTrail-Organizational	Using CloudWatch Logs with CloudTrail
CloudTrail.	6	Compliant	[EnableS3PublicAccessBlock]
CloudTrail.	7	Compliant	[EnableTrailS3BucketLogging]
CloudWatch.	1	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAroot1]	CIS Cloudwatch Controls
CloudWatch.	4	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAalarm4]	CIS Cloudwatch Controls
CloudWatch.	5	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMATrail5]	CIS Cloudwatch Controls
CloudWatch.	6	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAAuthFail6]	CIS Cloudwatch Controls
CloudWatch.	7	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMACMK7]	CIS Cloudwatch Controls
CloudWatch.	8	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAS3Policy8]	CIS Cloudwatch Controls
CloudWatch.	9	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAConfig9]	CIS Cloudwatch Controls
CloudWatch.	10	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMASecGroup10]	CIS Cloudwatch Controls
CloudWatch.	11	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMANACL11]	CIS Cloudwatch Controls
CloudWatch.	12	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAGateway12]	CIS Cloudwatch Controls
CloudWatch.	13	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMARouteTable13]	CIS Cloudwatch Controls
CloudWatch.	14	Need Attention	[NeedToEnableCloudTrail] [trailWithoutCWLogs] - CloudTrail to have CloudWatch Log [us-east-1]ctLog::arn:aws:cloudtrail:us-east-1:737844837112:trail/SWOCloudTrail-Organizational [trailWithCWLogsWithoutMetrics] [trailWOMAVPC14]	CIS Cloudwatch Controls
Config.	1	Need Attention	[EnableConfigService] [PartialEnableConfigService] - Enable AWS Config [GLOBAL]Account::Config	Enable AWS Config
EC2.	2	Need Attention	[SGDefaultDisallowTraffic] - Default Security Group with Rules [us-east-1]SG::sg-03ec10c6bdf83dac6	VPC default security group rules
EC2.	6	Compliant	[VPCFlowLogEnabled]
EC2.	7	Compliant	[EBSEncrypted]
EC2.	21	Need Attention	[NACLSensitivePort] - Remove unrestricted ingress access to sensitive port [ap-southeast-1]NACL::acl-0207f50a6471f4506, NACL::acl-0493fbf62f74c5350, NACL::acl-04e953ccbb7ab1f17, NACL::acl-030c820fa876e7041, NACL::acl-07dd5ff3672f413fd, NACL::acl-06e1dac21726223b1	Amazon Elastic Compute Cloud controls
IAM.	1	Need Attention	[FullAdminAccess] - Limit permissions. [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::AWSControlTowerExecution, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_YoPayment-AWS-Admin-Pgw-Dev_999b53209cafbc21, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618	AWS Docs Organization GuardRail Blog
IAM.	3	Need Attention	[hasAccessKeyNoRotate90days] - Rotate credentials regularly [GLOBAL]User::yopayment-dev-ses-user	Rotate access key
IAM.	4	Compliant	[rootHasAccessKey]
IAM.	5	Compliant	[mfaActive]
IAM.	9	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
IAM.	15	Compliant	[passwordPolicyLength]
IAM.	16	Need Attention	[passwordPolicyReuse] - Set a stronger password policy [GLOBAL]Account::Config	IAM Password Policy
IAM.	18	Not available	Please refer to the CIS control section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective CIS control.
IAM.	22	Need Attention	[consoleLastAccess45] [consoleLastAccess90] - Validate IAM user console access [GLOBAL]User::root_id [consoleLastAccess365]	Finds unused credentials
KMS.	4	Compliant	[KeyRotationEnabled]
RDS.	3	Compliant	[StorageEncrypted]
S3.	1	Compliant	[S3AccountPublicAccessBlock]
S3.	5	Need Attention	[TlsEnforced] - Enforce Encryption of Data in Transit [ap-southeast-1]Bucket::262130478988-pgw-dev-tf-state, Bucket::archiver-system.dev.sg.pgw, Bucket::images-upload.dev.sg.pgw, Bucket::images-upload.dev.sgp-pay1-wallet, Bucket::logs.dev.sg.pgw, Bucket::payment-gateway-dev-tf-state, Bucket::pgw-config.dev.sg.pgw	AWS Docs
S3.	8	Compliant	[PublicAccessBlock]
S3.	20	Need Attention	[MFADelete] - Enable MFA Delete [ap-southeast-1]Bucket::262130478988-pgw-dev-tf-state, Bucket::archiver-system.dev.sg.pgw, Bucket::images-upload.dev.sg.pgw, Bucket::images-upload.dev.sgp-pay1-wallet, Bucket::logs.dev.sg.pgw, Bucket::payment-gateway-dev-tf-state, Bucket::pgw-config.dev.sg.pgw	Prevention for Accidental Deletions on S3 AWS Docs