1.1 Maintain current contact details (Manual)
1.2 Register security contact information (Manual)
1.3 Register security questions in the AWS account (Manual)
1.4 Ensure no 'root' user account access key exists (Automated)
1.5 Enable Multi-Factor Authentication (MFA) for the 'root' user account (Automated)
1.6 Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account (Manual)
1.7 Eliminate use of the 'root' user for administrative and daily tasks (Automated)
1.8 Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater (Automated)
1.9 Ensure Identity and Access Management (IAM) password policy prevents password reuse (Automated)
1.10 Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password (Automated)
1.11 Do not set up access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password (Automated)
1.12 Disable credentials unused for 45 days or greater (Automated)
1.13 Ensure there is only one active access key available for any single Identity and Access Management (IAM) user (Automated)
1.14 Rotate access keys every 90 days or less (Automated)
1.15 Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups (Automated)
1.16 This rule also encompasses lacework-global-485 and lacework-global-486. See Adjusted Controls for CIS AWS 1.4.0 or Adjusted Controls for AWS FSBP Standard for further details.
1.17 Create a support role to manage incidents with AWS Support (Automated)
1.18 Use Identity and Access Management (IAM) instance roles for AWS resource access from instances (Manual)
1.19 Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM) (Automated)
1.20 Enable Identity and Access Management (IAM) Access Analyzer for all regions (Automated)
1.21 Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments (Manual)
2.1.1 Ensure all S3 buckets employ encryption-at-rest (Automated)
2.1.2 Deny HTTP requests in S3 Bucket Policies (Automated)
2.1.3 Enable Multi-Factor Authentication (MFA) Delete on S3 buckets (Automated)
2.1.4 Discover, classify, and secure all data in Amazon S3 when required (Manual)
2.1.5 Configure S3 Buckets with 'Block public access (bucket settings)' (Automated)
2.2.1 Enable volume encryption for Elastic Block Store (EBS) (Automated)
2.3.1 Enable encryption for Relational Database Service (RDS) Instances (Automated)
3.1 Enable CloudTrail in all regions (Automated)
3.2 Enable CloudTrail log file validation (Automated)
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Automated)
3.4 Integrate CloudTrail trails with CloudWatch Logs (Automated)
3.5 This rule also encompasses lacework-global-497. See Adjusted Rules for CIS AWS 1.4.0 for further details.
3.6 Enable S3 bucket access logging on the CloudTrail S3 bucket (Automated)
3.7 Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys (Automated)
3.8 Enable rotation for Key Management Service (KMS) Keys (Automated)
3.9 Enable Virtual Private Cloud (VPC) flow logging in all VPCs (Automated)
3.10 Enable Object-level logging for write events on S3 buckets (Automated)
3.11 Enable Object-level logging for read events on S3 buckets (Automated)
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) (Automated)
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
4.4 Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes (Automated)
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys (Automated)
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
4.10 Ensure a log metric filter and alarm exist for security group changes (Automated)
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
4.12 Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
4.13 Ensure a log metric filter and alarm exist for route table changes (Automated)
4.14 Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes (Automated)
4.15 Ensure a log metric filter and alarm exist for AWS Organizations changes (Automated)
5.1 Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.3 Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic (Automated)
5.4 Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access" (Manual)