CIS AWS Foundations Benchmark Rule Bundle failures for Organization enabled services
As part of Stax's commitment to best practice, Stax configures certain services at the AWS Organization level as part of Stax Assurance on behalf of its customers. This means that it is configured within every region of every account in your AWS Organization. The CIS AWS Foundations Benchmark definitions are yet to cater for Organization enabled services and still audits on a per account basis. As a result, some rules in the CIS AWS Foundations Benchmark Rule Bundle may fail.
If you wish for this to not be reflected in your compliance score, you may disable the rule or ignore the failing resource from being evaluated in the rule. These rules are listed below.
Alignment with CIS AWS Foundations Benchmark Versions
Presently Stax-managed AWS Organizations are configured to align with the AWS Foundations Benchmark version 1.2.0.
Metric Filter and Alarm Controls
- CIS AWS Foundations Benchmark v1.1: 3.1 - 3.15
- CIS AWS Foundations Benchmark v1.2: 3.1 - 3.14
- CIS AWS Foundations Benchmark v1.3: 4.1 - 4.15
- CIS AWS Foundations Benchmark v1.4: 4.1 - 4.15
These controls require users to establish various metric filters and alarms on the CloudTrail Logs which are passed to CloudWatch Logs. Historically, these CloudWatch Logs have been stored in each member account, as CloudTrail is configurable on an account by account basis. However, AWS now allows users to configure CloudTrail at the Organization level. This means that the CloudWatch Logs are centralized and stored in the management account only. Stax configures CloudTrail at the Organization level and configures the metric filters and alarms stipulated by CIS on the CloudWatch Logs in the management account. The advantages of enabling CloudTrail at the Organization level are twofold:
- Simplicity: CloudTrail and the associated event and log delivery services do not need to be configured in every account. Organization CloudTrail automatically performs the logging tasks in member accounts using a service-linked role
- Automation: When new accounts are created in your Stax Organization, Organization CloudTrail automatically logs events upon creation of the new account and stores these logs accordingly. This means that CloudTrail does not need to be configured in each new account
Currently, the CIS AWS Foundations Benchmark audits the metric filter and alarm controls on CloudWatch Logs in each member account and does not take into consideration the Organization-level CloudTrail offering.
IAM Access Analyzer Controls
- CIS AWS Foundations Benchmark v1.3: 1.21
- CIS AWS Foundations Benchmark v1.4: 1.20
These controls require users to enable IAM Access Analyzer across all regions and accounts in your AWS Organization. Stax enables IAM Access Analyzer for all Stax accounts by configuring your Organization as the zone of trust. This means that IAM Access Analyzer is enabled at the Organization level, rather than at the account level. The advantages of enabling IAM Access Analyzer at the Organization level are twofold:
- Simplicity: Analyzers do not need to be created in every account. Instead, analyzers are created in one account and this account analyzes AWS resources in other accounts via a service-linked role.
- Automation: When new accounts are created in your Stax Organization, IAM Access Analyzer automatically scans the new account via the service-linked role. This means that analyzers do not need to be created in each new account.
Currently, the CIS AWS Foundations Benchmark audits for analyzers in each member account and does not take into consideration the Organization-level IAM Access Analyzer offering.