
CIS AWS Foundations Benchmark

The Center for Internet Security (CIS) AWS Foundations Benchmark serves as a set of security configuration best practices for AWS. Stax endeavours to meet version 5.0.0 of this framework.

Stax will automatically configure a number of settings for your AWS accounts to meet these best practices. There are also a number of settings that you must opt-in to due to the increased costs or additional information required.

Recommendations

The following are the CIS version 5.0.0 recommendations and how they are addressed by Stax.

Covered by Stax Default configuration

| CIS 5.0.0 Ref | Description | Stax Considerations |
| --- | --- | --- |
| 1.1 | Maintain current contact details | AWS Accounts created through Stax will follow your configured email address format. |
| 1.3 | Ensure no 'root' user account access key exists | |
| 1.4 | Ensure MFA is enabled for the 'root' user account | |
| 1.5 | Ensure hardware MFA is enabled for the 'root' user account | |
| 1.6 | Eliminate use of the 'root' user for administrative and daily tasks | Stax automatically enables and configures centralized root access for member accounts, which prevents the automatic creation of root user credentials when a new AWS Account is created. While Stax provides a secure default, it is important to ensure that root credentials are not enabled at a later date. |
| 1.7 | Ensure IAM password policy requires minimum length of 14 or greater | |
| 1.8 | Ensure IAM password policy prevents password reuse | As part of AWS Account Assurance, Stax sets these IAM password requirements for each AWS Account. |
| 1.11 | Ensure credentials unused for 45 days or more are disabled | Stax deploys and manages an AWS Config Conformance Pack that automatically disables these unused credentials. |
| 1.16 | Ensure a support role has been created to manage incidents with AWS Support | The stax-aws-support role is provisioned. |
| 1.19 | Ensure that IAM External Access Analyzer is enabled for all regions | Stax configures an analyzer with a zone of trust for the entire AWS Organization. This is centralized into the Security AWS Account. |
| 1.20 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Stax provides each tenant with their own identity service, which is configured as an identity provider for each AWS Account. This allows AWS access using role assumption. |
| 3.1 | Ensure CloudTrail is enabled in all regions | |
| 3.2 | Ensure CloudTrail log file validation is enabled | Stax creates and configures a multi-region Organization Trail. This is automatically applied to all AWS Accounts in the AWS Organization. All logs are centralized into the cloudtrail CloudWatch Log Group in the management AWS Account. |
| 3.3 | Ensure AWS Config is enabled in all regions | Stax configures this for all AWS Accounts. |
| 3.4 | Ensure that server access logging is enabled on the CloudTrail S3 bucket | |
| 3.5 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | All CloudTrail logs are written to an S3 Bucket within the logging AWS Account. |
| 4.1 | Ensure unauthorized API calls are monitored | See Note 1 |
| 4.2 | Ensure management console sign-in without MFA is monitored | See Note 1 |
| 4.3 | Ensure usage of the 'root' account is monitored | See Note 1 |
| 4.4 | Ensure IAM policy changes are monitored | See Note 1 |
| 4.5 | Ensure CloudTrail configuration changes are monitored | See Note 1 |
| 4.6 | Ensure AWS Management Console authentication failures are monitored | See Note 1 |
| 4.7 | Ensure disabling or scheduled deletion of customer created CMKs is monitored | See Note 1 |
| 4.8 | Ensure S3 bucket policy changes are monitored | See Note 1 |
| 4.9 | Ensure AWS Config configuration changes are monitored | See Note 1 |
| 4.10 | Ensure security group changes are monitored | See Note 1 |
| 4.11 | Ensure Network Access Control List (NACL) changes are monitored | See Note 1 |
| 4.12 | Ensure changes to network gateways are monitored | See Note 1 |
| 4.13 | Ensure route table changes are monitored | See Note 1 |
| 4.14 | Ensure VPC changes are monitored | See Note 1 |
| 4.15 | Ensure AWS Organizations changes are monitored | See Note 1 |

Note 1: Stax creates a set of CloudWatch Logs metric filters and alarms based on the CIS 4.x recommendations above. Each filter matches the relevant events in the Organization CloudTrail logs, and any resulting alarms are centralized to the SNS Topic stax-cis-benchmark in the security AWS account. It is recommended to subscribe your tooling, or configure Amazon Q Developer, to notify you of new messages published to this SNS Topic.
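To make the filter logic behind Note 1 concrete, here is an added example (not Stax or CIS code) that expresses three of those CIS 4.x controls as plain Python predicates and runs them over constructed CloudTrail records; the predicates paraphrase the intent of the metric filter patterns the benchmark prescribes, so verify the exact filter strings against the benchmark text before deploying them.

```python
"""CIS 4.x CloudTrail detection logic as plain Python predicates (added example,
not Stax or CIS code). Each predicate mirrors the intent of the CloudWatch Logs
metric filter CIS prescribes; verify exact filter strings against the benchmark."""
from collections import defaultdict

# Constructed sample CloudTrail records; names and identities are fictitious.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}},
    {"eventName": "StopLogging", "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "PutObject", "userIdentity": {"type": "AssumedRole"}},
    # Root activity initiated by an AWS service: deliberately excluded by 4.3.
    {"eventName": "CreateSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "backup.amazonaws.com"}},
]

def cis_4_1_unauthorized_api_call(ev):
    """CIS 4.1: errorCode ending UnauthorizedOperation or starting AccessDenied."""
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def cis_4_3_root_usage(ev):
    """CIS 4.3: root identity, not invoked by an AWS service, not a service event."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")

def cis_4_5_cloudtrail_config_change(ev):
    """CIS 4.5: trail lifecycle and logging-state API calls."""
    return ev.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                   "StartLogging", "StopLogging"}

RULES = {"CIS-4.1": cis_4_1_unauthorized_api_call,
         "CIS-4.3": cis_4_3_root_usage,
         "CIS-4.5": cis_4_5_cloudtrail_config_change}

def evaluate(events):
    """Return {rule_id: [eventName, ...]} for each rule's matching events.
    A metric filter emits 1 per match; the alarm on that metric is what
    reaches the SNS topic."""
    hits = defaultdict(list)
    for ev in events:
        for rule_id, predicate in RULES.items():
            if predicate(ev):
                hits[rule_id].append(ev["eventName"])
    return dict(hits)
```

The `invokedBy` / `AwsServiceEvent` exclusion in the 4.3 predicate is what keeps service-driven root activity (such as a backup job) from paging on-call for every run.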

Requires opt-in configuration

| CIS 5.0.0 Ref | Description | Stax Considerations |
| --- | --- | --- |
| 1.2 | Ensure security contact information is registered | Using the AWS Account Foundation service, Stax allows you to configure the Alternate Contact information to be applied to every AWS Account in your AWS Organization. This contact information is applied to all new and existing accounts. |
| 1.9 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | |
| 1.10 | Do not create access keys during initial setup for IAM users with a console password | |
| 1.12 | Ensure there is only one active access key for any single IAM user | |
| 1.13 | Ensure access keys are rotated every 90 days or less | |
| 1.14 | Ensure IAM users receive permissions only through groups | Stax discourages the use of IAM users as part of best practices. You can use Configurable Guardrails to block the creation of any IAM users. |
| 2.1.4 | Ensure that S3 is configured with 'Block Public Access' enabled | Using the AWS Account Foundation service, Stax allows you to enable this option for all existing and new AWS Accounts. Additionally, Configurable Guardrails can be enabled to prevent this option from being modified. |
| 4.16 | Ensure AWS Security Hub is enabled | Stax provides Security Hub as a separate Foundation service that you can enable and configure. This delegates the service to the security AWS Account and uses central configuration to manage the entire AWS Organization. |
| 5.1.1 | Ensure EBS volume encryption is enabled in all regions | |
| 5.7 | Ensure that the EC2 Metadata Service only allows IMDSv2 | Using the AWS Account Foundation service, Stax allows you to enable this option for all existing and new AWS Accounts. Additionally, Configurable Guardrails can be enabled to prevent this option from being modified. |

Customer shared responsibility

The recommendations below are complied with by Stax by default, but customer configuration can violate them, so they are "shared" responsibilities that both parties must address.

| CIS 5.0.0 Ref | Description |
| --- | --- |
| 1.15 | Ensure IAM policies that allow full `*:*` administrative privileges are not attached |
| 1.17 | Ensure IAM instance roles are used for AWS resource access from instances |
| 1.18 | Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed |
| 1.21 | Ensure access to AWSCloudShellFullAccess is restricted |
| 2.1.1 | Ensure S3 Bucket Policy is set to deny HTTP requests |
| 2.1.2 | Ensure MFA Delete is enabled on S3 buckets |
| 2.1.3 | Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary |
| 2.2.1 | Ensure that encryption-at-rest is enabled for RDS instances |
| 2.2.2 | Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances |
| 2.2.3 | Ensure that RDS instances are not publicly accessible |
| 2.2.4 | Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS |
| 2.3.1 | Ensure that encryption is enabled for EFS file systems |
| 3.6 | Ensure rotation for customer-created symmetric CMKs is enabled |
| 3.7 | Ensure VPC flow logging is enabled in all VPCs |
| 3.8 | Ensure that object-level logging for write events is enabled for S3 buckets |
| 3.9 | Ensure that object-level logging for read events is enabled for S3 buckets |
| 5.1.2 | Ensure CIFS access is restricted to trusted networks to prevent unauthorized access |
| 5.2 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports |
| 5.3 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports |
| 5.4 | Ensure no security groups allow ingress from ::/0 to remote server administration ports |
| 5.5 | Ensure the default security group of every VPC restricts all traffic |
| 5.6 | Ensure routing tables for VPC peering are "least access" |