Overview
About the CIS Benchmark
The Center for Internet Security is a 501(c)(3) non-profit organization, formed in October 2000, with a mission to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace”.
CIS Benchmarks are best practices for the secure configuration of a target system. CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members, and the CIS Benchmark Development team.
The official Benchmark documents are available through the CIS website. The sign-up form to access the documents is here.
Initiate scan on https://aws-scan.axiomio.com.
Controls Covered
1.1 – Avoid the use of the root user
1.2 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
1.3 – Ensure credentials unused for 90 days or greater are disabled
1.4 – Ensure access keys are rotated every 90 days or less
1.5 – Ensure IAM password policy requires at least one uppercase letter
1.6 – Ensure IAM password policy requires at least one lowercase letter
1.7 – Ensure IAM password policy requires at least one symbol
1.8 – Ensure IAM password policy requires at least one number
1.9 – Ensure IAM password policy requires a minimum length of 14 or greater
1.10 – Ensure IAM password policy prevents password reuse
1.11 – Ensure IAM password policy expires passwords within 90 days or less
1.12 – Ensure no root user access key exists
1.13 – Ensure MFA is enabled for the root user
1.14 – Ensure hardware MFA is enabled for the root user
1.16 – Ensure IAM policies are attached only to groups or roles
1.20 – Ensure a support role has been created to manage incidents with AWS Support
1.22 – Ensure IAM policies that allow full "*:*" administrative privileges are not created
2.1 – Ensure CloudTrail is enabled in all Regions
2.2 – Ensure CloudTrail log file validation is enabled
2.3 – Ensure the S3 bucket CloudTrail logs to is not publicly accessible
2.4 – Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
2.5 – Ensure AWS Config is enabled
2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
2.7 – Ensure CloudTrail logs are encrypted at rest using AWS KMS keys
2.8 – Ensure rotation for customer-created KMS keys is enabled
2.9 – Ensure VPC flow logging is enabled in all VPCs
3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls
3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
3.3 – Ensure a log metric filter and alarm exist for usage of root user
3.4 – Ensure a log metric filter and alarm exist for IAM policy changes
3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes
3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes
3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes
3.10 – Ensure a log metric filter and alarm exist for security group changes
3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
3.12 – Ensure a log metric filter and alarm exist for changes to network gateways
3.13 – Ensure a log metric filter and alarm exist for route table changes
3.14 – Ensure a log metric filter and alarm exist for VPC changes
4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
4.3 – Ensure the default security group of every VPC restricts all traffic
Sold by | Axiom |
Categories | |
Fulfillment method | Professional Services |
Pricing Information
This service is priced based on the scope of your request. Please contact the seller for pricing details.
Support
Initiate scan on https://aws-scan.axiomio.com
Write to us at sales@axiomio.com
Fill in the interest form at https://www.axiomio.com/contact
Contact us by phone:
USA: +1 - 510-254-3342 OR +1 - 510-952-4582
Canada: +1 - 647-494-3777
India: +91-40-27949596