
CIS AWS 1.4.0 Benchmark

Lacework provides compliance policies based on CIS Amazon Web Services Foundations Benchmark v1.4.0 (or CIS AWS 1.4.0 Benchmark for short).

Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.

Visibility and Usage in the Lacework Console

You can use the CIS AWS 1.4.0 Benchmark in the following ways:

Prerequisites

Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS AWS 1.4.0 Benchmark:

  • Integrate Lacework with AWS
    • A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.

Previous Integrations using Terraform

If you have previously integrated AWS with Lacework using Terraform before this benchmark was available:

  1. Enter the directory containing the Terraform files used for the integration.
  2. Run terraform init -upgrade to initialize the working directory (containing the Terraform files).
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.

CIS AWS 1.4.0 Benchmark Policies

All policies in the CIS AWS 1.4.0 Benchmark are enabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:cis-aws-1-4-0 tag to filter for CIS AWS 1.4.0 policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Enable or Disable Policies using the Lacework CLI

tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Enable or disable all the CIS AWS 1.4.0 policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-aws-1-4-0
Disable all policies
lacework policy disable --tag framework:cis-aws-1-4-0

Enable or disable specific CIS AWS 1.4.0 policies using the following command examples in the Lacework CLI:

Enable lacework-global-37
lacework policy enable lacework-global-37
Disable lacework-global-37
lacework policy disable lacework-global-37

Policy Mapping for CIS AWS 1.4.0

The CIS AWS 1.4.0 controls are mapped to Lacework policies, as listed in the following tables.

Table key:

  • Control ID - The CIS AWS 1.4.0 Benchmark security control identifier.
  • Title - The policy/control title.
  • Lacework Policy ID - The Lacework policy identifier.
  • CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
  • Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
  • Severity - The severity of the policy (as determined by Lacework).
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.1 | Maintain current contact details | lacework-global-31 | Manual | Manual | Low |
| 1.2 | Ensure security contact information is registered | lacework-global-32 | Manual | Manual | Low |
| 1.3 | Ensure security questions are registered in the AWS account | lacework-global-33 | Manual | Manual | Low |
| 1.4 | Ensure no 'root' user account access key exists | lacework-global-34 | Automated | Automated | Critical |
| 1.5 | Ensure MFA is enabled for the 'root' user account | lacework-global-35 | Automated | Automated | Critical |
| 1.6 | Ensure hardware MFA is enabled for the 'root' user account | lacework-global-69 | Automated | Manual | Critical |
| 1.7 | Eliminate use of the 'root' user for administrative and daily tasks | lacework-global-36 | Automated | Automated | Low |
| 1.8 | Ensure IAM password policy requires minimum length of 14 or greater | lacework-global-37 | Automated | Automated | Medium |
| 1.9 | Ensure IAM password policy prevents password reuse | lacework-global-38 | Automated | Automated | Low |
| 1.10 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | lacework-global-39 | Automated | Automated | High |
| 1.11 | Do not setup access keys during initial user setup for all IAM users that have a console password | lacework-global-40 | Manual | Automated | Medium |
| 1.12 | Ensure credentials unused for 45 days or greater are disabled | lacework-global-41 | Automated | Automated | Medium |
| 1.13 | Ensure there is only one active access key available for any single IAM user | lacework-global-42 | Automated | Automated | High |
| 1.14 | Ensure access keys are rotated every 90 days or less | lacework-global-43 | Automated | Automated | Medium |
| 1.15 | Ensure IAM Users Receive Permissions Only Through Groups | lacework-global-44 | Automated | Automated | Low |
| 1.16 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached | lacework-global-45 (Users), lacework-global-485 (Groups), lacework-global-486 (Roles) | Automated | Automated | High |
| 1.17 | Ensure a support role has been created to manage incidents with AWS Support | lacework-global-46 | Automated | Automated | Low |
| 1.18 | Ensure IAM instance roles are used for AWS resource access from instances | lacework-global-70 | Manual | Manual | Medium |
| 1.19 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | lacework-global-47 | Automated | Automated | High |
| 1.20 | Ensure that IAM Access analyzer is enabled for all regions | lacework-global-48 | Automated | Automated | Medium |
| 1.21 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | lacework-global-71 | Manual | Manual | Medium |

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in an AWS environment. These policies are marked as manual, and you must verify them yourself. Lacework provides manual remediation steps for these policies (when available).

Automated Policies (that were deemed manual)

In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.

The following table outlines the CIS AWS 1.4.0 Benchmark policies that fall within this category:

| Control ID | Title | Lacework Policy ID |
|---|---|---|
| 1.11 | Do not setup access keys during initial user setup for all IAM users that have a console password | lacework-global-40 |
| 2.1.1 | Ensure all S3 buckets employ encryption-at-rest | lacework-global-72 |
| 2.1.2 | Ensure S3 Bucket Policy is set to deny HTTP requests. | lacework-global-73 |
| 2.2.1 | Ensure EBS volume encryption is enabled | lacework-global-51 |

Adjusted Controls

1.6 Ensure hardware MFA is enabled for the 'root' user account

This control has been changed from automatic to manual.

As per CIS guidelines for this policy, Lacework was originally checking if 0 MFA devices were assigned to the 'root' user account, or if a virtual MFA device was present.

However, it is now possible to have more than one MFA device for the 'root' user account, and MFA devices for the 'root' user cannot be listed programmatically.

As such, a manual inspection of your 'root' user account in AWS is required. CIS have also been informed of this behavior and will be adjusting the control to Manual in the future.

1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

This control has been split into three policies to monitor users, groups, and roles.

The following table lists each policy and their new title:

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 1.16 | lacework-global-45 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users. |
| 1.16 | lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups. |
| 1.16 | lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles. |
note

The policy catalog only retains one entry for this control, which is lacework-global-45.
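The following is an added example, not Lacework's or CIS's own code, showing the check behind the three policies above: it flags IAM policy documents that grant full "*:*" administrative privileges and reports which users, groups and roles have such a policy attached. All policy names, principals and documents are constructed sample data.

```python
# Added example (not Lacework's or CIS's own code): flags IAM policy documents
# that grant the full "*:*" administrative privileges described by CIS AWS
# 1.4.0 control 1.16, and reports which users, groups and roles have such a
# policy attached, one list per Lacework policy the control is split into.
# All policy documents and attachments below are constructed sample data.

def _as_list(value):
    """IAM lets Action and Resource be either a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document):
    """True if any Allow statement has Action "*" and Resource "*".
    Deny statements and scoped actions or resources do not count; statements
    written with NotAction/NotResource are outside this simplified check."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def find_admin_attachments(policies, attachments):
    """Per principal type, the sorted principals with a full-admin policy attached."""
    admin_policies = {name for name, doc in policies.items() if grants_full_admin(doc)}
    return {
        kind: sorted(p for p, attached in attachments.get(kind, {}).items()
                     if admin_policies.intersection(attached))
        for kind in ("users", "groups", "roles")
    }

# Constructed sample policy documents (policy names are hypothetical).
SAMPLE_POLICIES = {
    "FullAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnly": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "DenyEverything": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    "BucketAdmin": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "arn:aws:s3:::example-bucket/*"}]},
}

# Constructed sample attachments: principal name -> attached policy names.
SAMPLE_ATTACHMENTS = {
    "users": {"alice": ["FullAdmin"], "bob": ["S3ReadOnly"]},
    "groups": {"admins": ["FullAdmin"], "readers": ["S3ReadOnly", "DenyEverything"]},
    "roles": {"deploy": ["BucketAdmin"], "break-glass": ["DenyEverything", "FullAdmin"]},
}

if __name__ == "__main__":
    for kind, principals in find_admin_attachments(SAMPLE_POLICIES, SAMPLE_ATTACHMENTS).items():
        print(f"{kind}: {principals}")
```

In a live account the policy documents and attachment lists would come from IAM (for example, a credential report or the IAM list/get APIs); the evaluation logic is the same.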

3.5 Ensure AWS Config is enabled in all regions

This control has been split into two different policies to check the following regarding AWS Config:

  1. Ensure that AWS Config is enabled in all regions and configured to record all resources.
  2. Ensure at least one region has AWS Config configured to record all global resources (for example: IAM).

The table below outlines each policy and their new title:

| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.5 | lacework-global-76 | Ensure AWS Config is enabled in all regions |
| 3.5 | lacework-global-497 | Ensure AWS Config is recording Global Resources in at least one region |
note

The policy catalog only retains one entry for this control, which is lacework-global-76.
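The following is an added example, not Lacework's or CIS's own code, applying the two checks into which control 3.5 is split to per-region AWS Config recorder data. It assumes each region's data merges the recorder's recordingGroup fields (allSupported, includeGlobalResourceTypes) with a "recording" status flag; the regional settings are constructed samples.

```python
# Added example (not Lacework's or CIS's own code): applies the two checks this
# page describes for control 3.5 to per-region AWS Config recorder data: every
# region records all resources, and at least one region also records global
# resources such as IAM. The per-region dicts below are constructed samples
# that merge a recorder's recordingGroup (allSupported,
# includeGlobalResourceTypes) with its "recording" status flag.

def records_all_resources(recorder):
    """First policy, per region: a recorder exists, is recording, and
    has allSupported set in its recording group."""
    if recorder is None or not recorder.get("recording", False):
        return False
    return bool(recorder.get("recordingGroup", {}).get("allSupported", False))

def records_global_resources(recorder):
    """Second policy, per region: all resources plus global resource types."""
    group = (recorder or {}).get("recordingGroup", {})
    return records_all_resources(recorder) and bool(group.get("includeGlobalResourceTypes", False))

def evaluate_config_coverage(recorders_by_region):
    """Return the outcome of both policies and the regions behind each outcome."""
    not_all = sorted(r for r, rec in recorders_by_region.items() if not records_all_resources(rec))
    global_ok = sorted(r for r, rec in recorders_by_region.items() if records_global_resources(rec))
    return {
        "all_regions_record_all_resources": not not_all,
        "regions_not_recording_all_resources": not_all,
        "global_resources_recorded_somewhere": bool(global_ok),
        "regions_recording_global_resources": global_ok,
    }

# Constructed sample data; region names are real, settings are invented.
SAMPLE_RECORDERS = {
    "us-east-1": {"recording": True, "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "eu-west-1": {"recording": True, "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    "ap-southeast-2": {"recording": True, "recordingGroup": {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"]}},
    "eu-central-1": {"recording": False, "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "sa-east-1": None,  # no configuration recorder at all
}

if __name__ == "__main__":
    for key, value in evaluate_config_coverage(SAMPLE_RECORDERS).items():
        print(f"{key}: {value}")
```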