From 640d43002769e654f4afd18f18c42f5f0f4a2db3 Mon Sep 17 00:00:00 2001 From: Samuel Burgos <34037255+sbldevnet@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:13:16 +0200 Subject: [PATCH 01/10] Set `python3.8` as deprecated Lambda runtime (#833) --- conformance_pack/lambda.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conformance_pack/lambda.pp b/conformance_pack/lambda.pp index 1bc608c5..c78bbeb8 100644 --- a/conformance_pack/lambda.pp +++ b/conformance_pack/lambda.pp @@ -1,13 +1,13 @@ variable "lambda_latest_runtimes" { type = list(string) description = "A list of latest lambda runtimes." - default = ["nodejs20.x", "nodejs18.x", "nodejs16.x", "python3.12", "python3.11", "python3.10", "python3.9", "python3.8", "ruby3.3", "ruby3.2", "java21", "java17", "java11", "java8.al2", "dotnet8", "dotnet6"] + default = ["nodejs20.x", "nodejs18.x", "nodejs16.x", "python3.12", "python3.11", "python3.10", "python3.9", "ruby3.3", "ruby3.2", "java21", "java17", "java11", "java8.al2", "dotnet8", "dotnet6"] } variable "lambda_deprecated_runtimes" { type = list(string) description = "A list of deprecated lambda runtimes." - default = ["java8", "go1.x", "provided", "ruby2.7", "nodejs14.x", "python3.7", "dotnetcore3.1", "nodejs12.x", "python3.6", "dotnet5.0", "dotnetcore2.1", "nodejs10.x", "ruby2.5", "python2.7", "nodejs8.10", "nodejs4.3", "nodejs4.3-edge", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs"] + default = ["java8", "go1.x", "provided", "ruby2.7", "nodejs14.x", "python3.7", "python3.8", "dotnetcore3.1", "nodejs12.x", "python3.6", "dotnet5.0", "dotnetcore2.1", "nodejs10.x", "ruby2.5", "python2.7", "nodejs8.10", "nodejs4.3", "nodejs4.3-edge", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs"] } locals { From ed1411615a0816a1383f86974c59a78798af9179 Mon Sep 17 00:00:00 2001 
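Review bot: The new `lambda_latest_runtimes` default still lists `nodejs16.x` although, by the date of this commit, that runtime had also passed its AWS deprecation date (June 2024, if I recall the published schedule correctly — please verify against AWS's current runtime table before moving it). If it has, it belongs in `lambda_deprecated_runtimes` next to `python3.8`, otherwise the controls that consume these two lists keep passing functions on a runtime that no longer receives security patches. Since the two defaults are only kept honest by hand, a comment above each variable such as `# Reconciled against the AWS Lambda runtime deprecation schedule on <DATE-PLACEHOLDER>` would make it obvious when they were last checked.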
From: Khushboo <46913995+khushboo9024@users.noreply.github.com> Date: Fri, 25 Oct 2024 21:24:23 +0530 Subject: [PATCH 02/10] Update queries to use non-deprecated columns, update ebs_encryption_by_default_enabled control and query name, fix VPC security group rule queries only checking for exact port matches instead of ranges (#835) Co-authored-by: Cody Bruno --- all_controls/ec2.pp | 2 +- cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp | 2 +- cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp | 2 +- cis_v150/section_2.pp | 2 +- cis_v200/section_2.pp | 2 +- cis_v300/section_2.pp | 2 +- cisa_cyber_essentials/your_data.pp | 4 +- cisa_cyber_essentials/your_systems.pp | 2 +- conformance_pack/ebs.pp | 45 ++++- conformance_pack/ec2.pp | 41 +--- conformance_pack/iam.pp | 34 +++- conformance_pack/ssm.pp | 17 +- conformance_pack/vpc.pp | 180 +++++++++--------- ffiec/d_3/d_3_pc.pp | 2 +- foundational_security/ec2.pp | 2 +- gxp_21_cfr_part_11/11_10.pp | 4 +- gxp_21_cfr_part_11/11_30.pp | 2 +- gxp_eu_annex_11/operational_phase.pp | 2 +- .../164_308/164_308_a_1_ii_b.pp | 2 +- .../164_308/164_308_a_4_ii_a.pp | 2 +- .../164_312/164_312_a_2_iv.pp | 2 +- .../164_312/164_312_c_1.pp | 2 +- .../164_312/164_312_e_2_ii.pp | 2 +- .../164_314/164_314_b_1.pp | 2 +- .../164_314/164_314_b_2.pp | 2 +- .../164_314/164_314_b_2_i.pp | 2 +- .../164_314/164_314_b_2_ii.pp | 2 +- .../164_314/164_314_b_2_iii.pp | 2 +- .../164_314/164_314_b_2_iv.pp | 2 +- .../164_308/164_308_a_1_ii_b.pp | 2 +- .../164_308/164_308_a_4_ii_a.pp | 2 +- .../164_312/164_312_a_2_iv.pp | 2 +- .../164_312/164_312_c_1.pp | 2 +- .../164_312/164_312_e_2_ii.pp | 2 +- .../164_314/164_314_b_1.pp | 2 +- .../164_314/164_314_b_2.pp | 2 +- nist_800_171_rev_2/sc.pp | 2 +- nist_800_53_rev_4/sc.pp | 2 +- nist_800_53_rev_5/au.pp | 2 +- nist_800_53_rev_5/cm.pp | 4 +- nist_800_53_rev_5/cp.pp | 2 +- nist_800_53_rev_5/sc.pp | 8 +- nist_800_53_rev_5/si.pp | 2 +- nist_csf/function_pr.pp | 2 +- pci_dss_v321/requirement_3.pp | 12 +- 
pci_dss_v321/requirement_8.pp | 2 +- soc_2/cc_6.pp | 4 +- 47 files changed, 225 insertions(+), 200 deletions(-) diff --git a/all_controls/ec2.pp b/all_controls/ec2.pp index a95b0835..42b76a3d 100644 --- a/all_controls/ec2.pp +++ b/all_controls/ec2.pp @@ -12,7 +12,7 @@ control.ec2_ami_not_older_than_90_days, control.ec2_ami_restrict_public_access, control.ec2_client_vpn_endpoint_client_connection_logging_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_attached_ebs_volume_delete_on_termination_enabled, control.ec2_instance_detailed_monitoring_enabled, control.ec2_instance_ebs_optimized, diff --git a/cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp b/cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp index 6e31ae96..cd1c2ac9 100644 --- a/cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp +++ b/cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp @@ -36,7 +36,7 @@ description = "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements." children = [ control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.rds_db_instance_encryption_at_rest_enabled ] diff --git a/cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp b/cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp index 61116eb3..12047c2d 100644 --- a/cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp +++ b/cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp @@ -37,7 +37,7 @@ control.cloudtrail_trail_logs_encrypted_with_kms_cmk, control.cloudtrail_trail_validation_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_iam_profile_attached, control.iam_account_password_policy_strong_min_reuse_24, control.iam_group_user_role_no_inline_policies, 
diff --git a/cis_v150/section_2.pp b/cis_v150/section_2.pp index 83c4c9b7..9435de2b 100644 --- a/cis_v150/section_2.pp +++ b/cis_v150/section_2.pp @@ -138,7 +138,7 @@ title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions" description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." documentation = file("./cis_v150/docs/cis_v150_2_2_1.md") - query = query.ebs_volume_encryption_at_rest_enabled + query = query.ebs_encryption_by_default_enabled tags = merge(local.cis_v150_2_2_common_tags, { cis_item_id = "2.2.1" diff --git a/cis_v200/section_2.pp b/cis_v200/section_2.pp index 430d1585..0686ccfc 100644 --- a/cis_v200/section_2.pp +++ b/cis_v200/section_2.pp @@ -123,7 +123,7 @@ title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions" description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." documentation = file("./cis_v200/docs/cis_v200_2_2_1.md") - query = query.ebs_volume_encryption_at_rest_enabled + query = query.ebs_encryption_by_default_enabled tags = merge(local.cis_v200_2_2_common_tags, { cis_item_id = "2.2.1" diff --git a/cis_v300/section_2.pp b/cis_v300/section_2.pp index 721675f5..276f4e6a 100644 --- a/cis_v300/section_2.pp +++ b/cis_v300/section_2.pp 
@@ -123,7 +123,7 @@ title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions" description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." documentation = file("./cis_v300/docs/cis_v300_2_2_1.md") - query = query.ebs_volume_encryption_at_rest_enabled + query = query.ebs_encryption_by_default_enabled tags = merge(local.cis_v300_2_2_common_tags, { cis_item_id = "2.2.1" diff --git a/cisa_cyber_essentials/your_data.pp b/cisa_cyber_essentials/your_data.pp index c3124c9b..c10347e6 100644 --- a/cisa_cyber_essentials/your_data.pp +++ b/cisa_cyber_essentials/your_data.pp @@ -21,7 +21,7 @@ control.cloudtrail_trail_logs_encrypted_with_kms_cmk, control.dynamodb_table_encrypted_with_kms, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypted_with_cmk, control.es_domain_encryption_at_rest_enabled, control.log_group_encryption_at_rest_enabled, @@ -58,7 +58,7 @@ control.dynamodb_table_encrypted_with_kms, control.ebs_attached_volume_encryption_enabled, control.ebs_snapshot_not_publicly_restorable, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, control.efs_file_system_encrypted_with_cmk, diff --git a/cisa_cyber_essentials/your_systems.pp b/cisa_cyber_essentials/your_systems.pp index da328770..89670835 100644 --- a/cisa_cyber_essentials/your_systems.pp +++ b/cisa_cyber_essentials/your_systems.pp 
@@ -65,7 +65,7 @@ control.ebs_attached_volume_encryption_enabled, control.ebs_snapshot_not_publicly_restorable, control.ebs_volume_in_backup_plan, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_ebs_optimized, control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, diff --git a/conformance_pack/ebs.pp b/conformance_pack/ebs.pp index 5fca7dab..7b9bcb77 100644 --- a/conformance_pack/ebs.pp +++ b/conformance_pack/ebs.pp @@ -4,6 +4,28 @@ }) } +control "ebs_encryption_by_default_enabled" { + title = "EBS default encryption should be enabled" + description = "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes." + query = query.ebs_encryption_by_default_enabled + + tags = merge(local.conformance_pack_ec2_common_tags, { + cis_controls_v8_ig1 = "true" + cisa_cyber_essentials = "true" + ffiec = "true" + gxp_21_cfr_part_11 = "true" + gxp_eu_annex_11 = "true" + hipaa_final_omnibus_security_rule_2013 = "true" + hipaa_security_rule_2003 = "true" + nist_800_171_rev_2 = "true" + nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" + nist_csf = "true" + pci_dss_v321 = "true" + soc_2 = "true" + }) +} + control "ebs_snapshot_not_publicly_restorable" { title = "EBS snapshots should not be publicly restorable" description = "Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable." 
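Review bot: The new `ebs_encryption_by_default_enabled` control added to `conformance_pack/ebs.pp` merges `local.conformance_pack_ec2_common_tags` into its tags, carried over from the `ec2.pp` block it replaces, while the controls around it in this file use `local.conformance_pack_ebs_common_tags` (the next hunk shows `tags = local.conformance_pack_ebs_common_tags` on a neighbouring control). Unless attributing this control to the EC2 service is intended, change the first tag line to `tags = merge(local.conformance_pack_ebs_common_tags, {` so it is grouped with its siblings in benchmark output and filters.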
@@ -163,6 +185,27 @@ tags = local.conformance_pack_ebs_common_tags } +query "ebs_encryption_by_default_enabled" { + sql = <<-EOQ + select + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, + case + when r.opt_in_status = 'not-opted-in' then 'skip' + when not default_ebs_encryption_enabled then 'alarm' + else 'ok' + end as status, + case + when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' + when not default_ebs_encryption_enabled then r.region || ' default EBS encryption disabled.' + else r.region || ' default EBS encryption enabled.' + end as reason + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")} + from + aws_region as r + left join aws_ec2_regional_settings as s on s.account_id = r.account_id and s.region = r.region; + EOQ +} + query "ebs_snapshot_not_publicly_restorable" { sql = <<-EOQ select @@ -386,4 +429,4 @@ aws_ebs_volume as v left join volume_with_snapshots as s on s.volume_id = v.volume_id; EOQ -} \ No newline at end of file +} diff --git a/conformance_pack/ec2.pp b/conformance_pack/ec2.pp index e36f0d57..02bd55e5 100644 --- a/conformance_pack/ec2.pp +++ b/conformance_pack/ec2.pp 
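Review bot: In the new `ebs_encryption_by_default_enabled` query, an opted-in region that gets no row back from the `aws_ec2_regional_settings` left join (nulls on the `s` side, e.g. when the regional settings call fails or is not permitted) makes `not default_ebs_encryption_enabled` evaluate to null, so both `case` expressions fall through to `'ok'` and the control passes a region it could not actually verify. Add an explicit branch ahead of the alarm test in each `case`, e.g. `when s.default_ebs_encryption_enabled is null then 'error'` with a matching reason `when s.default_ebs_encryption_enabled is null then r.region || ' default EBS encryption status unknown.'`, so a lookup failure surfaces instead of reading as compliant. While there, qualify the column as `s.default_ebs_encryption_enabled` in both places so a reader can see which side of the join it comes from.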
@@ -20,27 +20,6 @@ tags = local.conformance_pack_ec2_common_tags } -control "ec2_ebs_default_encryption_enabled" { - title = "EBS default encryption should be enabled" - description = "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes." - query = query.ec2_ebs_default_encryption_enabled - - tags = merge(local.conformance_pack_ec2_common_tags, { - cis_controls_v8_ig1 = "true" - cisa_cyber_essentials = "true" - ffiec = "true" - gxp_21_cfr_part_11 = "true" - gxp_eu_annex_11 = "true" - hipaa_final_omnibus_security_rule_2013 = "true" - hipaa_security_rule_2003 = "true" - nist_800_171_rev_2 = "true" - nist_800_53_rev_4 = "true" - nist_800_53_rev_5 = "true" - nist_csf = "true" - pci_dss_v321 = "true" - soc_2 = "true" - }) -} control "ec2_instance_detailed_monitoring_enabled" { title = "EC2 instance detailed monitoring should be enabled" @@ -512,24 +491,6 @@ tags = local.conformance_pack_ec2_common_tags } -query "ec2_ebs_default_encryption_enabled" { - sql = <<-EOQ - select - 'arn:' || partition || '::' || region || ':' || account_id as resource, - case - when not default_ebs_encryption_enabled then 'alarm' - else 'ok' - end as status, - case - when not default_ebs_encryption_enabled then region || ' default EBS encryption disabled.' - else region || ' default EBS encryption enabled.' - end as reason - ${local.common_dimensions_sql} - from - aws_ec2_regional_settings; - EOQ -} - query "ec2_instance_detailed_monitoring_enabled" { sql = <<-EOQ select @@ -2036,4 +1997,4 @@ from aws_ec2_network_interface; EOQ -} \ No newline at end of file +} diff --git a/conformance_pack/iam.pp b/conformance_pack/iam.pp index a42afd76..cc5396f4 100644 --- a/conformance_pack/iam.pp +++ b/conformance_pack/iam.pp 
@@ -1518,28 +1518,48 @@ query "iam_access_analyzer_enabled_without_findings" { sql = <<-EOQ + with accessanalyzer_findings as ( + select + a.status as status, + f.access_analyzer_arn as arn, + a.region, + a.account_id, + a.tags, + a.name, + count(*) + from + aws_accessanalyzer_analyzer as a + left join aws_accessanalyzer_finding as f on f.access_analyzer_arn = a.arn + group by + f.access_analyzer_arn, + a.status, + a.region, + a.account_id, + a.tags, + a.name + ) select 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, case -- Skip any regions that are disabled in the account. when r.opt_in_status = 'not-opted-in' then 'skip' - when aa.status = 'ACTIVE' and aa.findings is null then 'ok' - when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then 'alarm' - when aa.status = 'NOT_AVAILABLE' then 'alarm' + when f.status = 'ACTIVE' and f.arn is null then 'ok' + when f.status = 'ACTIVE' and f.arn is not null then 'alarm' + when f.status = 'NOT_AVAILABLE' then 'alarm' else 'alarm' end as status, case when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when aa.status = 'ACTIVE' and aa.findings is null then aa.name || ' does not have active findings in region ' || r.region || '.' - when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then aa.name || ' has active findings in region ' || r.region || '.' - when aa.status = 'NOT_AVAILABLE' then aa.name || ' is not enabled in region ' || r.region || '.' + when f.status = 'ACTIVE' and f.arn is null then f.name || ' does not have active findings in region ' || r.region || '.' + when f.status = 'ACTIVE' and f.arn is not null then f.name || ' has active findings in region ' || r.region || '.' + when f.status = 'NOT_AVAILABLE' then f.name || ' is not enabled in region ' || r.region || '.' else 'IAM Access Analyzer is not active in region ' || r.region || '.' 
end as reason ${local.tag_dimensions_sql} ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")} from aws_region as r - left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region; + left join accessanalyzer_findings as f on f.region = r.region and f.account_id = r.account_id; EOQ } diff --git a/conformance_pack/ssm.pp b/conformance_pack/ssm.pp index 7262fda3..17fdb473 100644 --- a/conformance_pack/ssm.pp +++ b/conformance_pack/ssm.pp @@ -176,21 +176,22 @@ query "ssm_document_prohibit_public_access" { sql = <<-EOQ select - 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource, + d.arn as resource, case - when account_ids :: jsonb ? 'all' then 'alarm' + when p.account_ids :: jsonb ? 'all' then 'alarm' else 'ok' end as status, case - when account_ids :: jsonb ? 'all' then title || ' publicly accesible.' - else title || ' not publicly accesible.' + when p.account_ids :: jsonb ? 'all' then d.title || ' publicly accessible.' + else d.title || ' not publicly accessible.' end as reason - ${local.tag_dimensions_sql} - ${local.common_dimensions_sql} + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "d.")} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "d.")} from - aws_ssm_document + aws_ssm_document as d + left join aws_ssm_document_permission as p on p.document_name = d.name and p.region = d.region and p.account_id = d.account_id where - owner_type = 'Self'; + d.owner_type = 'Self'; EOQ } diff --git a/conformance_pack/vpc.pp b/conformance_pack/vpc.pp index 292e0742..2fb934cc 100644 --- a/conformance_pack/vpc.pp +++ b/conformance_pack/vpc.pp 
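Review bot: The `accessanalyzer_findings` CTE in `iam_access_analyzer_enabled_without_findings` joins every row of `aws_accessanalyzer_finding` to its analyzer, so an analyzer whose only findings are archived or resolved still yields a non-null `f.arn` and is reported as `'alarm'` with the reason `has active findings`. If the finding table exposes the finding's own status (it appears to, but please confirm the column name), keep the join outer and restrict it to active findings: `left join aws_accessanalyzer_finding as f on f.access_analyzer_arn = a.arn and f.status = 'ACTIVE'`. The unnamed `count(*)` column in the CTE is never read by the outer query and can be dropped, and because the outer join is on region and account only, an account with more than one analyzer in a region will emit one result row per analyzer for the same `resource` ARN — worth a short comment in the query if that is intended. The enclosing query block starts before this hunk.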
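Review bot: In `ssm_document_prohibit_public_access`, `p.account_ids` is null for any document that gets no row from the `aws_ssm_document_permission` left join, and `null :: jsonb ? 'all'` is null, so the `case` falls through to `'ok'` and the reason reads `not publicly accessible`. If the permission row can be absent because the permission lookup failed or was denied rather than because the document is unshared (I cannot tell from the hunk which the table does), the control reports a pass it did not verify; consider `when p.account_ids is null then 'info'` with a reason such as `d.title || ' sharing permissions could not be determined.'`, or add a comment above the query explaining why a missing permission row is treated as not shared. If the permission table can return more than one row per document, the join also duplicates that document in the results, so a comment stating the expected cardinality of the join would help the next reader.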
@@ -659,28 +659,28 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) or ( - from_port >= 21 - and to_port <= 21 + from_port <= 21 + and to_port >= 21 ) or ( - from_port >= 20 - and to_port <= 20 + from_port <= 20 + and to_port >= 20 ) or ( - from_port >= 3306 - and to_port <= 3306 + from_port <= 3306 + and to_port >= 3306 ) or ( - from_port >= 4333 - and to_port <= 4333 + from_port <= 4333 + and to_port >= 4333 ) ) group by @@ -720,8 +720,8 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) ) group by @@ -923,8 +923,8 @@ and from_port is null ) or ( - from_port >= 6379 - and to_port <= 6379 + from_port <= 6379 + and to_port >= 6379 ) ) group by @@ -967,8 +967,8 @@ and from_port is null ) or ( - from_port >= 9092 - and to_port <= 9092 + from_port <= 9092 + and to_port >= 9092 ) ) group by @@ -1011,12 +1011,12 @@ and from_port is null ) or ( - from_port >= 9200 - and to_port <= 9200 + from_port <= 9200 + and to_port >= 9200 ) or ( - from_port >= 5601 - and to_port <= 5601 + from_port <= 5601 + and to_port >= 5601 ) ) group by @@ -1158,12 +1158,12 @@ and from_port is null ) or ( - from_port >= 27017 - and to_port <= 27017 + from_port <= 27017 + and to_port >= 27017 ) or ( - from_port >= 27018 - and to_port <= 27018 + from_port <= 27018 + and to_port >= 27018 ) ) group by @@ -1203,14 +1203,14 @@ and from_port is null ) or ( - from_port >= 7199 - and to_port <= 7199 + from_port <= 7199 + and to_port >= 7199 ) or ( - from_port >= 9160 - and to_port <= 9160 + from_port <= 9160 + and to_port >= 9160 ) or ( - from_port >= 8888 - and to_port <= 8888 + from_port <= 8888 + and to_port >= 8888 ) ) group by 
@@ -1250,11 +1250,11 @@ and from_port is null ) or ( - from_port >= 1521 - and to_port <= 1521 + from_port <= 1521 + and to_port >= 1521 ) or ( - from_port >= 2483 - and to_port <= 2483 + from_port <= 2483 + and to_port >= 2483 ) ) group by @@ -1294,8 +1294,8 @@ and from_port is null ) or ( - from_port >= 11211 - and to_port <= 11211 + from_port <= 11211 + and to_port >= 11211 ) ) group by @@ -1338,12 +1338,12 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) ) group by @@ -1398,12 +1398,12 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) ) group by @@ -1446,12 +1446,12 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) ) group by @@ -1491,8 +1491,8 @@ and from_port is null ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) ) group by 
@@ -1567,80 +1567,80 @@ and from_port is null ) or ( - from_port >= 22 - and to_port <= 22 + from_port <= 22 + and to_port >= 22 ) or ( - from_port >= 3389 - and to_port <= 3389 + from_port <= 3389 + and to_port >= 3389 ) or ( - from_port >= 21 - and to_port <= 21 + from_port <= 21 + and to_port >= 21 ) or ( - from_port >= 20 - and to_port <= 20 + from_port <= 20 + and to_port >= 20 ) or ( - from_port >= 3306 - and to_port <= 3306 + from_port <= 3306 + and to_port >= 3306 ) or ( - from_port >= 4333 - and to_port <= 4333 + from_port <= 4333 + and to_port >= 4333 ) or ( - from_port >= 23 - and to_port <= 23 + from_port <= 23 + and to_port >= 23 ) or ( - from_port >= 25 - and to_port <= 25 + from_port <= 25 + and to_port >= 25 ) or ( - from_port >= 445 - and to_port <= 445 + from_port <= 445 + and to_port >= 445 ) or ( - from_port >= 110 - and to_port <= 110 + from_port <= 110 + and to_port >= 110 ) or ( - from_port >= 135 - and to_port <= 135 + from_port <= 135 + and to_port >= 135 ) or ( - from_port >= 143 - and to_port <= 143 + from_port <= 143 + and to_port >= 143 ) or ( - from_port >= 1433 - and to_port <= 3389 + from_port <= 1433 + and to_port >= 3389 ) or ( - from_port >= 3389 - and to_port <= 1434 + from_port <= 3389 + and to_port >= 1434 ) or ( - from_port >= 5432 - and to_port <= 5432 + from_port <= 5432 + and to_port >= 5432 ) or ( - from_port >= 5500 - and to_port <= 5500 + from_port <= 5500 + and to_port >= 5500 ) or ( - from_port >= 5601 - and to_port <= 5601 + from_port <= 5601 + and to_port >= 5601 ) or ( - from_port >= 9200 - and to_port <= 9300 + from_port <= 9200 + and to_port >= 9300 ) or ( - from_port >= 8080 - and to_port <= 8080 + from_port <= 8080 + and to_port >= 8080 ) ) group by diff --git a/ffiec/d_3/d_3_pc.pp b/ffiec/d_3/d_3_pc.pp index b14ff8de..2b86553a 100644 --- a/ffiec/d_3/d_3_pc.pp +++ b/ffiec/d_3/d_3_pc.pp 
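Review bot: Three of the rewritten range tests in this hunk still do not express "the rule covers port P": `from_port <= 1433 and to_port >= 3389` only matches a rule spanning 1433 through 3389, and `from_port <= 3389 and to_port >= 1434` matches any rule overlapping 1434–3389 (a single port 2000, for instance), which looks like a carried-over typo for the MS SQL ports and should read `from_port <= 1433 and to_port >= 1433` and `from_port <= 1434 and to_port >= 1434`. Likewise `from_port <= 9200 and to_port >= 9300` now requires a rule to open the whole 9200–9300 span, so a rule opening only 9200 is missed; the overlap test for a port range is `from_port <= 9300 and to_port >= 9200`. The enclosing query starts before this hunk, so the control it belongs to is not visible here.
```sql
-- … unchanged: earlier single-port tests (22, 3389, 21, 20, 3306, 4333, 23, 25, 445, 110, 135, 143) …
or (
  from_port <= 1433
  and to_port >= 1433
)
or (
  from_port <= 1434
  and to_port >= 1434
)
-- … unchanged: 5432, 5500, 5601 tests …
or (
  from_port <= 9300
  and to_port >= 9200
)
-- … unchanged: 8080 test, closing parentheses, group by …
```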
@@ -64,7 +64,7 @@ control.apigateway_rest_api_stage_use_ssl_certificate, control.backup_recovery_point_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypt_data_at_rest, control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_tls_https_listeners, diff --git a/foundational_security/ec2.pp b/foundational_security/ec2.pp index 9c18f990..67712ebf 100644 --- a/foundational_security/ec2.pp +++ b/foundational_security/ec2.pp @@ -104,7 +104,7 @@ title = "7 EBS default encryption should be enabled" description = "This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled." severity = "medium" - query = query.ec2_ebs_default_encryption_enabled + query = query.ebs_encryption_by_default_enabled documentation = file("./foundational_security/docs/foundational_security_ec2_7.md") tags = merge(local.foundational_security_ec2_common_tags, { diff --git a/gxp_21_cfr_part_11/11_10.pp b/gxp_21_cfr_part_11/11_10.pp index 64ad4732..1aa8dad2 100644 --- a/gxp_21_cfr_part_11/11_10.pp +++ b/gxp_21_cfr_part_11/11_10.pp @@ -119,7 +119,7 @@ control.dynamodb_table_encrypted_with_kms, control.ebs_attached_volume_encryption_enabled, control.ebs_snapshot_not_publicly_restorable, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_iam_profile_attached, control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, 
@@ -219,7 +219,7 @@ control.dynamodb_table_encrypted_with_kms, control.ebs_attached_volume_encryption_enabled, control.ebs_snapshot_not_publicly_restorable, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_iam_profile_attached, control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, diff --git a/gxp_21_cfr_part_11/11_30.pp b/gxp_21_cfr_part_11/11_30.pp index 186354f7..f8daec8f 100644 --- a/gxp_21_cfr_part_11/11_30.pp +++ b/gxp_21_cfr_part_11/11_30.pp @@ -13,7 +13,7 @@ control.codebuild_project_s3_logs_encryption_enabled, control.dynamodb_table_encrypted_with_kms, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypt_data_at_rest, control.elb_application_lb_redirect_http_request_to_https, control.elb_application_network_lb_use_ssl_certificate, diff --git a/gxp_eu_annex_11/operational_phase.pp b/gxp_eu_annex_11/operational_phase.pp index 3cfd797d..4659e0ab 100644 --- a/gxp_eu_annex_11/operational_phase.pp +++ b/gxp_eu_annex_11/operational_phase.pp @@ -75,7 +75,7 @@ control.dynamodb_table_point_in_time_recovery_enabled, control.ebs_attached_volume_encryption_enabled, control.ebs_volume_in_backup_plan, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_ebs_optimized, control.efs_file_system_encrypt_data_at_rest, control.efs_file_system_in_backup_plan, diff --git a/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_1_ii_b.pp b/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_1_ii_b.pp index 2f270332..af40104e 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_1_ii_b.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_1_ii_b.pp 
@@ -13,7 +13,7 @@ control.dynamodb_table_point_in_time_recovery_enabled, control.ebs_attached_volume_encryption_enabled, control.ebs_snapshot_not_publicly_restorable, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, control.ec2_instance_ssm_managed, diff --git a/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_4_ii_a.pp b/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_4_ii_a.pp index 72183fcb..7371dade 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_4_ii_a.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_308/164_308_a_4_ii_a.pp @@ -10,7 +10,7 @@ control.dynamodb_table_encrypted_with_kms, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypt_data_at_rest, control.eks_cluster_secrets_encrypted, control.elb_application_lb_drop_http_headers, diff --git a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_a_2_iv.pp b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_a_2_iv.pp index a9aa0f77..4ef0a3c0 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_a_2_iv.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_a_2_iv.pp @@ -9,7 +9,7 @@ control.dynamodb_table_encrypted_with_kms, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypt_data_at_rest, control.eks_cluster_secrets_encrypted, control.elb_application_lb_drop_http_headers, diff --git a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_c_1.pp b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_c_1.pp index 6b4f0639..8b339485 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_c_1.pp 
+++ b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_c_1.pp @@ -7,7 +7,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_e_2_ii.pp b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_e_2_ii.pp index fded9421..f8d77dc8 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_312/164_312_e_2_ii.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_312/164_312_e_2_ii.pp @@ -9,7 +9,7 @@ control.dynamodb_table_encrypted_with_kms, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.efs_file_system_encrypt_data_at_rest, control.eks_cluster_secrets_encrypted, control.elb_application_lb_drop_http_headers, diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_1.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_1.pp index 5af0111a..d1b3185b 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_1.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_1.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2.pp index 64b638a3..bf8fa9a4 100644 
--- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_i.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_i.pp index bd413b5e..9bdeb07b 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_i.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_i.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_ii.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_ii.pp index ad3a81de..09045db3 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_ii.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_ii.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, 
diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iii.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iii.pp index fea73f61..29c6a0b6 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iii.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iii.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iv.pp b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iv.pp index ab2e33f6..df44ab32 100644 --- a/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iv.pp +++ b/hipaa_final_omnibus_security_rule_2013/164_314/164_314_b_2_iv.pp @@ -6,7 +6,7 @@ control.dax_cluster_encryption_at_rest_enabled, control.dynamodb_table_encryption_enabled, control.ebs_attached_volume_encryption_enabled, - control.ec2_ebs_default_encryption_enabled, + control.ebs_encryption_by_default_enabled, control.eks_cluster_secrets_encrypted, control.elb_classic_lb_use_tls_https_listeners, control.es_domain_encryption_at_rest_enabled, diff --git a/hipaa_security_rule_2003/164_308/164_308_a_1_ii_b.pp b/hipaa_security_rule_2003/164_308/164_308_a_1_ii_b.pp index 5d1d6a90..8e632a7c 100644 --- a/hipaa_security_rule_2003/164_308/164_308_a_1_ii_b.pp +++ b/hipaa_security_rule_2003/164_308/164_308_a_1_ii_b.pp 
@@ -13,7 +13,7 @@
 control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_attached_volume_encryption_enabled,
 control.ebs_snapshot_not_publicly_restorable,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
 control.ec2_instance_ssm_managed,
diff --git a/hipaa_security_rule_2003/164_308/164_308_a_4_ii_a.pp b/hipaa_security_rule_2003/164_308/164_308_a_4_ii_a.pp
index c20a02c7..8a17cbf0 100644
--- a/hipaa_security_rule_2003/164_308/164_308_a_4_ii_a.pp
+++ b/hipaa_security_rule_2003/164_308/164_308_a_4_ii_a.pp
@@ -10,7 +10,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.elb_application_lb_drop_http_headers,
diff --git a/hipaa_security_rule_2003/164_312/164_312_a_2_iv.pp b/hipaa_security_rule_2003/164_312/164_312_a_2_iv.pp
index 8a3da160..3e4a218b 100644
--- a/hipaa_security_rule_2003/164_312/164_312_a_2_iv.pp
+++ b/hipaa_security_rule_2003/164_312/164_312_a_2_iv.pp
@@ -8,7 +8,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/hipaa_security_rule_2003/164_312/164_312_c_1.pp b/hipaa_security_rule_2003/164_312/164_312_c_1.pp
index d728b92a..664f27ba 100644
--- a/hipaa_security_rule_2003/164_312/164_312_c_1.pp
+++ b/hipaa_security_rule_2003/164_312/164_312_c_1.pp
@@ -7,7 +7,7 @@
 control.dax_cluster_encryption_at_rest_enabled,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.eks_cluster_secrets_encrypted,
 control.elb_classic_lb_use_tls_https_listeners,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/hipaa_security_rule_2003/164_312/164_312_e_2_ii.pp b/hipaa_security_rule_2003/164_312/164_312_e_2_ii.pp
index ecdd1b9f..37527cbd 100644
--- a/hipaa_security_rule_2003/164_312/164_312_e_2_ii.pp
+++ b/hipaa_security_rule_2003/164_312/164_312_e_2_ii.pp
@@ -8,7 +8,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/hipaa_security_rule_2003/164_314/164_314_b_1.pp b/hipaa_security_rule_2003/164_314/164_314_b_1.pp
index cd055698..90d0acc1 100644
--- a/hipaa_security_rule_2003/164_314/164_314_b_1.pp
+++ b/hipaa_security_rule_2003/164_314/164_314_b_1.pp
@@ -6,7 +6,7 @@
 control.dax_cluster_encryption_at_rest_enabled,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.eks_cluster_secrets_encrypted,
 control.elb_classic_lb_use_tls_https_listeners,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/hipaa_security_rule_2003/164_314/164_314_b_2.pp b/hipaa_security_rule_2003/164_314/164_314_b_2.pp
index f9131011..66c1f2eb 100644
--- a/hipaa_security_rule_2003/164_314/164_314_b_2.pp
+++ b/hipaa_security_rule_2003/164_314/164_314_b_2.pp
@@ -6,7 +6,7 @@
 control.dax_cluster_encryption_at_rest_enabled,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.eks_cluster_secrets_encrypted,
 control.elb_classic_lb_use_tls_https_listeners,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/nist_800_171_rev_2/sc.pp b/nist_800_171_rev_2/sc.pp
index c139d6f6..ec9dc563 100644
--- a/nist_800_171_rev_2/sc.pp
+++ b/nist_800_171_rev_2/sc.pp
@@ -268,7 +268,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.kms_key_not_pending_deletion,
diff --git a/nist_800_53_rev_4/sc.pp b/nist_800_53_rev_4/sc.pp
index e2fe3cea..5bd6bd7d 100644
--- a/nist_800_53_rev_4/sc.pp
+++ b/nist_800_53_rev_4/sc.pp
@@ -203,7 +203,7 @@
 control.apigateway_stage_cache_encryption_at_rest_enabled,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.kms_key_not_pending_deletion,
diff --git a/nist_800_53_rev_5/au.pp b/nist_800_53_rev_5/au.pp
index 2f349538..0e301a50 100644
--- a/nist_800_53_rev_5/au.pp
+++ b/nist_800_53_rev_5/au.pp
@@ -436,7 +436,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_volume_encryption_at_rest_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
diff --git a/nist_800_53_rev_5/cm.pp b/nist_800_53_rev_5/cm.pp
index 5f6231f5..d1769a71 100644
--- a/nist_800_53_rev_5/cm.pp
+++ b/nist_800_53_rev_5/cm.pp
@@ -250,7 +250,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.cloudtrail_trail_validation_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ec2_instance_iam_profile_attached,
 control.iam_account_password_policy_min_length_14,
 control.iam_group_user_role_no_inline_policies,
@@ -478,7 +478,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.cloudtrail_trail_validation_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.iam_account_password_policy_min_length_14,
 control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
diff --git a/nist_800_53_rev_5/cp.pp b/nist_800_53_rev_5/cp.pp
index fd048f8e..3e89fcb9 100644
--- a/nist_800_53_rev_5/cp.pp
+++ b/nist_800_53_rev_5/cp.pp
@@ -369,7 +369,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_in_backup_plan,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.log_group_encryption_at_rest_enabled,
diff --git a/nist_800_53_rev_5/sc.pp b/nist_800_53_rev_5/sc.pp
index 066baeab..2e4e8d02 100644
--- a/nist_800_53_rev_5/sc.pp
+++ b/nist_800_53_rev_5/sc.pp
@@ -813,7 +813,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
@@ -847,7 +847,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
@@ -948,7 +948,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
@@ -1115,7 +1115,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.log_group_encryption_at_rest_enabled,
diff --git a/nist_800_53_rev_5/si.pp b/nist_800_53_rev_5/si.pp
index 5df26716..e8ea5f8d 100644
--- a/nist_800_53_rev_5/si.pp
+++ b/nist_800_53_rev_5/si.pp
@@ -722,7 +722,7 @@
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.log_group_encryption_at_rest_enabled,
diff --git a/nist_csf/function_pr.pp b/nist_csf/function_pr.pp
index 1d3923b2..1702fdda 100644
--- a/nist_csf/function_pr.pp
+++ b/nist_csf/function_pr.pp
@@ -293,7 +293,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/pci_dss_v321/requirement_3.pp b/pci_dss_v321/requirement_3.pp
index 49a58b8c..b6142846 100644
--- a/pci_dss_v321/requirement_3.pp
+++ b/pci_dss_v321/requirement_3.pp
@@ -142,7 +142,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
@@ -175,7 +175,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
@@ -206,7 +206,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
@@ -237,7 +237,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
@@ -269,7 +269,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
@@ -302,7 +302,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.es_domain_encryption_at_rest_enabled,
diff --git a/pci_dss_v321/requirement_8.pp b/pci_dss_v321/requirement_8.pp
index cf11d695..990397f4 100644
--- a/pci_dss_v321/requirement_8.pp
+++ b/pci_dss_v321/requirement_8.pp
@@ -141,7 +141,7 @@
 control.dynamodb_table_encrypted_with_kms,
 control.dynamodb_table_encryption_enabled,
 control.ebs_attached_volume_encryption_enabled,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.eks_cluster_secrets_encrypted,
 control.elb_application_lb_drop_http_headers,
diff --git a/soc_2/cc_6.pp b/soc_2/cc_6.pp
index dd0f5b19..659fd212 100644
--- a/soc_2/cc_6.pp
+++ b/soc_2/cc_6.pp
@@ -31,7 +31,7 @@
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_attached_volume_encryption_enabled,
 control.ebs_snapshot_not_publicly_restorable,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
 control.ec2_instance_ssm_managed,
@@ -107,7 +107,7 @@
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_attached_volume_encryption_enabled,
 control.ebs_snapshot_not_publicly_restorable,
- control.ec2_ebs_default_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
 control.ec2_instance_ssm_managed,
From d305d8fc0696748d242f82403a5b7d2627269b1f Mon Sep 17 00:00:00 2001
From: Cody Bruno
Date: Fri, 25 Oct 2024 12:11:49 -0400
Subject: [PATCH 03/10] Update CIS, FedRAMP, and RBI Cyber Security benchmarks to use EBS encryption by default control
---
 all_controls/ebs.pp | 1 +
 cis_compute_service_v100/section_2.pp | 4 ++--
 cis_v130/section_2.pp | 2 +-
 cis_v140/section_2.pp | 2 +-
 conformance_pack/ebs.pp | 2 +-
 fedramp_moderate_rev_4/sc.pp | 4 ++--
 rbi_cyber_security/annex_i_1_3.pp | 1 +
 7 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/all_controls/ebs.pp b/all_controls/ebs.pp
index 6d6c9d17..beefc067 100644
--- a/all_controls/ebs.pp
+++ b/all_controls/ebs.pp
@@ -10,6 +10,7 @@
 children = [
 control.ebs_attached_volume_delete_on_termination_enabled,
 control.ebs_attached_volume_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ebs_snapshot_encryption_enabled,
 control.ebs_snapshot_not_publicly_restorable,
 control.ebs_volume_encryption_at_rest_enabled,
diff --git a/cis_compute_service_v100/section_2.pp b/cis_compute_service_v100/section_2.pp
index 5166c7fc..38b58561 100644
--- a/cis_compute_service_v100/section_2.pp
+++ b/cis_compute_service_v100/section_2.pp
@@ -146,7 +146,7 @@
 control "cis_compute_service_v100_2_2_1" {
 title = "2.2.1 Ensure EBS volume encryption is enabled"
 description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
- query = query.ebs_volume_encryption_at_rest_enabled
+ query = query.ebs_encryption_by_default_enabled
 documentation = file("./cis_compute_service_v100/docs/cis_compute_service_v100_2_2_1.md")
 tags = merge(local.cis_compute_service_v100_2_2_common_tags, {
@@ -365,4 +365,4 @@
 cis_type = "automated"
 service = "AWS/EC2"
 })
-}
\ No newline at end of file
+}
diff --git a/cis_v130/section_2.pp b/cis_v130/section_2.pp
index 0a008286..05a9bdb9 100644
--- a/cis_v130/section_2.pp
+++ b/cis_v130/section_2.pp
@@ -85,7 +85,7 @@
 title = "2.2.1 Ensure EBS volume encryption is enabled"
 description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
 documentation = file("./cis_v130/docs/cis_v130_2_2_1.md")
- query = query.ebs_volume_encryption_at_rest_enabled
+ query = query.ebs_encryption_by_default_enabled
 tags = merge(local.cis_v130_2_2_common_tags, {
 cis_item_id = "2.2.1"
diff --git a/cis_v140/section_2.pp b/cis_v140/section_2.pp
index f8710305..75faf8bf 100644
--- a/cis_v140/section_2.pp
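Review bot: The `documentation = file(...)` references on the cis_compute_service_v100 and cis_v130 2.2.1 controls are left untouched while the query they sit next to changes from a per-volume check to the account/region-wide encryption-by-default setting, so if those docs still walk an auditor through inspecting individual volumes they now describe something the control does not measure. Encryption by default only governs volumes created after it is switched on, so a passing result here says nothing about pre-existing unencrypted volumes, and neither hunk adds another control that would still flag them. The new query's body is not in this patch; since the setting is per region, it presumably emits one row per enabled region, which is worth confirming. A one-sentence caveat in the referenced docs, e.g. "Enabling encryption by default does not encrypt volumes that already exist; audit those separately", would keep the docs honest about the new scope.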
+++ b/cis_v140/section_2.pp
@@ -134,7 +134,7 @@
 title = "2.2.1 Ensure EBS volume encryption is enabled"
 description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
 documentation = file("./cis_v140/docs/cis_v140_2_2_1.md")
- query = query.ebs_volume_encryption_at_rest_enabled
+ query = query.ebs_encryption_by_default_enabled
 tags = merge(local.cis_v140_2_2_common_tags, {
 cis_item_id = "2.2.1"
diff --git a/conformance_pack/ebs.pp b/conformance_pack/ebs.pp
index 7b9bcb77..eb854100 100644
--- a/conformance_pack/ebs.pp
+++ b/conformance_pack/ebs.pp
@@ -5,7 +5,7 @@
 }
 control "ebs_encryption_by_default_enabled" {
- title = "EBS default encryption should be enabled"
+ title = "EBS encryption by default should be enabled"
 description = "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes."
 query = query.ebs_encryption_by_default_enabled
diff --git a/fedramp_moderate_rev_4/sc.pp b/fedramp_moderate_rev_4/sc.pp
index f5052008..6a409199 100644
--- a/fedramp_moderate_rev_4/sc.pp
+++ b/fedramp_moderate_rev_4/sc.pp
@@ -236,7 +236,7 @@
 control.apigateway_stage_cache_encryption_at_rest_enabled,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.ebs_attached_volume_encryption_enabled,
- control.ebs_volume_encryption_at_rest_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
 control.kms_key_not_pending_deletion,
@@ -254,4 +254,4 @@
 ]
 tags = local.fedramp_moderate_rev_4_common_tags
-}
\ No newline at end of file
+}
diff --git a/rbi_cyber_security/annex_i_1_3.pp b/rbi_cyber_security/annex_i_1_3.pp
index 36847e54..604f7238 100644
--- a/rbi_cyber_security/annex_i_1_3.pp
+++ b/rbi_cyber_security/annex_i_1_3.pp
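Review bot: Swapping `control.ebs_volume_encryption_at_rest_enabled` for `control.ebs_encryption_by_default_enabled` in the fedramp_moderate_rev_4 SC benchmark narrows its coverage rather than extending it: the account-level default only applies to volumes created after it is enabled, so existing unencrypted volumes stop producing a finding under this benchmark once the per-volume control is gone (the remaining `ebs_attached_volume_encryption_enabled` appears, by name, to look only at attached volumes). The rbi_cyber_security hunk in this same commit adds the new control next to the existing ones instead of replacing one, and that shape is the safer one here: keep `control.ebs_volume_encryption_at_rest_enabled,` and add `control.ebs_encryption_by_default_enabled,` beside it. The enclosing benchmark block begins before this hunk.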
@@ -11,6 +11,7 @@
 control.dms_replication_instance_not_publicly_accessible,
 control.dynamodb_table_encrypted_with_kms,
 control.ebs_attached_volume_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
 control.ebs_snapshot_not_publicly_restorable,
 control.ebs_volume_encryption_at_rest_enabled,
 control.ec2_instance_in_vpc,
From 0dc770dc43b9ace37a711ec3bca31fd217491600 Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com> Date: Fri, 25 Oct 2024 21:43:22 +0530 Subject: [PATCH 04/10] Add CIS v4.0.0 (#836) --- cis_v400/cis.pp | 23 +++ cis_v400/docs/cis_overview.md | 82 ++++++++ cis_v400/docs/cis_v400_1.md | 3 + cis_v400/docs/cis_v400_1_1.md | 19 ++ cis_v400/docs/cis_v400_1_10.md | 29 +++ cis_v400/docs/cis_v400_1_11.md | 34 ++++ cis_v400/docs/cis_v400_1_12.md | 35 ++++ cis_v400/docs/cis_v400_1_13.md | 37 ++++ cis_v400/docs/cis_v400_1_14.md | 56 ++++++ cis_v400/docs/cis_v400_1_15.md | 36 ++++ cis_v400/docs/cis_v400_1_16.md | 51 +++++ cis_v400/docs/cis_v400_1_17.md | 38 ++++ cis_v400/docs/cis_v400_1_18.md | 44 ++++ cis_v400/docs/cis_v400_1_19.md | 25 +++ cis_v400/docs/cis_v400_1_2.md | 26 +++ cis_v400/docs/cis_v400_1_20.md | 33 +++ cis_v400/docs/cis_v400_1_21.md | 9 + cis_v400/docs/cis_v400_1_22.md | 14 ++ cis_v400/docs/cis_v400_1_3.md | 24 +++ cis_v400/docs/cis_v400_1_4.md | 19 ++ cis_v400/docs/cis_v400_1_5.md | 24 +++ cis_v400/docs/cis_v400_1_6.md | 24 +++ cis_v400/docs/cis_v400_1_7.md | 14 ++ cis_v400/docs/cis_v400_1_8.md | 25 +++ cis_v400/docs/cis_v400_1_9.md | 25 +++ cis_v400/docs/cis_v400_2.md | 3 + cis_v400/docs/cis_v400_2_1.md | 3 + cis_v400/docs/cis_v400_2_1_1.md | 121 +++++++++++ cis_v400/docs/cis_v400_2_1_2.md | 21 ++ cis_v400/docs/cis_v400_2_1_3.md | 44 ++++ cis_v400/docs/cis_v400_2_1_4.md | 55 +++++ cis_v400/docs/cis_v400_2_2.md | 3 + cis_v400/docs/cis_v400_2_2_1.md | 69 +++++++ cis_v400/docs/cis_v400_2_2_2.md | 41 ++++ cis_v400/docs/cis_v400_2_2_3.md | 46 +++++ cis_v400/docs/cis_v400_2_2_4.md | 37 ++++ cis_v400/docs/cis_v400_2_3.md | 3 + cis_v400/docs/cis_v400_2_3_1.md | 69 +++++++ cis_v400/docs/cis_v400_3.md | 3 + cis_v400/docs/cis_v400_3_1.md | 47 +++++ cis_v400/docs/cis_v400_3_2.md | 36 ++++ cis_v400/docs/cis_v400_3_3.md | 54 +++++ cis_v400/docs/cis_v400_3_4.md | 59 ++++++ cis_v400/docs/cis_v400_3_5.md | 37 ++++ cis_v400/docs/cis_v400_3_6.md | 25 +++ cis_v400/docs/cis_v400_3_7.md | 102 ++++++++++ 
cis_v400/docs/cis_v400_3_8.md | 31 +++ cis_v400/docs/cis_v400_3_9.md | 31 +++ cis_v400/docs/cis_v400_4.md | 5 + cis_v400/docs/cis_v400_4_1.md | 44 ++++ cis_v400/docs/cis_v400_4_10.md | 44 ++++ cis_v400/docs/cis_v400_4_11.md | 41 ++++ cis_v400/docs/cis_v400_4_12.md | 41 ++++ cis_v400/docs/cis_v400_4_13.md | 41 ++++ cis_v400/docs/cis_v400_4_14.md | 41 ++++ cis_v400/docs/cis_v400_4_15.md | 41 ++++ cis_v400/docs/cis_v400_4_16.md | 32 +++ cis_v400/docs/cis_v400_4_2.md | 52 +++++ cis_v400/docs/cis_v400_4_3.md | 43 ++++ cis_v400/docs/cis_v400_4_4.md | 43 ++++ cis_v400/docs/cis_v400_4_5.md | 42 ++++ cis_v400/docs/cis_v400_4_6.md | 44 ++++ cis_v400/docs/cis_v400_4_7.md | 43 ++++ cis_v400/docs/cis_v400_4_8.md | 43 ++++ cis_v400/docs/cis_v400_4_9.md | 43 ++++ cis_v400/docs/cis_v400_5.md | 3 + cis_v400/docs/cis_v400_5_1.md | 3 + cis_v400/docs/cis_v400_5_1_1.md | 31 +++ cis_v400/docs/cis_v400_5_1_2.md | 34 ++++ cis_v400/docs/cis_v400_5_2.md | 20 ++ cis_v400/docs/cis_v400_5_3.md | 19 ++ cis_v400/docs/cis_v400_5_4.md | 19 ++ cis_v400/docs/cis_v400_5_5.md | 37 ++++ cis_v400/docs/cis_v400_5_6.md | 23 +++ cis_v400/docs/cis_v400_5_7.md | 39 ++++ cis_v400/section_1.pp | 346 ++++++++++++++++++++++++++++++++ cis_v400/section_2.pp | 199 ++++++++++++++++++ cis_v400/section_3.pp | 151 ++++++++++++++ cis_v400/section_4.pp | 257 ++++++++++++++++++++++++ cis_v400/section_5.pp | 155 ++++++++++++++ conformance_pack/vpc.pp | 50 +++++ 81 files changed, 3758 insertions(+) create mode 100644 cis_v400/cis.pp create mode 100644 cis_v400/docs/cis_overview.md create mode 100644 cis_v400/docs/cis_v400_1.md create mode 100644 cis_v400/docs/cis_v400_1_1.md create mode 100644 cis_v400/docs/cis_v400_1_10.md create mode 100644 cis_v400/docs/cis_v400_1_11.md create mode 100644 cis_v400/docs/cis_v400_1_12.md create mode 100644 cis_v400/docs/cis_v400_1_13.md create mode 100644 cis_v400/docs/cis_v400_1_14.md create mode 100644 cis_v400/docs/cis_v400_1_15.md create mode 100644 cis_v400/docs/cis_v400_1_16.md 
create mode 100644 cis_v400/docs/cis_v400_1_17.md create mode 100644 cis_v400/docs/cis_v400_1_18.md create mode 100644 cis_v400/docs/cis_v400_1_19.md create mode 100644 cis_v400/docs/cis_v400_1_2.md create mode 100644 cis_v400/docs/cis_v400_1_20.md create mode 100644 cis_v400/docs/cis_v400_1_21.md create mode 100644 cis_v400/docs/cis_v400_1_22.md create mode 100644 cis_v400/docs/cis_v400_1_3.md create mode 100644 cis_v400/docs/cis_v400_1_4.md create mode 100644 cis_v400/docs/cis_v400_1_5.md create mode 100644 cis_v400/docs/cis_v400_1_6.md create mode 100644 cis_v400/docs/cis_v400_1_7.md create mode 100644 cis_v400/docs/cis_v400_1_8.md create mode 100644 cis_v400/docs/cis_v400_1_9.md create mode 100644 cis_v400/docs/cis_v400_2.md create mode 100644 cis_v400/docs/cis_v400_2_1.md create mode 100644 cis_v400/docs/cis_v400_2_1_1.md create mode 100644 cis_v400/docs/cis_v400_2_1_2.md create mode 100644 cis_v400/docs/cis_v400_2_1_3.md create mode 100644 cis_v400/docs/cis_v400_2_1_4.md create mode 100644 cis_v400/docs/cis_v400_2_2.md create mode 100644 cis_v400/docs/cis_v400_2_2_1.md create mode 100644 cis_v400/docs/cis_v400_2_2_2.md create mode 100644 cis_v400/docs/cis_v400_2_2_3.md create mode 100644 cis_v400/docs/cis_v400_2_2_4.md create mode 100644 cis_v400/docs/cis_v400_2_3.md create mode 100644 cis_v400/docs/cis_v400_2_3_1.md create mode 100644 cis_v400/docs/cis_v400_3.md create mode 100644 cis_v400/docs/cis_v400_3_1.md create mode 100644 cis_v400/docs/cis_v400_3_2.md create mode 100644 cis_v400/docs/cis_v400_3_3.md create mode 100644 cis_v400/docs/cis_v400_3_4.md create mode 100644 cis_v400/docs/cis_v400_3_5.md create mode 100644 cis_v400/docs/cis_v400_3_6.md create mode 100644 cis_v400/docs/cis_v400_3_7.md create mode 100644 cis_v400/docs/cis_v400_3_8.md create mode 100644 cis_v400/docs/cis_v400_3_9.md create mode 100644 cis_v400/docs/cis_v400_4.md create mode 100644 cis_v400/docs/cis_v400_4_1.md create mode 100644 cis_v400/docs/cis_v400_4_10.md create mode 100644 
cis_v400/docs/cis_v400_4_11.md create mode 100644 cis_v400/docs/cis_v400_4_12.md create mode 100644 cis_v400/docs/cis_v400_4_13.md create mode 100644 cis_v400/docs/cis_v400_4_14.md create mode 100644 cis_v400/docs/cis_v400_4_15.md create mode 100644 cis_v400/docs/cis_v400_4_16.md create mode 100644 cis_v400/docs/cis_v400_4_2.md create mode 100644 cis_v400/docs/cis_v400_4_3.md create mode 100644 cis_v400/docs/cis_v400_4_4.md create mode 100644 cis_v400/docs/cis_v400_4_5.md create mode 100644 cis_v400/docs/cis_v400_4_6.md create mode 100644 cis_v400/docs/cis_v400_4_7.md create mode 100644 cis_v400/docs/cis_v400_4_8.md create mode 100644 cis_v400/docs/cis_v400_4_9.md create mode 100644 cis_v400/docs/cis_v400_5.md create mode 100644 cis_v400/docs/cis_v400_5_1.md create mode 100644 cis_v400/docs/cis_v400_5_1_1.md create mode 100644 cis_v400/docs/cis_v400_5_1_2.md create mode 100644 cis_v400/docs/cis_v400_5_2.md create mode 100644 cis_v400/docs/cis_v400_5_3.md create mode 100644 cis_v400/docs/cis_v400_5_4.md create mode 100644 cis_v400/docs/cis_v400_5_5.md create mode 100644 cis_v400/docs/cis_v400_5_6.md create mode 100644 cis_v400/docs/cis_v400_5_7.md create mode 100644 cis_v400/section_1.pp create mode 100644 cis_v400/section_2.pp create mode 100644 cis_v400/section_3.pp create mode 100644 cis_v400/section_4.pp create mode 100644 cis_v400/section_5.pp diff --git a/cis_v400/cis.pp b/cis_v400/cis.pp new file mode 100644 index 00000000..f0aea089 --- /dev/null +++ b/cis_v400/cis.pp 
@@ -0,0 +1,23 @@
+locals {
+ cis_v400_common_tags = merge(local.aws_compliance_common_tags, {
+ cis = "true"
+ cis_version = "v4.0.0"
+ })
+}
+
+benchmark "cis_v400" {
+ title = "CIS v4.0.0"
+ description = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings."
+ documentation = file("./cis_v400/docs/cis_overview.md")
+ children = [
+ benchmark.cis_v400_1,
+ benchmark.cis_v400_2,
+ benchmark.cis_v400_3,
+ benchmark.cis_v400_4,
+ benchmark.cis_v400_5
+ ]
+
+ tags = merge(local.cis_v400_common_tags, {
+ type = "Benchmark"
+ })
+}
diff --git a/cis_v400/docs/cis_overview.md b/cis_v400/docs/cis_overview.md
new file mode 100644
index 00000000..6301a6e4
--- /dev/null
+++ b/cis_v400/docs/cis_overview.md
@@ -0,0 +1,82 @@ +To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org. + +## Overview + +All CIS BenchmarksTM focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like: + +- Monitoring the base operating system and applications for vulnerabilities and quickly updating with the latest security patches. +- End-point protection (Antivirus software, Endpoint Detection and Response (EDR), etc.). +- Logging and monitoring user and system activity. + +In the end, the CIS BenchmarksTM are designed to be a key component of a comprehensive cybersecurity program. + +### Important Usage Information + +All CIS BenchmarksTM are available free for non-commercial use from the [CIS Website](https://www.cisecurity.org/cis-benchmarks). They can be used to manually assess and remediate systems and applications. In lieu of manual assessment and remediation, there are several tools available to assist with assessment: +- [CIS Configuration Assessment Tool (CIS-CAT® Pro Assessor)](https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro) +- [CIS BenchmarksTM Certified 3rd Party Tooling](https://www.cisecurity.org/cis-securesuite/members/vendors) + +These tools make the hardening process much more scalable for large numbers of systems and applications. + +### NOTE: +Some tooling focuses only on the CIS BenchmarksTM Recommendations that can be fully automated (skipping ones marked Manual). It is important that ALL Recommendations (Automated and Manual) be addressed, since all are important for properly securing systems and are typically in scope for audits. + +In addition, CIS has developed CIS [Build Kits](https://www.cisecurity.org/cis-securesuite/cis-securesuite-build-kit-content) for some common technologies to assist in applying CIS BenchmarksTM Recommendations. 
+ +When remediating systems (changing configuration settings on deployed systems as per the CIS BenchmarksTM Recommendations), please approach this with caution and test thoroughly. + + +The following is a reasonable remediation approach to follow: + +1. NEVER deploy a CIS Build Kit, or any internally developed remediation method, to production systems without proper testing. +2. Proper testing consists of the following: + - Understand the configuration (including installed applications) of the targeted systems. + - Read the Impact section of the given Recommendation to help determine if there might be an issue with the targeted systems. + - Test the configuration changes on representative lab system(s). This way if there is some issue it can be resolved prior to deploying to any production systems. + - When confident, initially deploy to a small sub-set of users and monitor closely for issues. This way if there is some issue it can be resolved prior to deploying more broadly. + - When confident, iteratively deploy to additional groups and monitor closely for issues until deployment is complete. This way if there is some issue it can be resolved prior to continuing deployment. + +### NOTE: +CIS and the CIS BenchmarksTM development communities in CIS WorkBench do their best to test and have high confidence in the Recommendations, but they cannot test potential conflicts with all possible system deployments. Known potential issues identified during CIS BenchmarksTM development are documented in the Impact section of each Recommendation. + +By using CIS and/or CIS BenchmarksTM Certified tools, and being careful with remediation deployment, it is possible to harden large numbers of deployed systems in a cost effective, efficient, and safe manner. + +### NOTE: +As previously stated, the PDF versions of the CIS BenchmarksTM are available for free, non-commercial use on the [CIS Website](https://www.cisecurity.org/cis-benchmarks). 
All other formats of the CIS BenchmarksTM (MS Word, Excel, and [Build Kits](https://www.cisecurity.org/cis-securesuite/cis-securesuite-build-kit-content)) are available for CIS [SecureSuite®](https://www.cisecurity.org/cis-securesuite) members. + +CIS-CAT® Pro is also available to CIS [SecureSuite®](https://www.cisecurity.org/cis-securesuite) members. + +### Target Technology Details + +This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include: + +- AWS Identity and Access Management (IAM) +- IAM Access Analyzer +- AWS Config +- AWS CloudTrail +- AWS CloudWatch +- AWS Simple Notification Service (SNS) +- AWS Simple Storage Service (S3) +- Elastic Compute Cloud (EC2) +- Relational Database Service (RDS) +- AWS VPC + +## Profiles Definitions + +The following configuration profiles are defined by this Benchmark: + +### Level 1 + +Items in this profile intend to: + - be practical and prudent; + - provide security focused best practice hardening of a technology; and + - limit impact to the utility of the technology beyond acceptable means. + +### Level 2 + +This profile extends the "Level 1" profile. Items in this profile exhibit one or more +of the following characteristics: + - are intended for environments or use cases where security is more critical than manageability and usability + - acts as defense in depth measure + - may impact the utility or performance of the technology + - may include additional licensing, cost, or addition of third party software \ No newline at end of file diff --git a/cis_v400/docs/cis_v400_1.md b/cis_v400/docs/cis_v400_1.md new file mode 100644 index 00000000..47ec3e90 --- /dev/null +++ b/cis_v400/docs/cis_v400_1.md 
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring identity and access management related options.
diff --git a/cis_v400/docs/cis_v400_1_1.md b/cis_v400/docs/cis_v400_1_1.md
new file mode 100644
index 00000000..ac52219a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_1.md
@@ -0,0 +1,19 @@
+## Description
+
+Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
+
+An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.
+
+If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.
+
+## Remediation
+
+This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing).
+1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.
+2. On the navigation bar, choose your account name, and then choose `Account`.
+3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.
+4. Next to the field that you need to update, choose `Edit`.
+5. After you have entered your changes, choose `Save changes`.
+6. After you have made your changes, choose `Done`.
+7. To edit your contact information, under `Contact Information`, choose `Edit`.
+8. For the fields that you want to change, type your updated information, and then choose `Update`.
diff --git a/cis_v400/docs/cis_v400_1_10.md b/cis_v400/docs/cis_v400_1_10.md
new file mode 100644
index 00000000..11e406d5
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_10.md
@@ -0,0 +1,29 @@
+## Description
+
+Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
+
+Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.
+
+## Remediation
+
+Perform the following to enable MFA:
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'.
+2. In the left pane, select `Users`.
+3. In the `User Name` list, choose the name of the intended MFA user.
+4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`.
+5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.
+
+IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
+
+6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
+7. Determine whether the MFA app supports QR codes, and then do one of the following:
+- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
+- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
+
+When you are finished, the virtual MFA device starts generating one-time passwords.
+
+8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new `one-time password`. Then type the second one- time password into the `MFA Code 2 box`.
+9. Click `Assign MFA`.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_11.md b/cis_v400/docs/cis_v400_1_11.md
new file mode 100644
index 00000000..610f2961
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_11.md
@@ -0,0 +1,34 @@
+## Description
+
+AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require.
+
+Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.
+
+AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.
+
+Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.
+
+**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.
+
+## Remediation
+
+Perform the following to delete access keys that do not pass the audit:
+
+### From Console:
+
+1. Log into the AWS Management Console:
+2. Click `Services`.
+3. Click `IAM`.
+4. Click on `Users`.
+5. Click on `Security Credentials`.
+6. As an Administrator
+- Click on the X (`Delete`) for keys that were created at the same time as the user profile but have not been used.
+
+7. As an IAM User
+- Click on the X (`Delete`) for keys that were created at the same time as the user profile but have not been used.
+
+### From Command Line:
+
+```bash
+aws iam delete-access-key --access-key-id --user-name
+```
diff --git a/cis_v400/docs/cis_v400_1_12.md b/cis_v400/docs/cis_v400_1_12.md
new file mode 100644
index 00000000..62d02a86
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_12.md
@@ -0,0 +1,35 @@
+## Description
+
+AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.
+
+Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
+
+## Remediation
+
+### From Console:
+
+Perform the following to manage Unused Password (IAM user console access)
+
+1. Login to the AWS Management Console:
+2. Click `Services`.
+3. Click `IAM`.
+4. Click on `Users`.
+5. Click on `Security Credentials`.
+6. Select user whose `Console last sign-in` is greater than 45 days.
+7. Click `Security credentials`.
+8. In section `Sign-incredentials`, `Console password` click `Manage`.
+9. Under Console Access select `Disable`.
+10. Click `Apply`
+
+Perform the following to deactivate Access Keys:
+
+1. Login to the AWS Management Console:
+2. Click `Services`.
+3. Click `IAM`.
+4. Click on `Users`.
+5. Click on `Security Credentials`.
+6. Select any access keys that are over 45 days old and that have been used and
+- Click on `Make inactive`.
+
+7. Select any access keys that are over 45 days old and that have not been used and
+- Click the X to `Delete`.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_13.md b/cis_v400/docs/cis_v400_1_13.md
new file mode 100644
index 00000000..dc0094b4
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_13.md
@@ -0,0 +1,37 @@
+## Description
+
+Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
+
+One of the best ways to protect your account is to not allow users to have multiple access keys.
+
+## Remediation
+
+### From Console:
+
+1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
+2. In the left navigation panel, choose `Users`.
+3. Click on the IAM user name that you want to examine.
+4. On the IAM user configuration page, select `Security Credentials` tab.
+5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
+6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link.
+7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key.
+8. Repeat steps 3-7 for each IAM user in your AWS account.
+
+### From Command Line:
+
+1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
+2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user.
+
+**Note** - the command does not return any output:
+```bash
+aws iam update-access-key --access-key-id --status Inactive --user-name
+```
+3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User:
+
+```bash
+aws iam list-access-keys --user-name
+```
+
+- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.
+
+4. Repeat steps 1-3 for each IAM user in your AWS account.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_14.md b/cis_v400/docs/cis_v400_1_14.md
new file mode 100644
index 00000000..5438c53c
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_14.md
@@ -0,0 +1,56 @@
+## Description
+
+Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be rotated regularly.
+
+Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
+
+Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
+
+## Remediation
+
+Perform the following to rotate access keys:
+
+### From Console:
+
+1. Go to Management Console(https://console.aws.amazon.com/iam).
+2. Click on `Users`.
+3. Click on `Security Credentials`.
+4. As an Administrator
+ - Click on `Make Inactive` for keys that have not been rotated in `90` Days.
+5. As an IAM User
+ - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days.
+6. Click on `Create Access Key`.
+7. Update programmatic call with new Access Key credentials.
+
+### From Command Line:
+
+1. While the first access key is still active, create a second access key, which is active by default. Run the following command:
+
+```bash
+aws iam create-access-key
+```
+
+At this point, the user has two active access keys.
+
+2. Update all applications and tools to use the new access key pair.
+3. Determine whether the first access key is still in use by using this command:
+
+```bash
+aws iam get-access-key-last-used
+```
+
+4. One approach is to wait several days and then check the old access key for any use before proceeding.
+
+Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:
+
+```bash
+aws iam update-access-key
+```
+
+5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the
+first access key. Then return to step 2 and update this application to use the new key.
+6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:
+
+```bash
+aws iam delete-access-key
+```
diff --git a/cis_v400/docs/cis_v400_1_15.md b/cis_v400/docs/cis_v400_1_15.md
new file mode 100644
index 00000000..9693243e
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_15.md
@@ -0,0 +1,36 @@
+## Description
+
+IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, also known as an inline or user policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.
+
+Only the third implementation is recommended.
+
+Assigning IAM policies solely through groups unifies permissions management into a single, flexible layer that is consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
+
+## Remediation
+
+Perform the following to create an IAM group and assign a policy to it:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. In the navigation pane, click `Groups` and then click `Create New Group`.
+3. In the `Group Name` box, type the name of the group and then click `Next Step`.
+4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step`.
+5. Click `Create Group`.
+
+Perform the following to add a user to a given group:
+
+1. Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. In the navigation pane, click `Groups`.
+3. Select the group to add a user to
+4. Click `Add Users To Group`
+5. Select the users to be added to the group
+6. Click `Add Users`
+
+Perform the following to remove a direct association between a user and policy:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. In the left navigation pane, click on Users.
+3. For each user:
+ - Select the user.
+ - Click on the `Permissions` tab.
+ - Expand `Permissions policies`.
+ - Click `X` for each policy; then click Detach or Remove (depending on policy type).
diff --git a/cis_v400/docs/cis_v400_1_16.md b/cis_v400/docs/cis_v400_1_16.md
new file mode 100644
index 00000000..627b974a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_16.md
@@ -0,0 +1,51 @@
+## Description
+
+IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do, and then craft policies for them that allow the users to perform only those tasks, instead of granting full administrative privileges.
+
+It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then attempting to tighten them later.
+
+Providing full administrative privileges instead of restricting access to the minimum set of permissions required for the user exposes resources to potentially unwanted actions.
+
+IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.
+
+## Remediation
+
+### From Console:
+
+Perform the following to detach the policy that has full administrative privileges:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
+3. Select the policy that needs to be deleted.
+4. In the policy action menu, select first `Detach`.
+5. Select all Users, Groups, Roles that have this policy attached.
+6. Click `Detach Policy`.
+7. In the policy action menu, select `Detach`.
+
+### From Command Line:
+
+Perform the following to detach the policy that has full administrative privileges as found in the audit step:
+
+1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.
+
+```bash
+aws iam list-entities-for-policy --policy-arn
+```
+
+2. Detach the policy from all IAM Users:
+
+```bash
+aws iam detach-user-policy --user-name --policy-arn
+```
+
+3. Detach the policy from all IAM Groups:
+
+```bash
+aws iam detach-group-policy --group-name --policy-arn
+```
+
+4. Detach the policy from all IAM Roles:
+
+```bash
+aws iam detach-role-policy --role-name --policy-arn
+```
diff --git a/cis_v400/docs/cis_v400_1_17.md b/cis_v400/docs/cis_v400_1_17.md
new file mode 100644
index 00000000..9291f8ca
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_17.md
@@ -0,0 +1,38 @@
+## Description
+
+AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support.
+
+By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
+
+## Remediation
+
+### From Command Line:
+
+1. Create an IAM role for managing incidents with AWS:
+ - Create a trust relationship policy document that allows to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json.
+```json
+ {
+ "Version":"2012-10-17",
+ "Statement":[
+ {
+ "Effect":"Allow",
+ "Principal":{
+ "AWS":""
+ },
+ "Action":"sts:AssumeRole"
+ }
+ ]
+ }
+```
+
+2. Create the IAM role using the above trust policy.
+
+```bash
+aws iam create-role --role-name --assume-role-policy- document file:///tmp/TrustPolicy.json
+```
+
+3. Attach 'AWSSupportAccess' managed policy to the created IAM role:
+
+```bash
+aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name
+```
diff --git a/cis_v400/docs/cis_v400_1_18.md b/cis_v400/docs/cis_v400_1_18.md
new file mode 100644
index 00000000..eac27372
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_18.md
@@ -0,0 +1,44 @@
+## Description
+
+AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.
+
+AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.
+
+Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.
+
+## Remediation
+
+### From Console:
+
+1. Sign in to the AWS Management Console and navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
+2. In the left navigation panel, choose `Instances`.
+3. Select the EC2 instance you want to modify.
+4. Click `Actions`.
+5. Click `Security`.
+6. Click `Modify IAM role`.
+7. Click `Create new IAM role` if a new IAM role is required.
+8. Select the IAM role you want to attach to your instance in the `IAM role` dropdown.
+9. Click `Update IAM role`.
+10. Repeat steps 3 to 9 for each EC2 instance in your AWS account that requires an IAM role to be attached.
+
+### From Command Line:
+
+1. Run the `describe-instances` command to list all EC2 instance IDs, available in the selected AWS region:
+
+```bash
+aws ec2 describe-instances --region --query 'Reservations[*].Instances[*].InstanceId'
+```
+
+2. Run the `associate-iam-instance-profile` command to attach an instance profile (which is attached to an IAM role) to the EC2 instance:
+
+```bash
+aws ec2 associate-iam-instance-profile --region --instance-id --iam-instance-profile Name="Instance-Profile-Name"
+```
+
+3. Run the `describe-instances` command again for the recently modified EC2 instance. The command output should return the instance profile ARN and ID:
+
+```bash
+aws ec2 describe-instances --region --instance-id --query 'Reservations[*].Instances[*].IamInstanceProfile'
+```
+
+4. Repeat steps 2 and 3 for each EC2 instance in your AWS account that requires an IAM role to be attached.
diff --git a/cis_v400/docs/cis_v400_1_19.md b/cis_v400/docs/cis_v400_1_19.md
new file mode 100644
index 00000000..0762e1e8
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_19.md
@@ -0,0 +1,25 @@
+## Description
+
+To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
+
+Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.
+
+## Remediation
+
+### From Console:
+
+Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM through the AWS API, use the Command Line Interface (CLI).
+
+### From Command Line:
+
+To delete an expired certificate, run the following command by replacing with the name of the certificate to delete:
+
+```bash
+aws iam delete-server-certificate --server-certificate-name
+```
+
+When the preceding command is successful, it does not return any output.
+
+### Default Value:
+
+By default, expired certificates will not be deleted.
diff --git a/cis_v400/docs/cis_v400_1_2.md b/cis_v400/docs/cis_v400_1_2.md
new file mode 100644
index 00000000..5b5695a1
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_2.md
@@ -0,0 +1,26 @@
+## Description
+
+AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.
+
+Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.
+
+## Remediation
+
+Perform the following to establish security contact information:
+
+### From Console:
+
+1. Click on your account name at the top right corner of the console.
+2. From the drop-down menu Click `My Account`.
+3. Scroll down to the `Alternate Contacts` section.
+4. Enter contact information in the `Security` section.
+
+### From Command Line:
+
+Run the following command with the following input parameters: --email-address, --name, and --phone-number.
+
+```bash
+aws account put-alternate-contact --alternate-contact-type SECURITY
+```
+
+**Note**: Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_20.md b/cis_v400/docs/cis_v400_1_20.md
new file mode 100644
index 00000000..ce03a98a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_20.md
@@ -0,0 +1,33 @@
+## Description
+
+Enable IAM Access analyzer for IAM policies about all resources in each active AWS region.
+
+IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.
+
+AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic- based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS (Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
+
+## Remediation
+
+### From Console:
+
+Perform the following to enable IAM Access analyzer for IAM policies:
+
+1. Open the IAM console athttps://console.aws.amazon.com/iam/.
+2. Choose `Access analyzer`.
+3. Choose `Create analyzer`.
+4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer.
+5. Optionally enter a name for the analyzer.
+6. Optionally add any tags that you want to apply to the analyzer.
+7. Choose `Create Analyzer`.
+8. Repeat these step for each active region.
+
+### From Command Line:
+
+Run the following command:
+
+```bash
+aws accessanalyzer create-analyzer --analyzer-name --type
+```
+Repeat this command above for each active region.
+
+**Note**: The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_21.md b/cis_v400/docs/cis_v400_1_21.md
new file mode 100644
index 00000000..c760df44
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_21.md
@@ -0,0 +1,9 @@
+## Description
+
+In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
+
+Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.
+
+## Remediation
+
+The remediation procedure will vary based on each individual organization's implementation of identity federation and/or AWS Organizations, with the acceptance criteria that no non-service IAM users and non-root accounts are present outside theaccount providing centralized IAM user management.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_22.md b/cis_v400/docs/cis_v400_1_22.md
new file mode 100644
index 00000000..00cafacc
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_22.md
@@ -0,0 +1,14 @@
+## Description
+
+AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.
+
+Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.
+
+## Remediation
+
+### From Console:
+
+1. Open the IAM console at https://console.aws.amazon.com/iam/.
+2. In the left pane, select Policies.
+3. Search for and select AWS CloudShellFullAccess.
+4. On the Entities attached tab, for each item, check the box and select Detach.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_3.md b/cis_v400/docs/cis_v400_1_3.md
new file mode 100644
index 00000000..a2373cc3
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_3.md
@@ -0,0 +1,24 @@
+## Description
+
+The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.
+
+When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Account as the 'root' user.
+2. Click on the from the top right of the console.
+3. From the drop-down menu Click My Account.
+4. Scroll down to the `Configure Security Questions` section.
+5. Click on `Edit`.
+6. Click on each `Question`.
+
+- From the drop-down select an appropriate question.
+- Click on the `Answer` section.
+- Enter an appropriate answer.
+ - Follow process for all 3 questions.
+
+7. Click `Update` when complete.
+8. Save Questions and Answers and place in a secure physical location.
diff --git a/cis_v400/docs/cis_v400_1_4.md b/cis_v400/docs/cis_v400_1_4.md
new file mode 100644
index 00000000..876926ac
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_4.md
@@ -0,0 +1,19 @@
+## Description
+
+The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted.
+
+Deleting access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, deleting the 'root' access keys encourages the creation and use of role based accounts that are least privileged.
+
+## Remediation
+
+Perform the following to delete active 'root' user access keys.
+
+### From Console:
+
+1. Sign in to the AWS Management Console as 'root' and open the IAM console at https://console.aws.amazon.com/iam/.
+2. Click on `` at the top right and select `My Security Credentials` from the drop down list.
+3. On the pop out screen click on `Continue to Security Credentials`.
+4. Click on `Access Keys` (Access Key ID and Secret Access Key).
+5. If there are active keys, under Status, click Delete (Note: Deleted keys cannot be recovered).
+
+**Note**: While a key can be made inactive, this inactive key will still show up in the CLI command from the audit procedure, and may lead to the root user being falsely flagged as being non-compliant.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_5.md b/cis_v400/docs/cis_v400_1_5.md
new file mode 100644
index 00000000..8178ee08
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_5.md
@@ -0,0 +1,24 @@
+## Description
+
+The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.
+
+**Note**: When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is kept charged and secured, independent of any individual personal devices ("non- personal virtual MFA"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.
+
+Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.
+
+## Remediation:
+
+**Note** To manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.
+Perform the following to establish MFA for the 'root' user account:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. Choose `Dashboard`, and under `Security Status`, expand `Activate MFA` on your root account.
+3. Choose `Activate MFA`.
+4. In the wizard, choose `A virtual MFA` device and then choose `Next Step`.
+5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
+6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
+7. Determine whether the MFA app supports QR codes, and then do one of the following:
+ - o Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
+ - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
+
+When you are finished, the virtual MFA device starts generating one-time passwords. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_6.md b/cis_v400/docs/cis_v400_1_6.md
new file mode 100644
index 00000000..e6371335
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_6.md
@@ -0,0 +1,24 @@
+## Description
+
+The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.
+
+A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.
+
+**Note**: Using hardware MFA for numerous AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively for the highest security AWS accounts, while applying the Level 1 recommendation to the remaining accounts.
+
+## Remediation
+
+**Note:** To manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.
+
+Perform the following to establish a hardware MFA for the 'root' user account:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
+2. Choose `Dashboard`, and under `Security Status`, expand `Activate MFA` on your root account.
+3. Choose `Activate MFA`.
+4. In the wizard, choose `A hardware MFA` device and then choose `Next Step`.
+5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device.
+6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
+7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number.
+8. Choose `Next Step`. The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.
+
+Remediation for this recommendation is not available through AWS CLI.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_7.md b/cis_v400/docs/cis_v400_1_7.md
new file mode 100644
index 00000000..7aa51b35
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_7.md
@@ -0,0 +1,14 @@
+## Description
+
+With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
+
+The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.
+
+## Remediation
+
+If you find that the 'root' user account is being used for daily activities, including administrative tasks that do not require the 'root' user:
+
+1. Change the 'root' user password.
+2. Deactivate or delete any access keys associate with the 'root' user.
+
+Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_1_8.md b/cis_v400/docs/cis_v400_1_8.md
new file mode 100644
index 00000000..feb5a9b6
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_8.md
@@ -0,0 +1,25 @@
+## Description
+
+Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length 14.
+
+Setting a password complexity policy increases account resiliency against brute force login attempts.
+
+## Remediation
+
+Perform the following to set the password policy as prescribed:
+
+### From Console:
+
+1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
+2. Goto IAM Service on the AWS Console.
+3. Click on Account Settings on the Left Pane.
+4. Set "Minimum password length" to `14` or greater.
+5. Click "Apply password policy".
+
+### From Command Line:
+
+```bash
+aws iam update-account-password-policy --minimum-password-length 14
+```
+
+**Note**: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
diff --git a/cis_v400/docs/cis_v400_1_9.md b/cis_v400/docs/cis_v400_1_9.md
new file mode 100644
index 00000000..388ab947
--- /dev/null
+++ b/cis_v400/docs/cis_v400_1_9.md
@@ -0,0 +1,25 @@
+## Description
+
+IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
+
+Preventing password reuse increases account resiliency against brute force login attempts.
+
+## Remediation
+
+Perform the following to set the password policy as prescribed:
+
+### From Console:
+
+1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
+2. Go to IAM Service on the AWS Console.
+3. Click on Account Settings on the Left Pane.
+4. Check "Prevent password reuse".
+5. Set "Number of passwords to remember" is set to `24`.
+
+### From Command Line:
+
+```bash
+aws iam update-account-password-policy --password-reuse-prevention 24
+```
+
+**Note**: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
diff --git a/cis_v400/docs/cis_v400_2.md b/cis_v400/docs/cis_v400_2.md
new file mode 100644
index 00000000..3c5a8812
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS Storage.
diff --git a/cis_v400/docs/cis_v400_2_1.md b/cis_v400/docs/cis_v400_2_1.md
new file mode 100644
index 00000000..c5b50b55
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_1.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS Simple Storage Service (S3) Buckets.
diff --git a/cis_v400/docs/cis_v400_2_1_1.md b/cis_v400/docs/cis_v400_2_1_1.md
new file mode 100644
index 00000000..34980f76
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_1_1.md
@@ -0,0 +1,121 @@
+## Description
+
+At the Amazon S3 bucket level, you can configure permissions through a bucket policy, making the objects accessible only through HTTPS.
+
+By default, Amazon S3 allows both HTTP and HTTPS requests. To ensure that access to Amazon S3 objects is only permitted through HTTPS, you must explicitly deny HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.
+
+## Remediation
+
+### From Console:
+
+1. Log in to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
+2. Select the Check box next to the Bucket.
+3. Click on 'Permissions'.
+4. Click 'Bucket Policy'.
+5. Add this to the existing policy filling in the required information.
+
+```bash
+{
+ "Sid": "",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:*",
+ "Resource": "arn:aws:s3:::/*",
+ "Condition":{
+ "Bool":{
+ "aws:SecureTransport": "false"
+ }
+ }
+}
+```
+or
+```bash
+{
+ "Sid": "",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::",
+ "arn:aws:s3:::/*"
+ ],
+ "Condition":{
+ "NumericLessThan":{
+ "s3:TlsVersion": "1.2"
+ }
+ }
+}
+```
+
+6. Save.
+7. Repeat for all the buckets in your AWS account that contain sensitive data.
+
+### From Console
+
+Using AWS Policy Generator:
+
+1. Repeat steps 1-4 above.
+2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor.
+3. Select Policy Type `S3 Bucket Policy`.
+4. Add Statements
+- `Effect` = Deny
+- `Principal` = *
+- `AWS Service` = Amazon S3
+- `Actions` = *
+- `Amazon Resource Name` = <ARN of the S3 Bucket>
+5. Generate Policy.
+6. Copy the text and add it to the Bucket Policy.
+
+### From Command Line:
+
+1. Export the bucket policy to a json file.
+
+```bash
+ aws s3api get-bucket-policy --bucket --query Policy --output text > policy.json
+```
+
+2. Modify the policy.json file by adding in this statement:
+
+```bash
+{
+ "Sid": "",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:*",
+ "Resource": "arn:aws:s3:::/*",
+ "Condition":{
+ "Bool":{
+ "aws:SecureTransport": "false"
+ }
+ }
+}
+```
+or
+
+```bash
+{
+ "Sid": "",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::",
+ "arn:aws:s3:::/*"
+ ],
+ "Condition":{
+ "NumericLessThan":{
+ "s3:TlsVersion": "1.2"
+ }
+ }
+}
+```
+
+3. Apply this modified policy back to the S3 bucket:
+
+```bash
+aws s3api put-bucket-policy --bucket --policy file://policy.json
+```
+
+### Default Value:
+
+Both HTTP and HTTPS requests are allowed.
diff --git a/cis_v400/docs/cis_v400_2_1_2.md b/cis_v400/docs/cis_v400_2_1_2.md
new file mode 100644
index 00000000..203405aa
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_1_2.md
@@ -0,0 +1,21 @@
+## Description
+
+Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.
+
+Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.
+
+## Remediation
+
+Perform the steps below to enable MFA delete on an S3 bucket.
+
+**Note:**
+- You cannot enable MFA Delete using the AWS Management Console; you must use the AWS CLI or API.
+- You must use your 'root' account to enable MFA Delete on S3 buckets.
+
+### From Command line:
+
+1. Run the s3ap put-bucket-versioning command
+
+```bash
+aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_2_1_3.md b/cis_v400/docs/cis_v400_2_1_3.md
new file mode 100644
index 00000000..3fe3397b
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_1_3.md
@@ -0,0 +1,44 @@
+## Description
+
+Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Macie, along with other third-party tools, can automatically provide an inventory of Amazon S3 buckets.
+
+Using a cloud service or third-party software to continuously monitor and automate the process of data discovery and classification for S3 buckets through machine learning and pattern matching is a strong defense in protecting that information.
+
+Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
+
+## Remediation
+
+Perform the steps below to enable and configure Amazon Macie:
+
+### From Console:
+
+1. Log on to the Macie console at https://console.aws.amazon.com/macie/
+2. Click `Get started`.
+3. Click `Enable Macie`.
+
+Setup a repository for sensitive data discovery results
+
+1. In the Left pane, under Settings, click `Discovery results`.
+2. Make sure `Create bucket` is selected.
+3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
+4. Click on `Advanced`.
+5. For block all public access, make sure `Yes` is selected.
+6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
+7. Click on `Save`.
+
+Create a job to discover sensitive data:
+
+1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.
+2. Check the box for each bucket that you want Macie to analyze as part of the job.
+3. Click `Create job`.
+4. Click `Quick create`.
+5. For the Name and description step, enter a name and, optionally, a description of the job.
+6. Click `Next`.
+7. For the Review and create step, click `Submit`.
+
+Review your findings
+
+1. In the left pane, click `Findings`.
+2. To view the details of a specific finding, choose any field other than the check box for the finding.
+
+If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.
diff --git a/cis_v400/docs/cis_v400_2_1_4.md b/cis_v400/docs/cis_v400_2_1_4.md
new file mode 100644
index 00000000..2f62866d
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_1_4.md
@@ -0,0 +1,55 @@
+## Description
+
+Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.
+
+Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s).
+
+Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.
+
+Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.
+
+## Remediation
+
+### If utilizing Block Public Access (bucket settings)
+
+### From Console:
+
+1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
+2. Select the Check box next to the Bucket.
+3. Click on 'Edit public access settings'.
+4. Click 'Block all public access'.
+5. Repeat for all the buckets in your AWS account that contain sensitive data.
+
+### From Command Line:
+
+1. List all of the S3 Buckets
+
+```bash
+aws s3 ls
+```
+
+2. Set the public access to true on that bucket
+
+```bash
+aws s3api put-public-access-block --bucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+```
+
+### If utilizing Block Public Access (account settings)
+
+### From Console:
+
+If the output reads `true` for the separate configuration settings then it is set on the account.
+
+1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
+2. Choose `Block Public Access (account settings)`.
+3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account.
+4. Update the settings and click `Save`. For details about each setting, pause on the `i` icons.
+5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.
+
+### From Command Line:
+
+To set Block Public access settings for the account, run the following command:
+
+```bash
+aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id
+```
diff --git a/cis_v400/docs/cis_v400_2_2.md b/cis_v400/docs/cis_v400_2_2.md
new file mode 100644
index 00000000..9c7967af
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_2.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS Relational Database Services (RDS).
diff --git a/cis_v400/docs/cis_v400_2_2_1.md b/cis_v400/docs/cis_v400_2_2_1.md
new file mode 100644
index 00000000..327d38ee
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_2_1.md
@@ -0,0 +1,69 @@
+## Description
+
+Amazon RDS encrypted DB instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and the decryption of your data transparently, with minimal impact on performance.
+
+Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
+2. In the left navigation panel, click on `Databases`.
+3. Select the Database instance that needs to be encrypted.
+4. Click on `Actions` button placed at the top right and select `Take Snapshot`.
+5. On the Take Snapshot page, enter the name of the database for which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`.
+6. Select the newly created snapshot, click the `Action` button placed at the top right, and select `Copy snapshot` from the Action menu.
+7. On the Make Copy of DB Snapshot page, perform the following:
+- In the `New DB Snapshot Identifier` field, Enter a name for the `new snapshot`.
+- Check `Copy Tags`, New snapshot must have the same tags as the source snapshot.
+- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.
+8. Click `Copy Snapshot` to create an encrypted copy of the selected instance's snapshot.
+9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right. Then, select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance.
+10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
+11. Review the instance configuration details and click `Restore DB Instance`.
+12. As the new instance provisioning process is completed, you can update the application configuration to refer to the endpoint of the new encrypted database instance. Once the database endpoint is changed at the application level, you can remove the unencrypted instance.
+
+### From Command Line:
+
+1. Run the `describe-db-instances` command to list the names of all RDS database instances in the selected AWS region. The command output should return database instance identifiers:
+
+```bash
+aws rds describe-db-instances --region --query 'DBInstances[*].DBInstanceIdentifier'
+```
+
+2. Run the `create-db-snapshot` command to create a snapshot for a selected database instance. The command output will return the `new snapshot` with name DB Snapshot Name:
+
+```bash
+aws rds create-db-snapshot --region --db-snapshot-identifier --db-instance-identifier
+```
+
+3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption the activation process, locate the ID of the AWS default KMS key:
+
+```bash
+aws kms list-aliases --region
+```
+
+4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot. The command output will return the `encrypted instance snapshot configuration`:
+
+```bash
+aws rds copy-db-snapshot --region --source-db-snapshot-identifier --target-db-snapshot-identifier --copy-tags --kms-key-id
+```
+
+5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance. If successful, the command output should return the configuration of the new encrypted database instance:
+
+```bash
+aws rds restore-db-instance-from-db-snapshot --region --db-instance-identifier --db-snapshot-identifier
+```
+
+6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, output will return database instance identifier name. Select encrypted database name that we just created DB-Name-Encrypted:
+
+```bash
+aws rds describe-db-instances --region --query 'DBInstances[*].DBInstanceIdentifier'
+```
+
+7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, the command output should return the encryption status True:
+
+```bash
+aws rds describe-db-instances --region --db-instance-identifier --query 'DBInstances[*].StorageEncrypted'
+```
diff --git a/cis_v400/docs/cis_v400_2_2_2.md b/cis_v400/docs/cis_v400_2_2_2.md
new file mode 100644
index 00000000..8fae847a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_2_2.md
@@ -0,0 +1,41 @@
+## Description
+
+Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.
+
+AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.
+
+## Remediation
+
+### From Console:
+
+1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
+2. In the left navigation panel, click on `Databases`.
+3. Select the RDS instance that wants to update.
+4. Click on the `Modify` button placed on the top right side.
+5. On the `Modify DB Instance`:`` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button.
+6. At the bottom of the page click on `Continue`, check to `Apply Immediately` to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime.
+7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.
+
+### From Command Line:
+
+1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region:
+
+```bash
+aws rds describe-db-instances --region --query 'DBInstances[*].DBInstanceIdentifier'
+```
+
+2. The command output should return each database instance identifier.
+3. Run the `modify-db-instance` command to modify the configuration of a selected RDS instance. This command will apply the changes immediately. Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime:
+
+```bash
+aws rds modify-db-instance --region --db-instance-identifier --auto-minor-version-upgrade --apply-immediately
+```
+
+4. The command output should reveal the new configuration metadata for the RDS instance, including the `AutoMinorVersionUpgrade` parameter value.
+5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enabled:
+
+```bash
+aws rds describe-db-instances --region --db-instance-identifier --query 'DBInstances[*].AutoMinorVersionUpgrade'
+```
+
+6. The command output should return the feature's current status set to `true`, indicating that the feature is `enabled`, and that the minor engine upgrades will be applied to the selected RDS instance.
diff --git a/cis_v400/docs/cis_v400_2_2_3.md b/cis_v400/docs/cis_v400_2_2_3.md
new file mode 100644
index 00000000..d90bb933
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_2_3.md
@@ -0,0 +1,46 @@
+## Description
+
+Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.
+
+Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.
+
+## Remediation
+
+### From Console:
+
+1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
+2. Under the navigation panel, On RDS Dashboard, click `Databases`.
+3. Select the RDS instance that you want to update.
+4. Click `Modify` from the dashboard top menu.
+5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to `Not publicly accessible` to restrict public access.
+6. Follow the below steps to update subnet configurations:
+- Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section.
+- Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value.
+- On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`.
+- On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes.
+7. On the Modify DB Instance panel, click `Continue`, and in the Scheduling of modifications section, perform one of the following actions based on your requirements:
+- Select `Apply during the next scheduled maintenance window` to apply the changes automatically during the next scheduled maintenance window.
+- Select `Apply immediately` to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also
+applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.
+8. Repeat steps 3-7 for each RDS instance in the current region.
+9. Change the AWS region from the navigation bar to repeat the process for other regions.
+
+### From Command Line:
+
+1. Run the `describe-db-instances` command to list all available RDS database identifiers in the selected AWS region:
+
+```bash
+aws rds describe-db-instances --region --query 'DBInstances[*].DBInstanceIdentifier'
+```
+
+2. The command output should return each database instance identifier.
+3. Run the `modify-db-instance` command to modify the configuration of a selected RDS instance, disabling the `Publicly Accessible` flag for that instance. This command uses the `apply-immediately` flag. If you want to avoid any downtime, the `--no-apply-immediately` flag can be used:
+
+```bash
+aws rds modify-db-instance --region --db-instance-identifier --no-publicly-accessible --apply-immediately
+```
+
+4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time.
+5. Updating the Internet Gateway destination via the AWS CLI is not currently supported. To update information about the Internet Gateway, please use the AWS Console procedure.
+6. Repeat steps 1-5 for each RDS instance provisioned in the current region.
+7. Change the AWS region by using the --region filter to repeat the process for other regions.
diff --git a/cis_v400/docs/cis_v400_2_2_4.md b/cis_v400/docs/cis_v400_2_2_4.md
new file mode 100644
index 00000000..70bfbe7b
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_2_4.md
@@ -0,0 +1,37 @@
+## Description
+
+Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity.
+
+Database availability is crucial for maintaining service uptime, particularly for applications that are critical to the business. Implementing Multi-AZ deployments with Amazon RDS ensures that your databases are protected against unplanned outages due to hardware failures, network issues, or other disruptions. This configuration enhances both the availability and durability of your database, making it a highly recommended practice for production environments
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Management Console and open the RDS dashboard at [AWS RDS Console](https://us-east-1.console.aws.amazon.com/rds?region=us-east-1).
+2. In the left navigation pane, click on `Databases`.
+3. Select the database instance that needs Multi-AZ deployment to be enabled.
+4. Click the `Modify` button at the top right.
+5. Scroll down to the `Availability & Durability` section.
+6. Under `Multi-AZ deployment`, select `Yes` to enable.
+7. Review the changes and click `Continue`.
+8. On the `Review` page, choose `Apply immediately` to make the change without waiting for the next maintenance window, or `Apply during the next scheduled maintenance window`.
+9. Click` Modify DB Instance` to apply the changes.
+
+### From Command Line:
+
+1. Run the following command to modify the RDS instance and enable Multi-AZ:
+
+```bash
+aws rds modify-db-instance --region --db-instance- identifier --multi-az --apply-immediately
+```
+
+2. 
Confirm that the Multi-AZ deployment is enabled by running the following command:
+
+```bash
+aws rds describe-db-instances --region --db-instance- identifier --query 'DBInstances[*].MultiAZ'
+```
+
+- The output should return True, indicating that Multi-AZ is enabled.
+
+3. Repeat the procedure for other instances as necessary.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_2_3.md b/cis_v400/docs/cis_v400_2_3.md
new file mode 100644
index 00000000..e9c17362
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_3.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring Elastic File System (EFS).
diff --git a/cis_v400/docs/cis_v400_2_3_1.md b/cis_v400/docs/cis_v400_2_3_1.md
new file mode 100644
index 00000000..2a18cf17
--- /dev/null
+++ b/cis_v400/docs/cis_v400_2_3_1.md
@@ -0,0 +1,69 @@
+## Description
+
+EFS data should be encrypted at rest using AWS KMS (Key Management Service).
+
+Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.
+
+## Remediation
+
+**It is important to note that EFS file system data-at-rest encryption must be turned on when creating the file system. If an EFS file system has been created without data-at-rest encryption enabled, then you must create another EFS file system with the correct configuration and transfer the data.**
+
+**Steps to create an EFS file system with data encrypted at rest:**
+
+### From Console:
+
+1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard.
+2. Select `File Systems` from the left navigation panel.
+3. Click `Create File System` button from the dashboard top menu to start the file system setup process.
+4. On the `Configure file system access` configuration page, perform the following actions.
+- Choose an appropriate VPC from the VPC dropdown list.
+- Within the `Create mount targets` section, check the boxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets.
+- Click `Next step` to continue.
+5. Perform the following on the `Configure optional settings` page.
+- Create `tags` to describe your new file system.
+- Choose `performance mode` based on your requirements.
+- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from `Select KMS master key `dropdown list to enable encryption for the new file system, using the default master key provided and managed by AWS KMS.
+- Click `Next step` to continue.
+6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system.
+7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.
+8. 
Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed.
+9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.
+
+
+### From CLI:
+
+1. Run the `describe-file-systems` command to view the configuration information for the selected unencrypted file system identified in the Audit steps:
+
+```bash
+aws efs describe-file-systems --region --file-system-id
+```
+
+2. The command output should return the requested configuration information.
+3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) to create the token required by the `create-file-system` command. To create the required token, you can use a randomly generated UUID from "https://www.uuidgenerator.net".
+4. Run the `create-file-system` command using the unique token created at the previous step:
+
+```bash
+aws efs create-file-system --region --creation-token --performance-mode generalPurpose --encrypted
+```
+
+5. The command output should return the new file system configuration metadata.
+6. Run the `create-mount-target` command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target:
+
+```bash
+aws efs create-mount-target --region --file-system-id --subnet-id
+```
+
+7. The command output should return the new mount target metadata.
+8. Now you can mount your file system from an EC2 instance.
+9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.
+10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed:
+
+```bash
+aws efs delete-file-system --region --file-system-id
+```
+
+11. Change the AWS region by updating the --region and repeat the entire process for the other AWS regions.
+
+### Default Value:
+
+EFS file system data is encrypted at rest by default when creating a file system through the Console. However, encryption at rest is not enabled by default when creating a new file system using the AWS CLI, API, or SDKs.
diff --git a/cis_v400/docs/cis_v400_3.md b/cis_v400/docs/cis_v400_3.md
new file mode 100644
index 00000000..6c1d7db9
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS logging features.
diff --git a/cis_v400/docs/cis_v400_3_1.md b/cis_v400/docs/cis_v400_3_1.md
new file mode 100644
index 00000000..3caf5a0a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_1.md
@@ -0,0 +1,47 @@
+## Description
+
+AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
+
+The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
+- ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
+- ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services
+- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account
+
+## Remediation
+
+Perform the following to enable global (Multi-region) CloudTrail logging:
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.
+2. Click on `Trails` on the left navigation pane.
+3. Click `Get Started Now`, if presented.
+- Click `Add new trail`.
+- Enter a trail name in the `Trail name` box.
+- A trail created in the console is a multi-region trail by default.
+- Specify an S3 bucket name in the `S3 bucket` box.
+- Specify the AWS KMS alias under the `Log file SSE-KMS encryption` section or create a new key.
+- Click `Next`.
+4. Ensure `Management events` check box is selected.
+5. Ensure both `Read` and `Write` are check under API activity.
+6. Click `Next`.
+7. 
Review your trail settings and click`Create trail`
+
+### From Command Line:
+
+Create a multi-region trail:
+
+```bash
+aws cloudtrail create-trail --name --bucket-name --is-multi-region-trail
+```
+Enable multi-region on an existing trail:
+
+```bash
+aws cloudtrail update-trail --name --is-multi-region-trail
+```
+
+**Note:**. Creating a CloudTrail trail via the CLI without providing any overriding options configures all `read` and `write Management Events` to be logged by default.
+
+### Default Value:
+
+Not Enabled.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_2.md b/cis_v400/docs/cis_v400_3_2.md
new file mode 100644
index 00000000..b32a83e4
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_2.md
@@ -0,0 +1,36 @@
+## Description
+
+CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
+
+Enabling log file validation will provide additional integrity checking of CloudTrail logs.
+
+## Remediation
+
+Perform the following to enable log file validation on a given trail:
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.
+2. Click on `Trails` on the left navigation pane.
+3. Click on target trail.
+4. With in the `General details` section click `edit`.
+5. Under `Advanced settings`, check the `enable` box under `Log file validation`.
+6. Click `Save changes`.
+
+### From Command Line:
+
+Enable log file validation on a trail:
+
+```bash
+aws cloudtrail update-trail --name --enable-log-file-validation
+```
+
+Note that periodic validation of logs using these digests can be carried out by running the following command:
+
+```bash
+aws cloudtrail validate-logs --trail-arn --start-time --end-time
+```
+
+### Default Value:
+
+Not Enabled.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_3.md b/cis_v400/docs/cis_v400_3_3.md
new file mode 100644
index 00000000..8e16b3a5
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_3.md
@@ -0,0 +1,54 @@
+## Description
+
+AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration items (AWS resources), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.
+
+The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.
+
+## Remediation
+
+To implement AWS Config configuration:
+
+### From Console:
+
+1. Select the region you want to focus on in the top right of the console.
+2. Click `Services`.
+3. Click `Config`.
+4. If a Config Recorder is enabled in this region, navigate to the Settings page from the navigation menu on the left-hand side. If a Config Recorder is not yet enabled in this region, select "Get Started".
+5. Select "Record all resources supported in this region".
+6. Choose to include global resources (IAM resources).
+7. Specify an S3 bucket in the same account or in another managed AWS account.
+8. Create an SNS Topic from the same AWS account or another managed AWS account.
+
+### From Command Line:
+
+1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS +Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).
+2. Run this command to create a new configuration recorder:
+
+```bash
+aws configservice put-configuration-recorder --configuration-recordername=,roleARN=arn:aws:iam:::role/ --recording-group allSupported=true,includeGlobalResourceTypes=true
+```
+
+3. 
Create a delivery channel configuration file locally which specifies the channel attributes, populated from the prerequisites set up previously:
+
+```bash
+{
+ "name": "",
+ "s3BucketName": "",
+ "snsTopicARN": "arn:aws:sns:::",
+ "configSnapshotDeliveryProperties":{
+ "deliveryFrequency": "Twelve_Hours"
+ }
+}
+```
+
+4. Run this command to create a new delivery channel, referencing the json configuration file made in the previous step:
+
+```bash
+aws configservice put-delivery-channel --delivery-channel file://.json
+```
+5. Start the configuration recorder by running the following command:
+
+```bash
+aws configservice start-configuration-recorder --configuration-recorder-name
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_4.md b/cis_v400/docs/cis_v400_3_4.md
new file mode 100644
index 00000000..d03a8227
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_4.md
@@ -0,0 +1,59 @@
+## Description
+
+S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
+
+By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.
+
+## Remediation
+
+Perform the following to enable server access logging:
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
+2. Under `All Buckets` click on the target S3 bucket.
+3. Click on `Properties` in the top right of the console.
+4. Under `Bucket`: `` click on Logging.
+5. Configure bucket logging
+ - Click on the `Enabled` checkbox.
+ - Select Target Bucket from list.
+ - Enter a Target Prefix.
+6. Click `Save`.
+
+### From Command Line:
+
+1. Get the name of the S3 bucket that CloudTrail is logging to:
+
+```bash
+aws cloudtrail describe-trails --region --query trailList[*].S3BucketName
+```
+
+2. Copy and add the target bucket name at ``, the prefix for the log file at ``, and optionally add an email address in the following template, then save it as `.json:`
+
+```bash
+{
+ "LoggingEnabled":{
+ "TargetBucket": "",
+ "TargetPrefix": "",
+ "TargetGrants":[
+ {
+ "Grantee":{
+ "Type": "AmazonCustomerByEmail",
+ "EmailAddress": ""
+ },
+ "Permission": "FULL_CONTROL"
+ }
+ ]
+ }
+}
+```
+
+3. 
Run the `put-bucket-logging` command with bucket name and `` as input; for more information refer to [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):
+
+```bash
+aws s3api put-bucket-logging --bucket --bucket-logging-status file://.json
+```
+
+### Default Value:
+
+Logging is disabled.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_5.md b/cis_v400/docs/cis_v400_3_5.md
new file mode 100644
index 00000000..8ebd193f
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_5.md
@@ -0,0 +1,37 @@
+## Description
+
+AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
+
+Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
+
+## Remediation
+
+Perform the following to configure CloudTrail to use SSE-KMS:
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
+2. In the left navigation pane, choose `Trails` .
+3. Click on a Trail
+4. Under the `S3` section click on the edit button (pencil icon).
+5. Click `Advanced`.
+6. Select an existing CMK from the `KMS key Id` drop-down menu
+- Note: Ensure the CMK is located in the same region as the S3 bucket.
+- Note: You will need to apply a KMS key policy on the selected CMK in order for CloudTrail, as a service, to encrypt and decrypt log files using the CMK provided. View the AWS documentation for [editing the selected CMK Key policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html).
+7. Click `Save`.
+8. You will see a notification message stating that you need to have decryption permissions on the specified KMS key to decrypt log files.
+9. Click `Yes`.
+
+### From Command Line:
+
+Run the following command to specify a KMS key ID to use with a trail:
+
+```bash
+aws cloudtrail update-trail --name --kms-id
+```
+
+Run the following command to attach a key policy to a specified KMS key:
+
+```bash
+aws kms put-key-policy --key-id --policy
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_6.md b/cis_v400/docs/cis_v400_3_6.md
new file mode 100644
index 00000000..bdd176fc
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_6.md
@@ -0,0 +1,25 @@
+## Description
+
+AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the customercreated customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.
+
+Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.
+
+## Remediation
+
+### From Console:
+
+1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms.
+2. In the left navigation pane, click `Customer-managed keys`.
+3. Select a customer-managed CMK where `Key spec = SYMMETRIC_DEFAULT.`
+4. Select the `Key rotation` tab.
+5. Ensure the `Automatically rotate this KMS key every year` box is checked.
+6. Click `Save`.
+7. Repeat steps 3–6 for all customer-managed CMKs that do not have automatic rotation enabled.
+
+### From Command Line:
+
+1. Run the following command to enable key rotation:
+
+```bash
+aws kms enable-key-rotation --key-id
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_7.md b/cis_v400/docs/cis_v400_3_7.md
new file mode 100644
index 00000000..ac35770c
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_7.md
@@ -0,0 +1,102 @@
+## Description
+
+VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
+
+VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
+
+## Remediation
+
+Perform the following to enable VPC Flow Logs:
+
+### From Console:
+
+1. Sign into the management console.
+2. Select `Services` then `VPC`.
+3. In the left navigation pane, select `Your VPCs`.
+4. Select a VPC.
+5. In the right pane, select the `Flow Logs` tab.
+6. If no Flow Log exists, click `Create Flow Log`.
+7. For Filter, select `Reject`.
+8. Enter a `Role` and `Destination Log Group`.
+9. Click `Create Log Flow`.
+10. Click on `CloudWatch Logs Group`.
+
+**Note:** Setting the filter to "Reject" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to "All" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.
+
+### From Command Line:
+
+1. Create a policy document, name it `role_policy_document.json`, and paste the following content:
+
+```bash
+{
+ "Version": "2012-10-17",
+ "Statement":[
+ {
+ "Sid": "test",
+ "Effect": "Allow",
+ "Principal":{
+ "Service": "ec2.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
+```
+2. 
Create another policy document, name it `iam_policy.json`, and paste the following content:
+
+```bash
+{
+"Version": "2012-10-17",
+"Statement":
+[
+ {
+ "Effect": "Allow",
+ "Action":[
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ "logs:GetLogEvents",
+ "logs:FilterLogEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+3. Run the following command to create an IAM role:
+
+```bash
+aws iam create-role --role-name --assume-role-policy-document file://role_policy_document.json
+```
+
+4. Run the following command to create an IAM policy:
+
+```bash
+aws iam create-policy --policy-name --policy-document file://iam-policy.json
+```
+
+5. Run the `attach-group-policy` command, using the IAM policy ARN returned from the previous step to attach the policy to the IAM role:
+
+```bash
+aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name
+```
+If the command succeeds, no output is returned.
+
+6. Run the `describe-vpcs` command to get a list of VPCs in the selected region:
+
+```bash
+aws ec2 describe-vpcs --region
+```
+
+The command output should return a list of VPCs in the selected region.
+
+7. Run the `create-flow-logs` command to create a flow log for a VPC:
+
+```bash
+aws ec2 create-flow-logs --resource-type VPC --resource-ids --traffic-type REJECT --log-group-name --deliver-logs-permission-arn
+```
+8. Repeat step 7 for other VPCs in the selected region.
+9. Change the region by updating --region, and repeat the remediation procedure for each region.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_3_8.md b/cis_v400/docs/cis_v400_3_8.md
new file mode 100644
index 00000000..fffeb92e
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_8.md
@@ -0,0 +1,31 @@
+## Description
+
+S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
+
+Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
+2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.
+3. Click the `Properties` tab to see the bucket configuration in detail.
+4. In the `AWS CloudTrail data events` section, select the trail name for recording activity. You can choose an existing trail or create a new one by clicking the `Configure in CloudTrail` button or navigating to the [CloudTrail console.](ttps://console.aws.amazon.com/cloudtrail/)
+5. Once the trail is selected, select the `Data Events` check box.
+6. Select `S3` from the `Data event type` drop-down.
+7. Select `Log all events` from the `Log selector template` drop-down.
+8. Repeat steps 2-7 to enable object-level logging of write events for other S3 buckets.
+
+### From Command Line:
+
+1. To enable `object-level` data events logging for S3 buckets within your AWS account, run the `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:
+
+```bash
+aws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::/"] }] }]'
+```
+
+2. 
The command output will be `object-level` event trail configuration.
+3. If you want to enable it for all buckets at once then change Values parameter to `["arn:aws:s3"]` in command given above.
+4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.
+5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.
diff --git a/cis_v400/docs/cis_v400_3_9.md b/cis_v400/docs/cis_v400_3_9.md
new file mode 100644
index 00000000..74e0a606
--- /dev/null
+++ b/cis_v400/docs/cis_v400_3_9.md
@@ -0,0 +1,31 @@
+## Description
+
+S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
+
+Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
+2. In the left navigation panel, click `buckets` and then click the name of the S3 bucket that you want to examine.
+3. Click the `Properties` tab to see the bucket configuration in detail.
+4. In the `AWS Cloud Trail data events` section, select the trail name for recording activity. You can choose an existing trail or create a new one by clicking the `Configure in CloudTrail` button or navigating to the [CloudTrail console.](https://console.aws.amazon.com/cloudtrail/)
+5. Once the trail is selected, select the `Data Events` check box.
+6. Select `S3` from the `Data event type` drop-down.
+7. Select `Log all events` from the `Log selector template` drop-down.
+8. Repeat steps 2-7 to enable object-level logging of read events for other S3 buckets.
+
+### From Command Line:
+
+1. To enable `object-level` data events logging for S3 buckets within your AWS account, run the `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:
+
+```bash
+aws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::/"] }] }]'
+```
+
+2. 
The command output will be `object-level` event trail configuration.
+3. If you want to enable it for all buckets at once, change the Values parameter to `["arn:aws:s3"]` in the previous command.
+4. Repeat step 1 for each s3 bucket to update object-level logging of read events.
+5. Change the AWS region by updating the `--region` command parameter, and perform the process for the other regions.
diff --git a/cis_v400/docs/cis_v400_4.md b/cis_v400/docs/cis_v400_4.md
new file mode 100644
index 00000000..56fd83db
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4.md
@@ -0,0 +1,5 @@
+## Overview
+
+This section contains recommendations for configuring AWS to assist with monitoring and responding to account activities.
+
+Metric filter-related recommendations in this section are dependent on the `Ensure CloudTrail is enabled in all regions` and `Ensure CloudTrail trails are integrated with CloudWatch Logs` recommendations in the "Logging" section.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_1.md b/cis_v400/docs/cis_v400_4_1.md
new file mode 100644
index 00000000..9cd4f13d
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_1.md
@@ -0,0 +1,44 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for unauthorized API calls.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail logs can also be sent to an external Security Information and Event Management (SIEM) environment for monitoring and alerting.
+
+Monitoring unauthorized API calls will help reduce time to detect malicious activity and can alert you to a potential security incident.
+
+## Remediation
+
+If you are using CloudTrail trails and CloudWatch, perform the following steps to set up the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name "cloudtrail_log_group_name" --filter-name "" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricV alue=1 --filter-pattern "{ ($.errorCode ="*UnauthorizedOperation") || ($.errorCode ="AccessDenied*") && ($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket") }"
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+**Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.
+
+3. 
Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name "unauthorized_api_calls_alarm" --metric-name "unauthorized_api_calls_metric" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_10.md b/cis_v400/docs/cis_v400_4_10.md
new file mode 100644
index 00000000..8076c48b
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_10.md
@@ -0,0 +1,44 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.
+
+It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.
+
+Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name "" -- filter-name "" --metric-transformations metricName= "" ,metricNamespace="CISBenchmark",metricValue=1 --filter-pattern "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name
+"" --metric-name "" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 -- namespace "CISBenchmark" --alarm-actions ""
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_11.md b/cis_v400/docs/cis_v400_4_11.md
new file mode 100644
index 00000000..64829564
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_11.md
@@ -0,0 +1,41 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 -- filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` -- metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation- periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_12.md b/cis_v400/docs/cis_v400_4_12.md
new file mode 100644
index 00000000..881324cb
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_12.md
@@ -0,0 +1,41 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation- periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
diff --git a/cis_v400/docs/cis_v400_4_13.md b/cis_v400/docs/cis_v400_4_13.md
new file mode 100644
index 00000000..00df08bc
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_13.md
@@ -0,0 +1,41 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path and prevent any accidental or intentional modifications that may lead to uncontrolled network traffic. An alarm should be triggered every time an AWS API call is performed to create, replace, delete, or disassociate a Route Table.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 - -threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_14.md b/cis_v400/docs/cis_v400_4_14.md
new file mode 100644
index 00000000..6fcfa32a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_14.md
@@ -0,0 +1,41 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+VPCs in AWS are logically isolated virtual networks that can be used to launch AWS resources. Monitoring changes to VPC configuration will help ensure VPC traffic flow is not getting impacted. Changes to VPCs can impact network accessibility from the public internet and additionally impact VPC traffic flow to and from resources launched in the VPC.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 -- filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` -- metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_15.md b/cis_v400/docs/cis_v400_4_15.md
new file mode 100644
index 00000000..74cb43a8
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_15.md
@@ -0,0 +1,41 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1:
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 -- filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify:
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2:
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2:
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` -- metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation- periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_16.md b/cis_v400/docs/cis_v400_4_16.md
new file mode 100644
index 00000000..d4004def
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_16.md
@@ -0,0 +1,32 @@
+## Description
+
+Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.
+
+AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.
+
+## Remediation
+
+To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.
+
+Enabling Security Hub
+
+### From Console:
+
+1. Use the credentials of the IAM identity to sign in to the Security Hub console.
+2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub.
+3. On the welcome page, Security standards list the security standards that Security Hub supports.
+4. Choose Enable Security Hub.
+
+### From Command Line:
+
+1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`.
+
+```bash
+aws securityhub enable-security-hub --enable-default-standards
+```
+
+2. To enable the security hub without the default standards, include `--no-enable-default-standards`.
+
+```bash
+aws securityhub enable-security-hub --no-enable-default-standards
+```
diff --git a/cis_v400/docs/cis_v400_4_2.md b/cis_v400/docs/cis_v400_4_2.md
new file mode 100644
index 00000000..ede9c62e
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_2.md
@@ -0,0 +1,52 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA. These type of accounts are more susceptible to compromise and unauthorized access.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.
+
+Use Command:
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
+```
+
+Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):
+
+```bash
+aws logs put-metric-filter --log-group-name --
+filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_3.md b/cis_v400/docs/cis_v400_4_3.md
new file mode 100644
index 00000000..37db7e78
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_3.md
@@ -0,0 +1,43 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for 'root' login attempts to detect the unauthorized use, or attempts to use the root account.
+
+Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.
+
+Cloud Watch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name `` -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter- pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` --metric- name `` --statistic Sum --period 300 --threshold 1 -- comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 -- namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_4.md b/cis_v400/docs/cis_v400_4_4.md
new file mode 100644
index 00000000..208fb0e7
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_4.md
@@ -0,0 +1,43 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name `` -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 -- filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventNa me=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolic y)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=Del etePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersi on)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.event Name=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGr oupPolicy)||($.eventName=DetachGroupPolicy)}'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` -- metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_5.md b/cis_v400/docs/cis_v400_4_5.md
new file mode 100644
index 00000000..90ac836a
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_5.md
@@ -0,0 +1,42 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, where metric filters and alarms can be established.
+
+It is recommended that a metric filter and alarm be utilized for detecting changes to CloudTrail's configurations.
+
+Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name
+`` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 -- namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_6.md b/cis_v400/docs/cis_v400_4_6.md
new file mode 100644
index 00000000..5ef21d9e
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_6.md
@@ -0,0 +1,44 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for failed console authentication attempts.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP address, that can be used in other event correlation.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. 
Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name
+`` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 -- namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_7.md b/cis_v400/docs/cis_v400_4_7.md
new file mode 100644
index 00000000..43c3f9dd
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_7.md
@@ -0,0 +1,43 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Data encrypted with disabled or deleted keys will no longer be accessible. Changes in the state of a CMK should be monitored to make sure the change is intentional.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric- transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. 
Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation- periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_8.md b/cis_v400/docs/cis_v400_4_8.md
new file mode 100644
index 00000000..0f54c21f
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_8.md
@@ -0,0 +1,43 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. 
Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_4_9.md b/cis_v400/docs/cis_v400_4_9.md
new file mode 100644
index 00000000..2fa14732
--- /dev/null
+++ b/cis_v400/docs/cis_v400_4_9.md
@@ -0,0 +1,43 @@
+## Description
+
+Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms.
+
+It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations.
+
+Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.
+
+CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail Logs can also be sent to an external Security information and event management (SIEM) environment for monitoring and alerting.
+
+## Remediation
+
+If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
+
+1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1.
+
+```bash
+aws logs put-metric-filter --log-group-name -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'
+```
+
+**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
+
+2. Create an SNS topic that the alarm will notify
+
+```bash
+aws sns create-topic --name
+```
+
+**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
+
+3. 
Create an SNS subscription to the topic created in step 2
+
+```bash
+aws sns subscribe --topic-arn --protocol --notification-endpoint
+```
+
+**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
+
+4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
+
+```bash
+aws cloudwatch put-metric-alarm --alarm-name `` - -metric-name `` --statistic Sum --period 300 -- threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation- periods 1 --namespace 'CISBenchmark' --alarm-actions
+```
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_5.md b/cis_v400/docs/cis_v400_5.md
new file mode 100644
index 00000000..1505b8ee
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for AWS networking configuration.
diff --git a/cis_v400/docs/cis_v400_5_1.md b/cis_v400/docs/cis_v400_5_1.md
new file mode 100644
index 00000000..32f798c6
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_1.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS Elastic Compute Cloud(EC2).
diff --git a/cis_v400/docs/cis_v400_5_1_1.md b/cis_v400/docs/cis_v400_5_1_1.md
new file mode 100644
index 00000000..15fe85a5
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_1_1.md
@@ -0,0 +1,31 @@
+## Description
+
+Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
+
+Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
+
+## Remediation
+
+### From Console:
+
+1. Log in to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
+2. Under `Account attributes`, click `EBS encryption`.
+3. Click `Manage`.
+4. Click the `Enable` checkbox.
+5. Click `Update EBS encryption`
+6. Repeat for each region in which EBS volume encryption is not enabled by default.
+
+**Note**: EBS volume encryption is configured per region.
+
+### From Command Line:
+
+1. Run the following command:
+
+```bash
+aws --region ec2 enable-ebs-encryption-by-default.
+```
+
+2. Verify that `EbsEncryptionByDefault`: `true` is displayed.
+3. Repeat for each region in which EBS volume encryption is not enabled by default.
+
+**Note**: EBS volume encryption is configured per region.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_5_1_2.md b/cis_v400/docs/cis_v400_5_1_2.md
new file mode 100644
index 00000000..0bac4894
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_1_2.md
@@ -0,0 +1,34 @@
+## Description
+
+Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches.
+
+Allowing unrestricted CIFS access can lead to significant security vulnerabilities, as it may allow unauthorized users to access sensitive files and data. By restricting CIFS access to known and trusted networks, you can minimize the risk of unauthorized access and protect sensitive data from exposure to potential attackers. Implementing proper network access controls and permissions is essential for maintaining the security and integrity of your file-sharing systems.
+
+## Remediation
+
+### From Console:
+
+1. Login to the AWS Management Console.
+2. Navigate to the EC2 Dashboard and select the Security Groups section under `Network & Security`.
+3. Identify the security group that allows unrestricted ingress on port 445.
+4. Select the security group and click the `Edit Inbound Rules` button.
+5. Locate the rule allowing unrestricted access on port 445 (typically listed as `0.0.0.0/0` or `::/0`).
+6. Modify the rule to restrict access to specific IP ranges or trusted networks only.
+7. Save the changes to the security group.
+
+### From Command Line:
+
+1. Run the following command to remove or modify the unrestricted rule for CIFS access:
+
+```bash
+aws ec2 revoke-security-group-ingress --region --group-id --protocol tcp --port 445 --cidr 0.0.0.0/0
+```
+- Optionally, run the `authorise-security-group-ingress` command to create a new rule, specifying a trusted CIDR range instead of `0.0.0.0/0`.
+
+2. 
Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
+
+```bash
+aws ec2 describe-security-groups --region --group-ids --query 'SecurityGroups[*].IpPermissions[?FromPort==`445`].{CIDR:IpRanges[*].Ci drIp,Port:FromPort}'
+```
+
+3. Repeat the remediation for other security groups and regions as necessary.
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_5_2.md b/cis_v400/docs/cis_v400_5_2.md
new file mode 100644
index 00000000..06f8c07b
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_2.md
@@ -0,0 +1,20 @@
+## Description
+
+The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port `22` and RDP on port `3389`, using either the TCP (6), UDP (17), or ALL (-1) protocols.
+
+Public access to remote server administration ports, such as 22 (when used for SSH, not SFTP) and 3389, increases the attack surface of resources and unnecessarily raises the risk of resource compromise.
+
+## Remediation
+
+### From Console:
+
+Perform the following steps to remediate a network ACL:
+
+1. Login to the AWS VPC Console at https://console.aws.amazon.com/vpc/home.
+2. In the left pane, click `Network ACLs`.
+3. For each network ACL that needs remediation, perform the following:
+ - Select the network ACL.
+ - Click the `Inbound Rules` tab.
+ - Click `Edit inbound rules`.
+ - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule.
+ - Click `Save`.
diff --git a/cis_v400/docs/cis_v400_5_3.md b/cis_v400/docs/cis_v400_5_3.md
new file mode 100644
index 00000000..c8171d21
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_3.md
@@ -0,0 +1,19 @@
+## Description
+
+Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port `22` and RDP on port `3389`, using either the TCP (6), UDP (17), or ALL (-1) protocols.
+
+Public access to remote server administration ports, such as 22 (when used for SSH, not SFTP) and 3389, increases the attack surface of resources and unnecessarily raises the risk of resource compromise.
+
+## Remediation
+
+Perform the following to implement the prescribed state:
+
+1. Login to the AWS VPC Console at https://console.aws.amazon.com/vpc/home.
+2. In the left pane, click `Security Groups`.
+3. For each security group, perform the following:
+ - Select the security group.
+ - Click the `Inbound Rules` tab.
+ - Click the `Edit inbound rules` button.
+ - Identify the rules to be edited or removed.
+ - Either A) update the Source field to a range other than 0.0.0.0/0, or B) click `Delete` to remove the offending inbound rule.
+ - Click `Save rules.`
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_5_4.md b/cis_v400/docs/cis_v400_5_4.md
new file mode 100644
index 00000000..9315c4e3
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_4.md
@@ -0,0 +1,19 @@
+## Description
+
+Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port `22` and RDP on port `3389`.
+
+Public access to remote server administration ports, such as 22 (when used for SSH, not SFTP) and 3389, increases attack surface of resources and unnecessarily raises the risk of resource compromise.
+
+## Remediation
+
+Perform the following to implement the prescribed state:
+
+1. Login to the AWS VPC Console at https://console.aws.amazon.com/vpc/home.
+2. In the left pane, click `Security Groups`.
+3. For each security group to remediate, perform the following:
+ - Select the security group.
+ - Click the `Inbound Rules` tab.
+ - Click the `Edit inbound rules` button.
+ - Identify the rules to be edited or removed.
+ - Either A) update the Source field to a range other than ::/0, or B) Click `Delete` to remove the offending inbound rule.
+ - Click `Save rules`.
diff --git a/cis_v400/docs/cis_v400_5_5.md b/cis_v400/docs/cis_v400_5_5.md
new file mode 100644
index 00000000..f08cfbbd
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_5.md
@@ -0,0 +1,37 @@
+## Description
+
+A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If a security group is not specified when an instance is launched, it is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic, both inbound and outbound.
+
+The default VPC in every region should have its default security group updated to comply with the following:
+- No inbound rules.
+- No outbound rules.
+
+Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
+
+**NOTE:**When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly, as it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering by discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
+
+Configuring all VPC default security groups to restrict all traffic will encourage the development of least privilege security groups and promote the mindful placement of AWS resources into security groups, which will, in turn, reduce the exposure of those resources.
+
+## Remediation
+
+Perform the following to implement the prescribed state:
+Security Group Members
+
+1. Identify AWS resources that exist within the default security group.
+2. Create a set of least-privilege security groups for those resources.
+3. 
Place the resources in those security groups, removing the resources noted in step 1 from the default security group.
+
+Security Group State
+
+1. Login to the AWS VPC Console at https://console.aws.amazon.com/vpc/home.
+2. Repeat the following steps for all VPCs, including the default VPC in each AWS region:
+3. In the left pane, click `Security Groups`.
+4. For each default security group, perform the following:
+ - Select the `default` security group.
+ - Click the `Inbound Rule`s tab.
+ - Remove any inbound rules.
+ - Click the `Outbound Rules` tab.
+ - Remove any Outbound rules.
+
+### Recommended:
+IAM groups allow you to edit the "name" field. After remediating default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES."
\ No newline at end of file
diff --git a/cis_v400/docs/cis_v400_5_6.md b/cis_v400/docs/cis_v400_5_6.md
new file mode 100644
index 00000000..9735b5b5
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_6.md
@@ -0,0 +1,23 @@
+## Description
+
+Once a VPC peering connection is established, routing tables must be updated to enable any connections between the peered VPCs. These routes can be as specific as desired, even allowing for the peering of a VPC to only a single host on the other side of the connection.
+
+Being highly selective in peering routing tables is a very effective way to minimize the impact of a breach, as resources outside of these routes are inaccessible to the peered VPC.
+
+## Remediation
+
+Remove and add route table entries to ensure that the least number of subnets or hosts required to accomplish the purpose of peering are routable.
+
+### From Command Line:
+
+1. For each `` that contains routes that are non-compliant with your routing policy (granting more access than desired), delete the non-compliant route:
+
+```bash
+aws ec2 delete-route --route-table-id --destination-cidrblock
+```
+
+2. Create a new compliant route:
+
+```bash
+aws ec2 create-route --route-table-id --destination-cidrblock --vpc-peering-connection-id
+```
diff --git a/cis_v400/docs/cis_v400_5_7.md b/cis_v400/docs/cis_v400_5_7.md
new file mode 100644
index 00000000..edd736fb
--- /dev/null
+++ b/cis_v400/docs/cis_v400_5_7.md
@@ -0,0 +1,39 @@
+## Description
+
+When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).
+
+Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into [categories](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html), such as host name, events, and security groups.
+
+When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally stored EC2 instance metadata and credentials.
+
+Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.
+
+## Remediation
+
+### From Console:
+
+1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at (https://console.aws.amazon.com/ec2/)[https://console.aws.amazon.com/ec2/].
+2. In the left navigation panel, under the `INSTANCES` section, choose `Instances`.
+3. Select the EC2 instance that you want to examine.
+4. Choose `Actions > Instance Settings > Modify instance metadata options`.
+5. Set `Instance metadata service `to `Enable`.
+6. Set `IMDSv2` to `Required`.
+7. Repeat steps 1-6 to perform the remediation process for other EC2 instances in all applicable AWS region(s).
+
+### From Command Line:
+
+1. 
Run the `describe-instances` command, applying the appropriate filters to list the IDs of all existing EC2 instances currently available in the selected region:
+
+```bash
+aws ec2 describe-instances --region --output table --query "Reservations[*].Instances[*].InstanceId"
+```
+
+2. The command output should return a table with the requested instance IDs.
+3. Run the` modify-instance-metadata-options` command with an instance ID obtained from the previous step to update the Instance Metadata Version:
+
+```bash
+aws ec2 modify-instance-metadata-options --instance-id -- http-tokens required --region
+```
+
+4. Repeat steps 1-3 to perform the remediation process for other EC2 instances in the same AWS region.
+5. Change the region by updating `--region` and repeat the process for other regions.
\ No newline at end of file
diff --git a/cis_v400/section_1.pp b/cis_v400/section_1.pp
new file mode 100644
index 00000000..2d06c099
--- /dev/null
+++ b/cis_v400/section_1.pp
@@ -0,0 +1,346 @@
+locals {
+ cis_v400_1_common_tags = merge(local.cis_v400_common_tags, {
+ cis_section_id = "1"
+ })
+}
+
+benchmark "cis_v400_1" {
+ title = "1 Identity and Access Management"
+ documentation = file("./cis_v400/docs/cis_v400_1.md")
+ children = [
+ control.cis_v400_1_1,
+ control.cis_v400_1_2,
+ control.cis_v400_1_3,
+ control.cis_v400_1_4,
+ control.cis_v400_1_5,
+ control.cis_v400_1_6,
+ control.cis_v400_1_7,
+ control.cis_v400_1_8,
+ control.cis_v400_1_9,
+ control.cis_v400_1_10,
+ control.cis_v400_1_11,
+ control.cis_v400_1_12,
+ control.cis_v400_1_13,
+ control.cis_v400_1_14,
+ control.cis_v400_1_15,
+ control.cis_v400_1_16,
+ control.cis_v400_1_17,
+ control.cis_v400_1_18,
+ control.cis_v400_1_19,
+ control.cis_v400_1_20,
+ control.cis_v400_1_21,
+ control.cis_v400_1_22
+ ]
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_1_1" {
+ title = "1.1 Maintain current contact details"
+ description = "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization."
+ query = query.manual_control
+ documentation = file("./cis_v400/docs/cis_v400_1_1.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.1"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_2" {
+ title = "1.2 Ensure security contact information is registered"
+ description = "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
+ query = query.account_alternate_contact_security_registered
+ documentation = file("./cis_v400/docs/cis_v400_1_2.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.2"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_3" {
+ title = "1.3 Ensure security questions are registered in the AWS account"
+ description = "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
+ query = query.manual_control
+ documentation = file("./cis_v400/docs/cis_v400_1_3.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.3"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_4" {
+ title = "1.4 Ensure no 'root' user account access key exists"
+ description = "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted."
+ query = query.iam_root_user_no_access_keys
+ documentation = file("./cis_v400/docs/cis_v400_1_4.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.4"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_5" {
+ title = "1.5 Ensure MFA is enabled for the 'root' user account"
+ description = "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device."
+ query = query.iam_root_user_mfa_enabled
+ documentation = file("./cis_v400/docs/cis_v400_1_5.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.5"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_6" {
+ title = "1.6 Ensure hardware MFA is enabled for the 'root' user account"
+ description = "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA."
+ query = query.iam_root_user_hardware_mfa_enabled
+ documentation = file("./cis_v400/docs/cis_v400_1_6.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.6"
+ cis_level = "2"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_7" {
+ title = "1.7 Eliminate use of the 'root' user for administrative and daily tasks"
+ description = "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks."
+ query = query.iam_root_last_used
+ documentation = file("./cis_v400/docs/cis_v400_1_7.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.7"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_8" {
+ title = "1.8 Ensure IAM password policy requires minimum length of 14 or greater"
+ description = "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14."
+ query = query.iam_account_password_policy_min_length_14
+ documentation = file("./cis_v400/docs/cis_v400_1_8.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.8"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_9" {
+ title = "1.9 Ensure IAM password policy prevents password reuse"
+ description = "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords."
+ query = query.iam_account_password_policy_reuse_24
+ documentation = file("./cis_v400/docs/cis_v400_1_9.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.9"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_10" {
+ title = "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
+ description = "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password."
+ query = query.iam_user_console_access_mfa_enabled
+ documentation = file("./cis_v400/docs/cis_v400_1_10.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.10"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_11" {
+ title = "1.11 Do not create access keys during initial setup for IAM users with a console password"
+ description = "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require."
+ query = query.iam_user_access_keys_and_password_at_setup
+ documentation = file("./cis_v400/docs/cis_v400_1_11.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.11"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_12" {
+ title = "1.12 Ensure credentials unused for 45 days or more are disabled"
+ description = "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed."
+ query = query.iam_user_unused_credentials_45
+ documentation = file("./cis_v400/docs/cis_v400_1_12.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.12"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_13" {
+ title = "1.13 Ensure there is only one active access key for any single IAM user"
+ description = "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)."
+ query = query.iam_user_one_active_key
+ documentation = file("./cis_v400/docs/cis_v400_1_13.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.13"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_14" {
+ title = "1.14 Ensure access keys are rotated every 90 days or less"
+ description = "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be rotated regularly."
+ query = query.iam_user_access_key_age_90
+ documentation = file("./cis_v400/docs/cis_v400_1_14.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.14"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_15" {
+ title = "1.15 Ensure IAM Users Receive Permissions Only Through Groups"
+ description = "IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, also known as an inline or user policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy."
+ query = query.iam_user_no_inline_attached_policies
+ documentation = file("./cis_v400/docs/cis_v400_1_15.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.15"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_16" {
+ title = "1.16 Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached"
+ description = "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do, and then craft policies for them that allow the users to perform only those tasks, instead of granting full administrative privileges."
+ query = query.iam_policy_all_attached_no_star_star
+ documentation = file("./cis_v400/docs/cis_v400_1_16.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.16"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_17" {
+ title = "1.17 Ensure a support role has been created to manage incidents with AWS Support"
+ description = "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support."
+ query = query.iam_support_role
+ documentation = file("./cis_v400/docs/cis_v400_1_17.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.17"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_18" {
+ title = "1.18 Ensure IAM instance roles are used for AWS resource access from instances"
+ description = "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources."
+ query = query.manual_control
+ documentation = file("./cis_v400/docs/cis_v400_1_18.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.18"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_19" {
+ title = "1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed"
+ description = "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use AWS Certificate Manager (ACM) or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console."
+ query = query.iam_server_certificate_not_expired
+ documentation = file("./cis_v400/docs/cis_v400_1_19.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.19"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_20" {
+ title = "1.20 Ensure that IAM Access analyzer is enabled for all regions"
+ description = "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region."
+ query = query.iam_access_analyzer_enabled
+ documentation = file("./cis_v400/docs/cis_v400_1_20.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.20"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_21" {
+ title = "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments"
+ description = "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations."
+ query = query.manual_control
+ documentation = file("./cis_v400/docs/cis_v400_1_21.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.21"
+ cis_level = "2"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
+
+control "cis_v400_1_22" {
+ title = "1.22 Ensure access to AWSCloudShellFullAccess is restricted"
+ description = "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers."
+ query = query.iam_user_group_role_cloudshell_fullaccess_restricted
+ documentation = file("./cis_v400/docs/cis_v400_1_22.md")
+
+ tags = merge(local.cis_v400_1_common_tags, {
+ cis_item_id = "1.22"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/IAM"
+ })
+}
diff --git a/cis_v400/section_2.pp b/cis_v400/section_2.pp
new file mode 100644
index 00000000..8e9afc91
--- /dev/null
+++ b/cis_v400/section_2.pp
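Review bot: `control "cis_v400_1_18"` is tagged `cis_type = "automated"` although its `query` is `query.manual_control`, so the tag contradicts what the control actually evaluates. Every other control in this file that points at `query.manual_control` (1.1, 1.3, 1.21) carries `cis_type = "manual"`, and anything that filters or reports by `cis_type` would present 1.18 as automatically assessed when nothing is checked. Unless an automated query for 1.18 is planned, the tag should read `cis_type = "manual"`.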
@@ -0,0 +1,199 @@
+locals {
+ cis_v400_2_common_tags = merge(local.cis_v400_common_tags, {
+ cis_section_id = "2"
+ })
+}
+
+locals {
+ cis_v400_2_1_common_tags = merge(local.cis_v400_2_common_tags, {
+ cis_section_id = "2.1"
+ })
+ cis_v400_2_2_common_tags = merge(local.cis_v400_2_common_tags, {
+ cis_section_id = "2.2"
+ })
+ cis_v400_2_3_common_tags = merge(local.cis_v400_2_common_tags, {
+ cis_section_id = "2.3"
+ })
+}
+
+benchmark "cis_v400_2" {
+ title = "2 Storage"
+ documentation = file("./cis_v400/docs/cis_v400_2.md")
+ children = [
+ benchmark.cis_v400_2_1,
+ benchmark.cis_v400_2_2,
+ benchmark.cis_v400_2_3
+ ]
+
+ tags = merge(local.cis_v400_2_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+benchmark "cis_v400_2_1" {
+ title = "2.1 Simple Storage Service (S3)"
+ documentation = file("./cis_v400/docs/cis_v400_2_1.md")
+ children = [
+ control.cis_v400_2_1_1,
+ control.cis_v400_2_1_2,
+ control.cis_v400_2_1_3,
+ control.cis_v400_2_1_4
+ ]
+
+ tags = merge(local.cis_v400_2_1_common_tags, {
+ service = "AWS/S3"
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_2_1_1" {
+ title = "2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests"
+ description = "At the Amazon S3 bucket level, you can configure permissions through a bucket policy, making the objects accessible only through HTTPS."
+ documentation = file("./cis_v400/docs/cis_v400_2_1_1.md")
+ query = query.s3_bucket_enforces_ssl
+
+ tags = merge(local.cis_v400_2_1_common_tags, {
+ cis_item_id = "2.1.1"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/S3"
+ })
+}
+
+control "cis_v400_2_1_2" {
+ title = "2.1.2 Ensure MFA Delete is enabled on S3 buckets"
+ description = "Once MFA Delete is enabled on your sensitive and classified S3 bucket, it requires the user to provide two forms of authentication."
+ documentation = file("./cis_v400/docs/cis_v400_2_1_2.md")
+ query = query.s3_bucket_mfa_delete_enabled
+
+ tags = merge(local.cis_v400_2_1_common_tags, {
+ cis_item_id = "2.1.2"
+ cis_level = "2"
+ cis_type = "manual"
+ service = "AWS/S3"
+ })
+}
+
+control "cis_v400_2_1_3" {
+ title = "2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary"
+ description = "Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Macie, along with other third-party tools, can automatically provide an inventory of Amazon S3 buckets."
+ documentation = file("./cis_v400/docs/cis_v400_2_1_3.md")
+ query = query.s3_bucket_protected_by_macie
+
+ tags = merge(local.cis_v400_2_1_common_tags, {
+ cis_item_id = "2.1.3"
+ cis_level = "2"
+ cis_type = "manual"
+ service = "AWS/S3"
+ })
+}
+
+control "cis_v400_2_1_4" {
+ title = "2.1.4 Ensure that S3 is configured with 'Block Public Access' enabled"
+ description = "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket and its contained objects from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets and their contained objects from becoming publicly accessible across the entire account."
+ documentation = file("./cis_v400/docs/cis_v400_2_1_4.md")
+ query = query.s3_public_access_block_bucket_account
+
+ tags = merge(local.cis_v400_2_1_common_tags, {
+ cis_item_id = "2.1.4"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/S3"
+ })
+}
+
+benchmark "cis_v400_2_2" {
+ title = "2.2 Relational Database Service (RDS)"
+ documentation = file("./cis_v400/docs/cis_v400_2_2.md")
+ children = [
+ control.cis_v400_2_2_1
+ ]
+
+ tags = merge(local.cis_v400_2_2_common_tags, {
+ service = "AWS/RDS"
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_2_2_1" {
+ title = "2.2.1 Ensure that encryption-at-rest is enabled for RDS Instances"
+ description = "Amazon RDS encrypted DB instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and the decryption of your data transparently, with minimal impact on performance."
+ documentation = file("./cis_v400/docs/cis_v400_2_2_1.md")
+ query = query.rds_db_instance_encryption_at_rest_enabled
+
+ tags = merge(local.cis_v400_2_2_common_tags, {
+ cis_item_id = "2.3.1"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/RDS"
+ })
+}
+
+control "cis_v400_2_2_2" {
+ title = "2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances"
+ description = "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled to automatically receive minor engine upgrades during the specified maintenance window. This way, RDS instances can obtain new features, bug fixes, and security patches for their database engines."
+ documentation = file("./cis_v400/docs/cis_v400_2_2_2.md")
+ query = query.rds_db_instance_automatic_minor_version_upgrade_enabled
+
+ tags = merge(local.cis_v400_2_2_common_tags, {
+ cis_item_id = "2.2.2"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/RDS"
+ })
+}
+
+control "cis_v400_2_2_3" {
+ title = "2.2.3 Ensure that RDS instances are not publicly accessible"
+ description = "Ensure and verify that the RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any RDS database instance, you must disable the Publicly Accessible flag for the database and update the VPC security group associated with the instance."
+ documentation = file("./cis_v400/docs/cis_v400_2_2_3.md")
+ query = query.rds_db_instance_prohibit_public_access
+
+ tags = merge(local.cis_v400_2_2_common_tags, {
+ cis_item_id = "2.2.3"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/RDS"
+ })
+}
+
+control "cis_v400_2_2_4" {
+ title = "2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS"
+ description = "Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity."
+ documentation = file("./cis_v400/docs/cis_v400_2_2_4.md")
+ query = query.rds_db_instance_multiple_az_enabled
+
+ tags = merge(local.cis_v400_2_2_common_tags, {
+ cis_item_id = "2.2.4"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/RDS"
+ })
+}
+
+benchmark "cis_v400_2_3" {
+ title = "2.3 Elastic File System (EFS)"
+ documentation = file("./cis_v400/docs/cis_v400_2_3.md")
+ children = [
+ control.cis_v400_2_3_1
+ ]
+
+ tags = merge(local.cis_v400_2_3_common_tags, {
+ service = "AWS/RDS"
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_2_3_1" {
+ title = "2.3.1 Ensure that encryption is enabled for EFS file systems"
+ description = "EFS data should be encrypted at rest using AWS KMS (Key Management Service)."
+ documentation = file("./cis_v400/docs/cis_v400_2_3_1.md")
+ query = query.efs_file_system_encrypt_data_at_rest
+
+ tags = merge(local.cis_v400_2_3_common_tags, {
+ cis_item_id = "2.3.1"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/EFS"
+ })
+}
diff --git a/cis_v400/section_3.pp b/cis_v400/section_3.pp
new file mode 100644
index 00000000..5fa15aa1
--- /dev/null
+++ b/cis_v400/section_3.pp
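Review bot: `benchmark "cis_v400_2_2"` lists only `control.cis_v400_2_2_1` in `children`, so the newly added controls `cis_v400_2_2_2`, `cis_v400_2_2_3` and `cis_v400_2_2_4` (auto minor version upgrade, no public access, Multi-AZ) are defined but never executed by the benchmark; the list should read `control.cis_v400_2_2_1, control.cis_v400_2_2_2, control.cis_v400_2_2_3, control.cis_v400_2_2_4`. Two tag values in the same file also look copy-pasted: `control "cis_v400_2_2_1"` carries `cis_item_id = "2.3.1"` where its title says 2.2.1, and `benchmark "cis_v400_2_3"` (EFS) is tagged `service = "AWS/RDS"` although its only child uses `service = "AWS/EFS"`. Anything that groups results by `cis_item_id` or `service` will misfile those entries.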
@@ -0,0 +1,151 @@
+locals {
+ cis_v400_3_common_tags = merge(local.cis_v400_common_tags, {
+ cis_section_id = "3"
+ })
+}
+
+benchmark "cis_v400_3" {
+ title = "3 Logging"
+ documentation = file("./cis_v400/docs/cis_v400_3.md")
+ children = [
+ control.cis_v400_3_1,
+ control.cis_v400_3_2,
+ control.cis_v400_3_3,
+ control.cis_v400_3_4,
+ control.cis_v400_3_5,
+ control.cis_v400_3_6,
+ control.cis_v400_3_7,
+ control.cis_v400_3_8,
+ control.cis_v400_3_9
+ ]
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_3_1" {
+ title = "3.1 Ensure CloudTrail is enabled in all regions"
+ description = "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
+ query = query.cloudtrail_multi_region_read_write_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_1.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.1"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/CloudTrail"
+ })
+}
+
+control "cis_v400_3_2" {
+ title = "3.2 Ensure CloudTrail log file validation is enabled"
+ description = "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails."
+ query = query.cloudtrail_trail_validation_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_2.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.2"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/CloudTrail"
+ })
+}
+
+control "cis_v400_3_3" {
+ title = "3.3 Ensure AWS Config is enabled in all regions"
+ description = "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions."
+ query = query.config_enabled_all_regions
+ documentation = file("./cis_v400/docs/cis_v400_3_3.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.3"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/Config"
+ })
+}
+
+control "cis_v400_3_4" {
+ title = "3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket"
+ description = "Server access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that server access logging be enabled on the CloudTrail S3 bucket."
+ query = query.cloudtrail_s3_logging_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_4.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.4"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/CloudTrail"
+ })
+}
+
+control "cis_v400_3_5" {
+ title = "3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
+ description = "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer-created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS."
+ query = query.cloudtrail_trail_logs_encrypted_with_kms_cmk
+ documentation = file("./cis_v400/docs/cis_v400_3_5.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.5"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/CloudTrail"
+ })
+}
+
+control "cis_v400_3_6" {
+ title = "3.6 Ensure rotation for customer-created symmetric CMKs is enabled"
+ description = "AWS Key Management Service (KMS) allows customers to rotate the backing key, which is key material stored within the KMS that is tied to the key ID of the customer- created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can occur transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation cannot be enabled for any asymmetric CMK."
+ query = query.kms_cmk_rotation_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_6.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.6"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/CloudTrail"
+ })
+}
+
+control "cis_v400_3_7" {
+ title = "3.7 Ensure VPC flow logging is enabled in all VPCs"
+ description = "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet `Rejects` for VPCs."
+ query = query.vpc_flow_logs_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_7.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.7"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_3_8" {
+ title = "3.8 Ensure that Object-level logging for write events is enabled for S3 buckets"
+ description = "S3 object-level API operations, such as GetObject, DeleteObject, and PutObject, are referred to as data events. By default, CloudTrail trails do not log data events, so it is recommended to enable object-level logging for S3 buckets."
+ query = query.cloudtrail_s3_object_write_events_audit_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_8.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.8"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/S3"
+ })
+}
+
+control "cis_v400_3_9" {
+ title = "3.9 Ensure that Object-level logging for read events is enabled for S3 buckets"
+ description = "S3 object-level API operations, such as GetObject, DeleteObject, and PutObject, are referred to as data events. By default, CloudTrail trails do not log data events, so it is recommended to enable object-level logging for S3 buckets."
+ query = query.cloudtrail_s3_object_read_events_audit_enabled
+ documentation = file("./cis_v400/docs/cis_v400_3_9.md")
+
+ tags = merge(local.cis_v400_3_common_tags, {
+ cis_item_id = "3.9"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/S3"
+ })
+}
diff --git a/cis_v400/section_4.pp b/cis_v400/section_4.pp
new file mode 100644
index 00000000..d845e549
--- /dev/null
+++ b/cis_v400/section_4.pp
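Review bot: `control "cis_v400_3_6"` (KMS CMK rotation, query `query.kms_cmk_rotation_enabled`) is tagged `service = "AWS/CloudTrail"`, which looks carried over from the preceding CloudTrail controls; by the `AWS/<Service>` convention used throughout this diff the tag should name KMS, presumably `service = "AWS/KMS"`, so the control is not filed under CloudTrail in service-level reporting. Separately, `control "cis_v400_3_9"` reuses the 3.8 description verbatim and so never mentions read events; its description should say that object-level logging for read events (e.g. GetObject) is recommended, mirroring its title, so the two controls are distinguishable in output.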
@@ -0,0 +1,257 @@ +locals { + cis_v400_4_common_tags = merge(local.cis_v400_common_tags, { + cis_section_id = "4" + }) +} + +benchmark "cis_v400_4" { + title = "4 Monitoring" + documentation = file("./cis_v400/docs/cis_v400_4.md") + children = [ + control.cis_v400_4_1, + control.cis_v400_4_2, + control.cis_v400_4_3, + control.cis_v400_4_4, + control.cis_v400_4_5, + control.cis_v400_4_6, + control.cis_v400_4_7, + control.cis_v400_4_8, + control.cis_v400_4_9, + control.cis_v400_4_10, + control.cis_v400_4_11, + control.cis_v400_4_12, + control.cis_v400_4_13, + control.cis_v400_4_14, + control.cis_v400_4_15, + control.cis_v400_4_16 + ] + + tags = merge(local.cis_v400_4_common_tags, { + type = "Benchmark" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_1" { + title = "4.1 Ensure unauthorized API calls are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms." + query = query.log_metric_filter_unauthorized_api + documentation = file("./cis_v400/docs/cis_v400_4_1.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.1" + cis_level = "2" + cis_type = "automated" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_2" { + title = "4.2 Ensure management console sign-in without MFA is monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)." 
+ query = query.log_metric_filter_console_login_mfa
+ documentation = file("./cis_v400/docs/cis_v400_4_2.md")
+
+ tags = merge(local.cis_v400_4_common_tags, {
+ cis_item_id = "4.2"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/CloudWatch"
+ })
+}
+
+control "cis_v400_4_3" {
+ title = "4.3 Ensure usage of the 'root' account is monitoredd"
+ description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts to detect unauthorized use or attempts to use the root account."
+ query = query.log_metric_filter_root_login
+ documentation = file("./cis_v400/docs/cis_v400_4_3.md")
+
+ tags = merge(local.cis_v400_4_common_tags, {
+ cis_item_id = "4.3"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/CloudWatch"
+ })
+}
+
+control "cis_v400_4_4" {
+ title = "4.4 Ensure IAM policy changes are monitored"
+ description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies."
+ query = query.log_metric_filter_iam_policy + documentation = file("./cis_v400/docs/cis_v400_4_4.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.4" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_5" { + title = "4.5 Ensure CloudTrail configuration changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be used to detect changes to CloudTrail's configurations." + query = query.log_metric_filter_cloudtrail_configuration + documentation = file("./cis_v400/docs/cis_v400_4_5.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.5" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_6" { + title = "4.6 Ensure AWS Management Console authentication failures are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." 
+ query = query.log_metric_filter_console_authentication_failure + documentation = file("./cis_v400/docs/cis_v400_4_6.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.6" + cis_level = "2" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_7" { + title = "4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer-created CMKs that have changed state to disabled or are scheduled for deletion." + query = query.log_metric_filter_disable_or_delete_cmk + documentation = file("./cis_v400/docs/cis_v400_4_7.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.7" + cis_level = "2" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_8" { + title = "4.8 Ensure S3 bucket policy changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." 
+ query = query.log_metric_filter_bucket_policy + documentation = file("./cis_v400/docs/cis_v400_4_8.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.8" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_9" { + title = "4.9 Ensure AWS Config configuration changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations." + query = query.log_metric_filter_config_configuration + documentation = file("./cis_v400/docs/cis_v400_4_9.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.9" + cis_level = "2" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_10" { + title = "4.10 Ensure security group changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. Security groups are stateful packet filters that control ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established to detect changes to security groups." 
+ query = query.log_metric_filter_security_group + documentation = file("./cis_v400/docs/cis_v400_4_10.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.10" + cis_level = "2" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_11" { + title = "4.11 Ensure Network Access Control List (NACL) changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for any changes made to NACLs." + query = query.log_metric_filter_network_acl + documentation = file("./cis_v400/docs/cis_v400_4_11.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.11" + cis_level = "2" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_12" { + title = "4.12 Ensure changes to network gateways are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." 
+ query = query.log_metric_filter_network_gateway + documentation = file("./cis_v400/docs/cis_v400_4_12.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.12" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_13" { + title = "4.13 Ensure route table changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables." + query = query.log_metric_filter_route_table + documentation = file("./cis_v400/docs/cis_v400_4_13.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.13" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_14" { + title = "4.14 Ensure VPC changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than one VPC within an account; additionally, it is also possible to create a peer connection between two VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs." 
+ query = query.log_metric_filter_vpc + documentation = file("./cis_v400/docs/cis_v400_4_14.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.14" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_15" { + title = "4.15 Ensure AWS Organizations changes are monitored" + description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to AWS Organizations in the master AWS account." + query = query.log_metric_filter_organization + documentation = file("./cis_v400/docs/cis_v400_4_15.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.15" + cis_level = "1" + cis_type = "manual" + service = "AWS/CloudWatch" + }) +} + +control "cis_v400_4_16" { + title = "4.16 Ensure AWS Security Hub is enabled" + description = "Security Hub collects security data from various AWS accounts, services, and supported third-party partner products, helping you analyze your security trends and identify the highest-priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from the AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products." + query = query.securityhub_enabled + documentation = file("./cis_v400/docs/cis_v400_4_16.md") + + tags = merge(local.cis_v400_4_common_tags, { + cis_item_id = "4.16" + cis_level = "2" + cis_type = "automated" + service = "AWS/SecurityHub" + }) +} diff --git a/cis_v400/section_5.pp b/cis_v400/section_5.pp new file mode 100644 index 00000000..fa313f84 --- /dev/null +++ b/cis_v400/section_5.pp 
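Review bot: The title of control `cis_v400_4_3` carries a typo ("monitoredd") that will be rendered verbatim in every benchmark report; it should read `title = "4.3 Ensure usage of the 'root' account is monitored"`. Separately, the `cis_v400_4_15` description refers to the "master AWS account"; if the v4.0.0 benchmark text uses "management account", as current AWS Organizations documentation does, the description should follow that wording so operators searching for the term find the control.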
@@ -0,0 +1,155 @@
+locals {
+ cis_v400_5_common_tags = merge(local.cis_v400_common_tags, {
+ cis_section_id = "5"
+ })
+}
+
+locals {
+ cis_v400_5_1_common_tags = merge(local.cis_v400_5_common_tags, {
+ cis_section_id = "5.1"
+ })
+}
+
+benchmark "cis_v400_5" {
+ title = "5 Networking"
+ documentation = file("./cis_v400/docs/cis_v400_5.md")
+ children = [
+ benchmark.cis_v400_5_1,
+ control.cis_v400_5_2,
+ control.cis_v400_5_3,
+ control.cis_v400_5_4,
+ control.cis_v400_5_5,
+ control.cis_v400_5_6
+ ]
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ service = "AWS/VPC"
+ type = "Benchmark"
+ })
+}
+
+benchmark "cis_v400_5_1" {
+ title = "5.1 Elastic Compute Cloud (EC2)"
+ documentation = file("./cis_v400/docs/cis_v400_5_1.md")
+ children = [
+ control.cis_v400_5_1_1,
+ control.cis_v400_5_1_2
+ ]
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ service = "AWS/EC2"
+ type = "Benchmark"
+ })
+}
+
+control "cis_v400_5_1_1" {
+ title = "5.1.1 Ensure EBS Volume Encryption is Enabled in all Regions"
+ description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
+ documentation = file("./cis_v400/docs/cis_v400_5_1_1.md")
+ query = query.ebs_encryption_by_default_enabled
+
+ tags = merge(local.cis_v400_5_1_common_tags, {
+ cis_item_id = "5.1.1"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/EBS"
+ })
+}
+
+control "cis_v400_5_1_2" {
+ title = "5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access"
+ description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches."
+ documentation = file("./cis_v400/docs/cis_v400_5_1_2.md")
+ query = query.vpc_security_group_allows_ingress_to_port_445
+
+ tags = merge(local.cis_v400_5_1_common_tags, {
+ cis_item_id = "5.1.2"
+ cis_level = "1"
+ cis_type = "manual"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_2" {
+ title = "5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports"
+ description = "The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using either the TCP (6), UDP (17), or ALL (-1) protocols."
+ query = query.vpc_network_acl_remote_administration
+ documentation = file("./cis_v400/docs/cis_v400_5_2.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.2"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_3" {
+ title = "5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
+ description = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using either the TCP (6), UDP (17), or ALL (-1) protocols."
+ query = query.vpc_security_group_remote_administration_ipv4
+ documentation = file("./cis_v400/docs/cis_v400_5_3.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.3"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_4" {
+ title = "5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports"
+ description = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389."
+ query = query.vpc_security_group_remote_administration_ipv6
+ documentation = file("./cis_v400/docs/cis_v400_5_3.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.4"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_5" {
+ title = "5.5 Ensure the default security group of every VPC restricts all traffic"
+ description = "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If a security group is not specified when an instance is launched, it is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic, both inbound and outbound."
+ query = query.vpc_default_security_group_restricts_all_traffic
+ documentation = file("./cis_v400/docs/cis_v400_5_5.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.5"
+ cis_level = "2"
+ cis_type = "automated"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_6" {
+ title = "5.6 Ensure routing tables for VPC peering are \"least access\""
+ description = "Once a VPC peering connection is established, routing tables must be updated to enable any connections between the peered VPCs. These routes can be as specific as desired, even allowing for the peering of a VPC to only a single host on the other side of the connection."
+ query = query.manual_control
+ documentation = file("./cis_v400/docs/cis_v400_5_6.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.6"
+ cis_level = "2"
+ cis_type = "manual"
+ service = "AWS/VPC"
+ })
+}
+
+control "cis_v400_5_7" {
+ title = "5.7 Ensure that the EC2 Metadata Service only allows IMDSv2"
+ description = "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method)."
+ query = query.ec2_instance_uses_imdsv2
+ documentation = file("./cis_v400/docs/cis_v400_5_7.md")
+
+ tags = merge(local.cis_v400_5_common_tags, {
+ cis_item_id = "5.7"
+ cis_level = "1"
+ cis_type = "automated"
+ service = "AWS/EC2"
+ })
+}
diff --git a/conformance_pack/vpc.pp b/conformance_pack/vpc.pp
index 2fb934cc..a90b3e65
--- a/conformance_pack/vpc.pp
+++ b/conformance_pack/vpc.pp
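Review bot: Control `cis_v400_5_4` points its documentation at the 5.3 doc file, so the rendered guidance for the IPv6 check will show the IPv4 recommendation's remediation text; it should read `documentation = file("./cis_v400/docs/cis_v400_5_4.md")`. The `cis_v400_5_1` benchmark also merges `local.cis_v400_5_common_tags` although a `cis_v400_5_1_common_tags` local is declared at the top of this file, so its `cis_section_id` tag will be "5" rather than "5.1" while the 5.1.x controls beneath it do carry "5.1"; `tags = merge(local.cis_v400_5_1_common_tags, {` makes the benchmark consistent with its children. Both are tag/doc plumbing rather than query logic, but they are what report filters and dashboards key on.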
@@ -457,6 +457,14 @@
 tags = local.conformance_pack_vpc_common_tags
 }
 
+control "vpc_security_group_allows_ingress_to_port_445" {
+ title = "Ensure CIFS access is restricted to trusted networks to prevent unauthorized access"
+ description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches."
+ query = query.vpc_security_group_allows_ingress_to_port_445
+
+ tags = local.conformance_pack_vpc_common_tags
+}
+
 query "vpc_flow_logs_enabled" {
 sql = <<-EOQ
 with vpcs as (
@@ -1999,3 +2007,45 @@
 EOQ
 }
 
+query "vpc_security_group_allows_ingress_to_port_445" {
+ sql = <<-EOQ
+ with ingress_cifs_rules as (
+ select
+ group_id,
+ count(*) as num_cifs_rules
+ from
+ aws_vpc_security_group_rule
+ where
+ type = 'ingress'
+ and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
+ and (
+ (
+ ip_protocol = '-1'
+ and from_port is null
+ )
+ or (
+ from_port <= 445
+ and to_port >= 445
+ )
+ )
+ group by
+ group_id
+ )
+ select
+ arn as resource,
+ case
+ when ingress_cifs_rules.group_id is null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for ports 445 from 0.0.0.0/0 and ::/0.'
+ else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on ports 445 from 0.0.0.0/0 or ::/0..'
+ end as reason
+ ${local.tag_dimensions_sql}
+ ${local.common_dimensions_sql}
+ from
+ aws_vpc_security_group as sg
+ left join ingress_cifs_rules on ingress_cifs_rules.group_id = sg.group_id;
+ EOQ
+}
+
From 3b994eae85e2573cd9f592731e853a69a0284e3a Mon Sep 17 00:00:00 2001
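Review bot: The alarm reason in `vpc_security_group_allows_ingress_to_port_445` ends with a double period (`' ... from 0.0.0.0/0 or ::/0..'`), and the two later renames in this series carry it forward unchanged; drop one so the branch reads `else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on ports 445 from 0.0.0.0/0 or ::/0.'`. More substantively, the `where` clause only matches the literal CIDRs `0.0.0.0/0` and `::/0`, so a rule open to a near-universal range such as `0.0.0.0/1`, or one granted through a non-CIDR source, never reaches the `alarm` branch; that is consistent with how the mod's sibling "from 0.0.0.0/0 and ::/0" controls are scoped, but the control description promises restriction to "trusted networks", so either narrow the description to the unrestricted-CIDR case or widen the CIDR test. The port predicate itself (`from_port <= 445 and to_port >= 445`, plus the all-protocol `-1`/null-port case) correctly catches ranges that span 445 rather than only exact matches.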
From: Cody Bruno Date: Fri, 25 Oct 2024 13:38:46 -0400 Subject: [PATCH 05/10] Update VPC security group ingress CIFR port control name and add missing CIS v4.0.0 children --- all_controls/vpc.pp | 1 + cis_v400/section_2.pp | 5 ++++- cis_v400/section_5.pp | 5 +++-- conformance_pack/vpc.pp | 10 +++++----- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/all_controls/vpc.pp b/all_controls/vpc.pp index 64d0cee6..4e2de9a7 100644 --- a/all_controls/vpc.pp +++ b/all_controls/vpc.pp @@ -24,6 +24,7 @@ control.vpc_route_table_restrict_public_access_to_igw, control.vpc_security_group_allows_ingress_authorized_ports, control.vpc_security_group_allows_ingress_to_cassandra_ports, + control.vpc_security_group_allows_ingress_to_cifs_ports, control.vpc_security_group_allows_ingress_to_memcached_port, control.vpc_security_group_allows_ingress_to_mongodb_ports, control.vpc_security_group_allows_ingress_to_oracle_ports, diff --git a/cis_v400/section_2.pp b/cis_v400/section_2.pp index 8e9afc91..ca14767e 100644 --- a/cis_v400/section_2.pp +++ b/cis_v400/section_2.pp @@ -106,7 +106,10 @@ title = "2.2 Relational Database Service (RDS)" documentation = file("./cis_v400/docs/cis_v400_2_2.md") children = [ - control.cis_v400_2_2_1 + control.cis_v400_2_2_1, + control.cis_v400_2_2_2, + control.cis_v400_2_2_3, + control.cis_v400_2_2_4 ] tags = merge(local.cis_v400_2_2_common_tags, { diff --git a/cis_v400/section_5.pp b/cis_v400/section_5.pp index fa313f84..bce7583c 100644 --- a/cis_v400/section_5.pp +++ b/cis_v400/section_5.pp @@ -19,7 +19,8 @@ control.cis_v400_5_3, control.cis_v400_5_4, control.cis_v400_5_5, - control.cis_v400_5_6 + control.cis_v400_5_6, + control.cis_v400_5_7 ] tags = merge(local.cis_v400_5_common_tags, { 
@@ -60,7 +61,7 @@ title = "5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access" description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches." documentation = file("./cis_v400/docs/cis_v400_5_1_2.md") - query = query.vpc_security_group_allows_ingress_to_port_445 + query = query.vpc_security_group_allows_ingress_to_cifs_ports tags = merge(local.cis_v400_5_1_common_tags, { cis_item_id = "5.1.2" diff --git a/conformance_pack/vpc.pp b/conformance_pack/vpc.pp index a90b3e65..b1e07901 100644 --- a/conformance_pack/vpc.pp +++ b/conformance_pack/vpc.pp @@ -457,10 +457,10 @@ tags = local.conformance_pack_vpc_common_tags } -control "vpc_security_group_allows_ingress_to_port_445" { +control "vpc_security_group_allows_ingress_to_cifs_ports" { title = "Ensure CIFS access is restricted to trusted networks to prevent unauthorized access" description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches." - query = query.vpc_security_group_allows_ingress_to_port_445 + query = query.vpc_security_group_allows_ingress_to_cifs_ports tags = local.conformance_pack_vpc_common_tags } @@ -2007,7 +2007,7 @@ EOQ } -query "vpc_security_group_allows_ingress_to_port_445" { +query "vpc_security_group_allows_ingress_to_cifs_ports" { sql = <<-EOQ with ingress_cifs_rules as ( select 
@@ -2038,8 +2038,8 @@ else 'alarm' end as status, case - when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for ports 445 from 0.0.0.0/0 and ::/0.' - else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on ports 445 from 0.0.0.0/0 or ::/0..' + when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for CIFS ports (445) from 0.0.0.0/0 and ::/0.' + else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on CIFS ports (445) from 0.0.0.0/0 or ::/0..' end as reason ${local.tag_dimensions_sql} ${local.common_dimensions_sql} From 5f46dc73d1fd1e42ab1840dbfea53c176607d531 Mon Sep 17 00:00:00 2001 From: Cody Bruno Date: Fri, 25 Oct 2024 14:12:36 -0400 Subject: [PATCH 06/10] Rename vpc_security_group_restrict_ingress_cifs_port_all control and query name --- all_controls/vpc.pp | 2 +- cis_v400/section_5.pp | 2 +- conformance_pack/vpc.pp | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/all_controls/vpc.pp b/all_controls/vpc.pp index 4e2de9a7..3e68f04c 100644 --- a/all_controls/vpc.pp +++ b/all_controls/vpc.pp @@ -24,7 +24,6 @@ control.vpc_route_table_restrict_public_access_to_igw, control.vpc_security_group_allows_ingress_authorized_ports, control.vpc_security_group_allows_ingress_to_cassandra_ports, - control.vpc_security_group_allows_ingress_to_cifs_ports, control.vpc_security_group_allows_ingress_to_memcached_port, control.vpc_security_group_allows_ingress_to_mongodb_ports, control.vpc_security_group_allows_ingress_to_oracle_ports, 
@@ -33,6 +32,7 @@ control.vpc_security_group_remote_administration_ipv4, control.vpc_security_group_remote_administration_ipv6, control.vpc_security_group_remote_administration, + control.vpc_security_group_restrict_ingress_cifs_port_all, control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_kafka_port, control.vpc_security_group_restrict_ingress_kibana_port, diff --git a/cis_v400/section_5.pp b/cis_v400/section_5.pp index bce7583c..f8cf4da4 100644 --- a/cis_v400/section_5.pp +++ b/cis_v400/section_5.pp @@ -61,7 +61,7 @@ title = "5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access" description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches." documentation = file("./cis_v400/docs/cis_v400_5_1_2.md") - query = query.vpc_security_group_allows_ingress_to_cifs_ports + query = query.vpc_security_group_restrict_ingress_cifs_port_all tags = merge(local.cis_v400_5_1_common_tags, { cis_item_id = "5.1.2" diff --git a/conformance_pack/vpc.pp b/conformance_pack/vpc.pp index b1e07901..d458f595 100644 --- a/conformance_pack/vpc.pp +++ b/conformance_pack/vpc.pp 
@@ -457,10 +457,10 @@ tags = local.conformance_pack_vpc_common_tags } -control "vpc_security_group_allows_ingress_to_cifs_ports" { - title = "Ensure CIFS access is restricted to trusted networks to prevent unauthorized access" +control "vpc_security_group_restrict_ingress_cifs_port_all" { + title = "VPC security groups should restrict ingress CIFS access from 0.0.0.0/0 and ::/0" description = "Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches." - query = query.vpc_security_group_allows_ingress_to_cifs_ports + query = query.vpc_security_group_restrict_ingress_cifs_port_all tags = local.conformance_pack_vpc_common_tags } @@ -2007,7 +2007,7 @@ EOQ } -query "vpc_security_group_allows_ingress_to_cifs_ports" { +query "vpc_security_group_restrict_ingress_cifs_port_all" { sql = <<-EOQ with ingress_cifs_rules as ( select @@ -2038,8 +2038,8 @@ else 'alarm' end as status, case - when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for CIFS ports (445) from 0.0.0.0/0 and ::/0.' - else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on CIFS ports (445) from 0.0.0.0/0 or ::/0..' + when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for CIFS port (445) from 0.0.0.0/0 and ::/0.' + else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on CIFS port (445) from 0.0.0.0/0 or ::/0..' end as reason ${local.tag_dimensions_sql} ${local.common_dimensions_sql} From 62753690046ab9cfa2386fda243de0d2a576a619 Mon Sep 17 00:00:00 2001 
From: Cody Bruno Date: Fri, 25 Oct 2024 14:39:08 -0400 Subject: [PATCH 07/10] Add ec2_ebs_default_encryption_enabled control and query as deprecated items --- all_controls/ec2.pp | 2 +- conformance_pack/ec2.pp | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/all_controls/ec2.pp b/all_controls/ec2.pp index 42b76a3d..a95b0835 100644 --- a/all_controls/ec2.pp +++ b/all_controls/ec2.pp @@ -12,7 +12,7 @@ control.ec2_ami_not_older_than_90_days, control.ec2_ami_restrict_public_access, control.ec2_client_vpn_endpoint_client_connection_logging_enabled, - control.ebs_encryption_by_default_enabled, + control.ec2_ebs_default_encryption_enabled, control.ec2_instance_attached_ebs_volume_delete_on_termination_enabled, control.ec2_instance_detailed_monitoring_enabled, control.ec2_instance_ebs_optimized, diff --git a/conformance_pack/ec2.pp b/conformance_pack/ec2.pp index 02bd55e5..7ee866f8 100644 --- a/conformance_pack/ec2.pp +++ b/conformance_pack/ec2.pp 
@@ -20,6 +20,26 @@
 tags = local.conformance_pack_ec2_common_tags
 }
 
+control "ec2_ebs_default_encryption_enabled" {
+ title = "EBS default encryption should be enabled"
+ description = "[DEPRECATED] This control has been deprecated and will be removed in a future release, use the ebs_encryption_by_default_enabled control instead. To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes."
+ query = query.ec2_ebs_default_encryption_enabled
+ tags = merge(local.conformance_pack_ec2_common_tags, {
+ cis_controls_v8_ig1 = "true"
+ cisa_cyber_essentials = "true"
+ ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
+ hipaa_final_omnibus_security_rule_2013 = "true"
+ hipaa_security_rule_2003 = "true"
+ nist_800_171_rev_2 = "true"
+ nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
+ soc_2 = "true"
+ })
+}
 
 control "ec2_instance_detailed_monitoring_enabled" {
 title = "EC2 instance detailed monitoring should be enabled"
@@ -491,6 +511,27 @@
 tags = local.conformance_pack_ec2_common_tags
 }
 
+query "ec2_ebs_default_encryption_enabled" {
+ sql = <<-EOQ
+ select
+ 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
+ case
+ when r.opt_in_status = 'not-opted-in' then 'skip'
+ when not default_ebs_encryption_enabled then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
+ when not default_ebs_encryption_enabled then r.region || ' default EBS encryption disabled.'
+ else r.region || ' default EBS encryption enabled.'
+ end as reason
+ ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+ from
+ aws_region as r
+ left join aws_ec2_regional_settings as s on s.account_id = r.account_id and s.region = r.region;
+ EOQ
+}
+
 query "ec2_instance_detailed_monitoring_enabled" {
 sql = <<-EOQ
 select
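Review bot: In the added `ec2_ebs_default_encryption_enabled` query, `when not default_ebs_encryption_enabled then 'alarm'` does not fire when the left join to `aws_ec2_regional_settings` yields no row: `not NULL` is NULL, so an opted-in region whose settings could not be read falls through to `'ok'`, which is the wrong default for an encryption-at-rest check. `when default_ebs_encryption_enabled is not true then 'alarm'` would report an unknown setting as a finding instead; the later patch in this series removes the join, which sidesteps the issue for the rewritten form but not for this commit as it stands. Separately, the control description in the first hunk points users to `ebs_encryption_by_default_enabled`, while the CHANGELOG entry added later in the series names `ebs_encryption_by_default`; the two should agree on the replacement control's name.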
From d0449766b548efc256313d30f0c18dd21bda8ec3 Mon Sep 17 00:00:00 2001
From: Cody Bruno
Date: Fri, 25 Oct 2024 14:42:51 -0400
Subject: [PATCH 08/10] Update examples in README and docs to use CIS v4.0.0 benchmark
---
 README.md | 8 ++++----
 docs/index.md | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 845c8120..175269cc 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # AWS Compliance Mod for Powerpipe
 
-540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v3.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
+540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v4.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
 
 Run checks in a dashboard:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_dashboard.png)
@@ -71,7 +71,7 @@ powerpipe benchmark list
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run aws_compliance.benchmark.cis_v300
+powerpipe benchmark run aws_compliance.benchmark.cis_v400
 ```
 
 Different output formats are also available, for more information please see
@@ -91,7 +91,7 @@ vi powerpipe.ppvars
 Alternatively you can pass variables on the command line:
 
 ```sh
-powerpipe benchmark run aws_compliance.benchmark.cis_v300 --var 'tag_dimensions=["Environment", "Owner"]'
+powerpipe benchmark run aws_compliance.benchmark.cis_v400 --var 'tag_dimensions=["Environment", "Owner"]'
 ```
 
 Or through environment variables:
@@ -99,7 +99,7 @@ Or through environment variables:
 ```sh
 export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
 export PP_VAR_tag_dimensions='["Environment", "Owner"]'
-powerpipe benchmark run aws_compliance.benchmark.cis_v300
+powerpipe benchmark run aws_compliance.benchmark.cis_v400
 ```
 
 ## Open Source & Contributing
diff --git a/docs/index.md b/docs/index.md
index 792f023a..40da57a7 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -70,7 +70,7 @@ powerpipe benchmark list
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run aws_compliance.benchmark.cis_v300
+powerpipe benchmark run aws_compliance.benchmark.cis_v400
 ```
 
 Different output formats are also available, for more information please see
@@ -90,7 +90,7 @@ vi powerpipe.ppvars
 Alternatively you can pass variables on the command line:
 
 ```sh
-powerpipe benchmark run aws_compliance.benchmark.cis_v300 --var 'tag_dimensions=["Environment", "Owner"]'
+powerpipe benchmark run aws_compliance.benchmark.cis_v400 --var 'tag_dimensions=["Environment", "Owner"]'
 ```
 
 Or through environment variables:
@@ -98,7 +98,7 @@ Or through environment variables:
 ```sh
 export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
 export PP_VAR_tag_dimensions='["Environment", "Owner"]'
-powerpipe benchmark run aws_compliance.benchmark.cis_v300
+powerpipe benchmark run aws_compliance.benchmark.cis_v400
 ```
 
 ## Open Source & Contributing
From bb65da96fae0d61ef20abc21b7336159eb141994 Mon Sep 17 00:00:00 2001
From: Cody Bruno
Date: Fri, 25 Oct 2024 14:51:37 -0400
Subject: [PATCH 09/10] Add CHANGELOG for v1.1.0
---
 CHANGELOG.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebad8a58..6850bb14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,26 @@
+## v1.1.0 [2024-10-25]
+
+_What's new?_
+
+- Added CIS v4.0.0 benchmark (`steampipe check benchmark.cis_v400`). ([#836](https://github.com/turbot/steampipe-mod-aws-compliance/pull/836))
+- Added `ebs_encryption_by_default_enabled` and `vpc_security_group_restrict_ingress_cifs_port_all` controls to the `All Controls` benchmark. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+
+_Enhancements_
+
+- Added the `ebs_encryption_by_default_enabled` control to the `rbi_cyber_security_annex_i_1_3` benchmark. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+- Set `python3.8` as deprecated Lambda runtime in `lambda_function_use_latest_runtime` control. ([#833](https://github.com/turbot/steampipe-mod-aws-compliance/pull/833)) (Thanks to [@sbldevnet](https://github.com/sbldevnet) for the contribution!)
+- Updated `iam_access_analyzer_enabled_without_findings` and `ssm_document_prohibit_public_access` controls to use latest columns and tables from the AWS plugin. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+
+_Bug fixes_
+
+- VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+- Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+- Fixed the `fedramp_moderate_rev_4_sc_28` benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
+
+_Deprecated_
+
+- Deprecated the `ec2_ebs_default_encryption_enabled` control and query. Please use the `ebs_encryption_by_default` control and query instead.
+
 ## v1.0.1 [2024-10-24]
 
 _Bug fixes_
@@ -8,6 +31,10 @@ _Bug fixes_
 
 This mod now requires [Powerpipe](https://powerpipe.io). [Steampipe](https://steampipe.io) users should check the [migration guide](https://powerpipe.io/blog/migrating-from-steampipe).
 
+_Bug fixes_
+
+- Cleanup various typos in CIS docs. ([#828](https://github.com/turbot/steampipe-mod-aws-compliance/pull/828)) (Thanks to [@vil02](https://github.com/vil02) for the contribution!)
+
 ## v0.98 [2024-08-30]
 
 _What's new?_
From 2a653a9739af1ec14124865794025ab5ebc7b60a Mon Sep 17 00:00:00 2001
From: Cody Bruno
Date: Fri, 25 Oct 2024 15:01:15 -0400
Subject: [PATCH 10/10] Update EBS encryption by default queries to only check regions in connection config
---
 conformance_pack/ebs.pp | 13 +++++-------
 conformance_pack/ec2.pp | 13 +++++-------
 2 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/conformance_pack/ebs.pp b/conformance_pack/ebs.pp
index eb854100..bd6eebd3 100644
--- a/conformance_pack/ebs.pp
+++ b/conformance_pack/ebs.pp
@@ -188,21 +188,18 @@
 query "ebs_encryption_by_default_enabled" {
 sql = <<-EOQ
 select
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
+ 'arn:' || partition || '::' || region || ':' || account_id as resource,
 case
- when r.opt_in_status = 'not-opted-in' then 'skip'
 when not default_ebs_encryption_enabled then 'alarm'
 else 'ok'
 end as status,
 case
- when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
- when not default_ebs_encryption_enabled then r.region || ' default EBS encryption disabled.'
- else r.region || ' default EBS encryption enabled.'
+ when not default_ebs_encryption_enabled then region || ' EBS encryption by default disabled.'
+ else region || ' EBS encryption by default enabled.'
 end as reason
- ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+ ${local.common_dimensions_sql}
 from
- aws_region as r
- left join aws_ec2_regional_settings as s on s.account_id = r.account_id and s.region = r.region;
+ aws_ec2_regional_settings;
 EOQ
 }
 
diff --git a/conformance_pack/ec2.pp b/conformance_pack/ec2.pp
index 7ee866f8..b667c28e 100644
--- a/conformance_pack/ec2.pp
+++ b/conformance_pack/ec2.pp
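Review bot: Dropping the `aws_region` driver and the `opt_in_status` branch changes what an absent result means: the query now emits a row only for regions that `aws_ec2_regional_settings` returns, which per the commit subject is the connection's configured region list, so a region that is enabled in the account but left out of the connection config produces no row at all rather than a `skip`, and a disabled default-encryption setting there is invisible to the benchmark. That is a defensible scoping decision, but it should be visible to the people reading the results; suggested addition to the control's description (the `control` block is outside this hunk): `Only regions included in the connection's region configuration are evaluated; regions outside that list are not reported.` The same applies to the identical rewrite of `ec2_ebs_default_encryption_enabled` in conformance_pack/ec2.pp in this commit.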
@@ -514,21 +514,18 @@
 query "ec2_ebs_default_encryption_enabled" {
 sql = <<-EOQ
 select
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
+ 'arn:' || partition || '::' || region || ':' || account_id as resource,
 case
- when r.opt_in_status = 'not-opted-in' then 'skip'
 when not default_ebs_encryption_enabled then 'alarm'
 else 'ok'
 end as status,
 case
- when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
- when not default_ebs_encryption_enabled then r.region || ' default EBS encryption disabled.'
- else r.region || ' default EBS encryption enabled.'
+ when not default_ebs_encryption_enabled then region || ' default EBS encryption disabled.'
+ else region || ' default EBS encryption enabled.'
 end as reason
- ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+ ${local.common_dimensions_sql}
 from
- aws_region as r
- left join aws_ec2_regional_settings as s on s.account_id = r.account_id and s.region = r.region;
+ aws_ec2_regional_settings;
 EOQ
 }