CIS AWS 1.4.0 Benchmark
Lacework provides compliance policies based on CIS Amazon Web Services Foundations Benchmark v1.4.0 (or CIS AWS 1.4.0 Benchmark for short).
Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Visibility and Usage in the Lacework Console
You can use the CIS AWS 1.4.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS AWS 1.4.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS AWS 1.4.0 Benchmark policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the CIS AWS 1.4.0 Benchmark.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the CIS AWS 1.4.0 Benchmark as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS AWS 1.4.0 Benchmark:
- Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.
Previous Integrations using Terraform
If you have previously integrated AWS with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run `terraform init -upgrade` to initialize the working directory (containing the Terraform files).
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to upgrade the modules.
CIS AWS 1.4.0 Benchmark Policies
All policies in the CIS AWS 1.4.0 Benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:cis-aws-1-4-0 tag to filter for CIS AWS 1.4.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS AWS 1.4.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-aws-1-4-0
lacework policy disable --tag framework:cis-aws-1-4-0
Enable or disable specific CIS AWS 1.4.0 policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-37
lacework policy disable lacework-global-37
Policy Mapping for CIS AWS 1.4.0
The CIS AWS 1.4.0 controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The CIS AWS 1.4.0 Benchmark security control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
1. Identity and Access Management (IAM)
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
1.1 | Maintain current contact details | lacework-global-31 | Manual | Manual | Low |
1.2 | Register security contact information | lacework-global-32 | Manual | Manual | Low |
1.3 | Register security questions in the AWS account | lacework-global-33 | Manual | Manual | Low |
1.4 | Ensure no 'root' user account access key exists | lacework-global-34 | Automated | Automated | Critical |
1.5 | Enable Multi-Factor Authentication (MFA) for the 'root' user account | lacework-global-35 | Automated | Automated | Critical |
1.6 | Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account | lacework-global-69 | Automated | Manual | Critical |
1.7 | Eliminate use of the 'root' user for administrative and daily tasks | lacework-global-36 | Automated | Automated | Low |
1.8 | Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater | lacework-global-37 | Automated | Automated | Medium |
1.9 | Ensure Identity and Access Management (IAM) password policy prevents password reuse | lacework-global-38 | Automated | Automated | Low |
1.10 | Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password | lacework-global-39 | Automated | Automated | High |
1.11 | Do not setup access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password | lacework-global-40 | Manual | Automated | Medium |
1.12 | Disable credentials unused for 45 days or greater | lacework-global-41 | Automated | Automated | Medium |
1.13 | Ensure there is only one active access key available for any single Identity and Access Management (IAM) user | lacework-global-42 | Automated | Automated | High |
1.14 | Rotate access keys every 90 days or less | lacework-global-43 | Automated | Automated | Medium |
1.15 | Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups | lacework-global-44 | Automated | Automated | Low |
1.16 | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users | lacework-global-45 (Users) lacework-global-485 (Groups) lacework-global-486 (Roles) | Automated | Automated | High |
1.17 | Create a support role to manage incidents with AWS Support | lacework-global-46 | Automated | Automated | Low |
1.18 | Use Identity and Access Management (IAM) instance roles for AWS resource access from instances | lacework-global-70 | Manual | Manual | Medium |
1.19 | Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM) | lacework-global-47 | Automated | Automated | High |
1.20 | Enable Identity and Access Management (IAM) Access analyzer for all regions | lacework-global-48 | Automated | Automated | Medium |
1.21 | Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments | lacework-global-71 | Manual | Manual | Medium |
2.1 Simple Storage Service (S3)
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.1.1 | Ensure all S3 buckets employ encryption-at-rest | lacework-global-72 | Manual | Automated | Medium |
2.1.2 | Deny HTTP requests in S3 Bucket Policies | lacework-global-73 | Manual | Automated | Medium |
2.1.3 | Enable Multi-Factor Authentication (MFA) Delete on S3 buckets | lacework-global-49 | Automated | Automated | Medium |
2.1.4 | Discover, classify, and secure all data in Amazon S3 when required | lacework-global-74 | Manual | Manual | Medium |
2.1.5 | Configure S3 Buckets with 'Block public access (bucket settings)' | lacework-global-50 | Automated | Automated | High |
2.2 Elastic Compute Cloud (EC2)
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.2.1 | Enable volume encryption for Elastic Block Store (EBS) | lacework-global-51 | Manual | Automated | Medium |
2.3 Relational Database Service (RDS)
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
2.3.1 | Enable encryption for Relational Database Service (RDS) Instances | lacework-global-52 | Automated | Automated | High |
3. Logging
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
3.1 | Enable CloudTrail in all regions | lacework-global-53 | Automated | Automated | High |
3.2 | Enable CloudTrail log file validation | lacework-global-75 | Automated | Automated | Low |
3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | lacework-global-54 | Automated | Automated | High |
3.4 | Integrate CloudTrail trails with CloudWatch Logs | lacework-global-55 | Automated | Automated | Low |
3.5 | Enable AWS Config in all regions | lacework-global-76 (all regions) lacework-global-497 (global resources) | Automated | Automated | High |
3.6 | Enable S3 bucket access logging on the CloudTrail S3 bucket | lacework-global-56 | Automated | Automated | High |
3.7 | Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys | lacework-global-77 | Automated | Automated | Medium |
3.8 | Enable rotation for Key Management Service (KMS) Keys | lacework-global-78 | Automated | Automated | Medium |
3.9 | Enable Virtual Private Cloud (VPC) flow logging in all VPCs | lacework-global-79 | Automated | Automated | Medium |
3.10 | Enable Object-level logging for write events on S3 buckets | lacework-global-80 | Automated | Automated | Medium |
3.11 | Enable Object-level logging for read events on S3 buckets | lacework-global-81 | Automated | Automated | Medium |
4. Monitoring
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
4.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | lacework-global-57 | Automated | Automated | Medium |
4.2 | Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) | lacework-global-58 | Automated | Automated | Medium |
4.3 | Ensure a log metric filter and alarm exist for usage of 'root' account | lacework-global-59 | Automated | Automated | Low |
4.4 | Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes | lacework-global-60 | Automated | Automated | Medium |
4.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | lacework-global-61 | Automated | Automated | Low |
4.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | lacework-global-82 | Automated | Automated | Medium |
4.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys | lacework-global-83 | Automated | Automated | Medium |
4.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | lacework-global-62 | Automated | Automated | Medium |
4.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | lacework-global-84 | Automated | Automated | Medium |
4.10 | Ensure a log metric filter and alarm exist for security group changes | lacework-global-85 | Automated | Automated | Medium |
4.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | lacework-global-86 | Automated | Automated | Medium |
4.12 | Ensure a log metric filter and alarm exist for changes to network gateways | lacework-global-63 | Automated | Automated | Medium |
4.13 | Ensure a log metric filter and alarm exist for route table changes | lacework-global-64 | Automated | Automated | Medium |
4.14 | Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes | lacework-global-65 | Automated | Automated | Medium |
4.15 | Ensure a log metric filter and alarm exists for AWS Organizations changes | lacework-global-66 | Automated | Automated | Low |
5. Networking
Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
---|---|---|---|---|---|
5.1 | Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports | lacework-global-67 | Automated | Automated | High |
5.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | lacework-global-68 | Automated | Automated | High |
5.3 | Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic | lacework-global-87 | Automated | Automated | High |
5.4 | Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access" | lacework-global-88 | Manual | Manual | High |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an AWS environment. These policies are manual, and you must verify them yourself. Lacework provides manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS AWS 1.4.0 Benchmark policies that fall within this category:
Control ID | Title | Lacework Policy ID |
---|---|---|
1.11 | Do not setup access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password | lacework-global-40 |
2.1.1 | Ensure all S3 buckets employ encryption-at-rest | lacework-global-72 |
2.1.2 | Deny HTTP requests in S3 Bucket Policies | lacework-global-73 |
2.2.1 | Enable volume encryption for Elastic Block Store (EBS) | lacework-global-51 |
Adjusted Controls
1.6 Ensure hardware MFA is enabled for the 'root' user account
This control has been changed from automatic to manual.
As per the CIS guidelines for this policy, Lacework originally checked whether 0 MFA devices were assigned to the 'root' user account, or whether a virtual MFA device was present.
However, it is now possible to have more than one MFA device for the 'root' user account, and MFA devices for the 'root' user cannot be listed programmatically.
As such, a manual inspection of your 'root' user account in AWS is required. CIS have also been informed of this behavior and will be adjusting the control to Manual in the future.
1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
This control has been split into three policies to monitor users, groups, and roles.
The following table lists each policy and their new title:
Control ID | Lacework Policy ID | Title |
---|---|---|
1.16 | lacework-global-45 | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users |
1.16 | lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups. |
1.16 | lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles. |
The policy catalog only retains one entry for this control, which is lacework-global-45.
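As an added illustration of the 1.16 split (example code, not Lacework's own policy logic), the following evaluates a constructed IAM snapshot and reports full-admin attachments separately for users, groups and roles. The input shapes loosely follow the IAM API but are assumptions of this example, and the sample data is constructed.

```python
# Added example, not Lacework's code. Data shapes loosely follow the IAM API
# but are an assumption of this example; the sample data below is constructed.
from typing import Dict, List


def _as_list(value) -> List[str]:
    # IAM lets Statement/Action/Resource be a single item or a list; normalise.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_policy(document: dict) -> bool:
    # CIS 1.16 condition: an Allow statement granting Action '*' on Resource '*'.
    # Deny statements and partial wildcards such as 's3:*' do not count.
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def find_admin_attachments(policies: Dict[str, dict],
                           attachments: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    # policies: policy name -> document. attachments: 'users'/'groups'/'roles'
    # -> {principal: [attached policy names]}. The result is keyed by principal
    # type, mirroring the three policies lacework-global-45 / -485 / -486.
    admin = {name for name, doc in policies.items() if is_full_admin_policy(doc)}
    return {
        kind: sorted(p for p, attached in attachments.get(kind, {}).items()
                     if admin.intersection(attached))
        for kind in ("users", "groups", "roles")
    }


SAMPLE_POLICIES = {  # constructed
    "AdminAll": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3Only": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "DenyAll": {"Statement": {"Effect": "Deny", "Action": ["*"], "Resource": ["*"]}},
}
SAMPLE_ATTACHMENTS = {  # constructed
    "users": {"alice": ["AdminAll"], "bob": ["S3Only", "DenyAll"]},
    "groups": {"Admins": ["AdminAll"], "Devs": ["S3Only"]},
    "roles": {"Deploy": ["S3Only"]},
}

if __name__ == "__main__":
    print(find_admin_attachments(SAMPLE_POLICIES, SAMPLE_ATTACHMENTS))
```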
3.5 Ensure AWS Config is enabled in all regions
This control has been split into two different policies to check the following regarding AWS Config:
- Ensure that AWS Config is enabled in all regions and configured to record all resources.
- Ensure at least one region has AWS Config configured to record all global resources (for example: IAM).
The table below outlines each policy and their new title:
Control ID | Lacework Policy ID | Title |
---|---|---|
3.5 | lacework-global-76 | Enable AWS Config in all regions |
3.5 | lacework-global-497 | Ensure AWS Config is recording Global Resources in at least one region |
The policy catalog only retains one entry for this control, which is lacework-global-76.
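As an added illustration of the 3.5 split (example code, not Lacework's own policy logic), the following evaluates a constructed per-region view of AWS Config recorders and returns the two findings separately: every region recording all resources, and global resources recorded in at least one region. The input shape loosely follows the AWS Config describe_configuration_recorders / describe_configuration_recorder_status responses but is an assumption of this example.

```python
# Added example, not Lacework's code. The per-region input shape loosely follows
# the AWS Config API but is an assumption of this example; sample data is constructed.
from typing import Dict, List


def _active_recording_groups(region_data: dict) -> List[dict]:
    # Recording groups of recorders that are actually recording; a recorder
    # that exists but is stopped satisfies neither check.
    status = region_data.get("status", {})
    return [rec.get("recordingGroup", {}) for rec in region_data.get("recorders", [])
            if status.get(rec.get("name"), {}).get("recording")]


def region_records_all_resources(region_data: dict) -> bool:
    # lacework-global-76, per region: an active recorder covers all supported types.
    return any(g.get("allSupported") for g in _active_recording_groups(region_data))


def region_records_global_resources(region_data: dict) -> bool:
    # lacework-global-497 condition: an active recorder also includes global
    # resource types such as IAM.
    return any(g.get("includeGlobalResourceTypes") for g in _active_recording_groups(region_data))


def evaluate_cis_3_5(regions: Dict[str, dict]) -> dict:
    # Returns both findings plus the regions behind each, so a report can say
    # which region is missing a recorder rather than only that the control failed.
    failing = sorted(r for r, d in regions.items() if not region_records_all_resources(d))
    global_regions = sorted(r for r, d in regions.items() if region_records_global_resources(d))
    return {
        "all_regions_recording_all_resources": not failing,
        "regions_missing_recorder": failing,
        "global_resources_recorded_somewhere": bool(global_regions),
        "regions_recording_global": global_regions,
    }


SAMPLE_REGIONS = {  # constructed
    "us-east-1": {"recorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
                  "status": {"default": {"recording": True}}},
    "eu-west-1": {"recorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}],
                  "status": {"default": {"recording": True}}},
    "ap-south-1": {"recorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
                   "status": {"default": {"recording": False}}},
}

if __name__ == "__main__":
    print(evaluate_cis_3_5(SAMPLE_REGIONS))
```

In the sample, ap-south-1 has a recorder configured for everything but stopped, which is why it fails the per-region check and does not count toward global-resource coverage.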