aws-cis-controls-assessment 1.0.3__py3-none-any.whl
- aws_cis_assessment/__init__.py +11 -0
- aws_cis_assessment/cli/__init__.py +3 -0
- aws_cis_assessment/cli/examples.py +274 -0
- aws_cis_assessment/cli/main.py +1259 -0
- aws_cis_assessment/cli/utils.py +356 -0
- aws_cis_assessment/config/__init__.py +1 -0
- aws_cis_assessment/config/config_loader.py +328 -0
- aws_cis_assessment/config/rules/cis_controls_ig1.yaml +590 -0
- aws_cis_assessment/config/rules/cis_controls_ig2.yaml +412 -0
- aws_cis_assessment/config/rules/cis_controls_ig3.yaml +100 -0
- aws_cis_assessment/controls/__init__.py +1 -0
- aws_cis_assessment/controls/base_control.py +400 -0
- aws_cis_assessment/controls/ig1/__init__.py +239 -0
- aws_cis_assessment/controls/ig1/control_1_1.py +586 -0
- aws_cis_assessment/controls/ig1/control_2_2.py +231 -0
- aws_cis_assessment/controls/ig1/control_3_3.py +718 -0
- aws_cis_assessment/controls/ig1/control_3_4.py +235 -0
- aws_cis_assessment/controls/ig1/control_4_1.py +461 -0
- aws_cis_assessment/controls/ig1/control_access_keys.py +310 -0
- aws_cis_assessment/controls/ig1/control_advanced_security.py +512 -0
- aws_cis_assessment/controls/ig1/control_backup_recovery.py +510 -0
- aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py +197 -0
- aws_cis_assessment/controls/ig1/control_critical_security.py +422 -0
- aws_cis_assessment/controls/ig1/control_data_protection.py +898 -0
- aws_cis_assessment/controls/ig1/control_iam_advanced.py +573 -0
- aws_cis_assessment/controls/ig1/control_iam_governance.py +493 -0
- aws_cis_assessment/controls/ig1/control_iam_policies.py +383 -0
- aws_cis_assessment/controls/ig1/control_instance_optimization.py +100 -0
- aws_cis_assessment/controls/ig1/control_network_enhancements.py +203 -0
- aws_cis_assessment/controls/ig1/control_network_security.py +672 -0
- aws_cis_assessment/controls/ig1/control_s3_enhancements.py +173 -0
- aws_cis_assessment/controls/ig1/control_s3_security.py +422 -0
- aws_cis_assessment/controls/ig1/control_vpc_security.py +235 -0
- aws_cis_assessment/controls/ig2/__init__.py +172 -0
- aws_cis_assessment/controls/ig2/control_3_10.py +698 -0
- aws_cis_assessment/controls/ig2/control_3_11.py +1330 -0
- aws_cis_assessment/controls/ig2/control_5_2.py +393 -0
- aws_cis_assessment/controls/ig2/control_advanced_encryption.py +355 -0
- aws_cis_assessment/controls/ig2/control_codebuild_security.py +263 -0
- aws_cis_assessment/controls/ig2/control_encryption_rest.py +382 -0
- aws_cis_assessment/controls/ig2/control_encryption_transit.py +382 -0
- aws_cis_assessment/controls/ig2/control_network_ha.py +467 -0
- aws_cis_assessment/controls/ig2/control_remaining_encryption.py +426 -0
- aws_cis_assessment/controls/ig2/control_remaining_rules.py +363 -0
- aws_cis_assessment/controls/ig2/control_service_logging.py +402 -0
- aws_cis_assessment/controls/ig3/__init__.py +49 -0
- aws_cis_assessment/controls/ig3/control_12_8.py +395 -0
- aws_cis_assessment/controls/ig3/control_13_1.py +467 -0
- aws_cis_assessment/controls/ig3/control_3_14.py +523 -0
- aws_cis_assessment/controls/ig3/control_7_1.py +359 -0
- aws_cis_assessment/core/__init__.py +1 -0
- aws_cis_assessment/core/accuracy_validator.py +425 -0
- aws_cis_assessment/core/assessment_engine.py +1266 -0
- aws_cis_assessment/core/audit_trail.py +491 -0
- aws_cis_assessment/core/aws_client_factory.py +313 -0
- aws_cis_assessment/core/error_handler.py +607 -0
- aws_cis_assessment/core/models.py +166 -0
- aws_cis_assessment/core/scoring_engine.py +459 -0
- aws_cis_assessment/reporters/__init__.py +8 -0
- aws_cis_assessment/reporters/base_reporter.py +454 -0
- aws_cis_assessment/reporters/csv_reporter.py +835 -0
- aws_cis_assessment/reporters/html_reporter.py +2162 -0
- aws_cis_assessment/reporters/json_reporter.py +561 -0
- aws_cis_controls_assessment-1.0.3.dist-info/METADATA +248 -0
- aws_cis_controls_assessment-1.0.3.dist-info/RECORD +77 -0
- aws_cis_controls_assessment-1.0.3.dist-info/WHEEL +5 -0
- aws_cis_controls_assessment-1.0.3.dist-info/entry_points.txt +2 -0
- aws_cis_controls_assessment-1.0.3.dist-info/licenses/LICENSE +21 -0
- aws_cis_controls_assessment-1.0.3.dist-info/top_level.txt +2 -0
- docs/README.md +94 -0
- docs/assessment-logic.md +766 -0
- docs/cli-reference.md +698 -0
- docs/config-rule-mappings.md +393 -0
- docs/developer-guide.md +858 -0
- docs/installation.md +299 -0
- docs/troubleshooting.md +634 -0
- docs/user-guide.md +487 -0
|
@@ -0,0 +1,590 @@
|
|
|
1
|
+
implementation_group: IG1
|
|
2
|
+
total_rules: 74
|
|
3
|
+
description: Essential cyber hygiene - foundational safeguards for all enterprises
|
|
4
|
+
controls:
|
|
5
|
+
'1.1':
|
|
6
|
+
title: Establish and Maintain Detailed Enterprise Asset Inventory
|
|
7
|
+
weight: 1.0
|
|
8
|
+
config_rules:
|
|
9
|
+
- name: eip-attached
|
|
10
|
+
resource_types:
|
|
11
|
+
- AWS::EC2::EIP
|
|
12
|
+
parameters: {}
|
|
13
|
+
description: Assessment for eip-attached Config rule - ensures Elastic IPs are
|
|
14
|
+
attached.
|
|
15
|
+
remediation_guidance: Follow AWS Config rule guidance for eip-attached
|
|
16
|
+
- name: ec2-stopped-instance
|
|
17
|
+
resource_types:
|
|
18
|
+
- AWS::EC2::Instance
|
|
19
|
+
parameters: {}
|
|
20
|
+
description: Assessment for ec2-stopped-instance Config rule - checks for long-stopped
|
|
21
|
+
instances.
|
|
22
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-stopped-instance
|
|
23
|
+
- name: vpc-network-acl-unused-check
|
|
24
|
+
resource_types:
|
|
25
|
+
- AWS::EC2::NetworkAcl
|
|
26
|
+
parameters: {}
|
|
27
|
+
description: Assessment for vpc-network-acl-unused-check Config rule - ensures
|
|
28
|
+
NACLs are in use.
|
|
29
|
+
remediation_guidance: Follow AWS Config rule guidance for vpc-network-acl-unused-check
|
|
30
|
+
- name: ec2-instance-managed-by-systems-manager
|
|
31
|
+
resource_types:
|
|
32
|
+
- AWS::EC2::Instance
|
|
33
|
+
parameters: {}
|
|
34
|
+
description: Assessment for ec2-instance-managed-by-systems-manager Config rule.
|
|
35
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-instance-managed-by-systems-manager
|
|
36
|
+
- name: ec2-security-group-attached-to-eni
|
|
37
|
+
resource_types:
|
|
38
|
+
- AWS::EC2::SecurityGroup
|
|
39
|
+
parameters: {}
|
|
40
|
+
description: Assessment for ec2-security-group-attached-to-eni Config rule.
|
|
41
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-security-group-attached-to-eni
|
|
42
|
+
'1.5':
|
|
43
|
+
title: Control 1.5
|
|
44
|
+
weight: 1.0
|
|
45
|
+
config_rules:
|
|
46
|
+
- name: root-account-hardware-mfa-enabled
|
|
47
|
+
resource_types:
|
|
48
|
+
- AWS::IAM::Root
|
|
49
|
+
parameters: {}
|
|
50
|
+
description: Assessment for root-account-hardware-mfa-enabled AWS Config rule.
|
|
51
|
+
remediation_guidance: Follow AWS Config rule guidance for root-account-hardware-mfa-enabled
|
|
52
|
+
'11.2':
|
|
53
|
+
title: Control 11.2
|
|
54
|
+
weight: 1.0
|
|
55
|
+
config_rules:
|
|
56
|
+
- name: ebs-optimized-instance
|
|
57
|
+
resource_types:
|
|
58
|
+
- AWS::EC2::Instance
|
|
59
|
+
parameters: {}
|
|
60
|
+
description: Assessment for ebs-optimized-instance AWS Config rule.
|
|
61
|
+
remediation_guidance: Follow AWS Config rule guidance for ebs-optimized-instance
|
|
62
|
+
- name: dynamodb-in-backup-plan
|
|
63
|
+
resource_types:
|
|
64
|
+
- AWS::DynamoDB::Table
|
|
65
|
+
parameters: {}
|
|
66
|
+
description: Assessment for dynamodb-in-backup-plan AWS Config rule.
|
|
67
|
+
remediation_guidance: Follow AWS Config rule guidance for dynamodb-in-backup-plan
|
|
68
|
+
- name: ebs-in-backup-plan
|
|
69
|
+
resource_types:
|
|
70
|
+
- AWS::EC2::Volume
|
|
71
|
+
parameters: {}
|
|
72
|
+
description: Assessment for ebs-in-backup-plan AWS Config rule.
|
|
73
|
+
remediation_guidance: Follow AWS Config rule guidance for ebs-in-backup-plan
|
|
74
|
+
- name: efs-in-backup-plan
|
|
75
|
+
resource_types:
|
|
76
|
+
- AWS::EFS::FileSystem
|
|
77
|
+
parameters: {}
|
|
78
|
+
description: Assessment for efs-in-backup-plan AWS Config rule.
|
|
79
|
+
remediation_guidance: Follow AWS Config rule guidance for efs-in-backup-plan
|
|
80
|
+
- name: db-instance-backup-enabled
|
|
81
|
+
resource_types:
|
|
82
|
+
- AWS::RDS::DBInstance
|
|
83
|
+
parameters: {}
|
|
84
|
+
description: Assessment for db-instance-backup-enabled AWS Config rule.
|
|
85
|
+
remediation_guidance: Follow AWS Config rule guidance for db-instance-backup-enabled
|
|
86
|
+
- name: redshift-backup-enabled
|
|
87
|
+
resource_types:
|
|
88
|
+
- AWS::Redshift::Cluster
|
|
89
|
+
parameters: {}
|
|
90
|
+
description: Assessment for redshift-backup-enabled AWS Config rule.
|
|
91
|
+
remediation_guidance: Follow AWS Config rule guidance for redshift-backup-enabled
|
|
92
|
+
- name: dynamodb-pitr-enabled
|
|
93
|
+
resource_types:
|
|
94
|
+
- AWS::DynamoDB::Table
|
|
95
|
+
parameters: {}
|
|
96
|
+
description: Assessment for dynamodb-pitr-enabled AWS Config rule.
|
|
97
|
+
remediation_guidance: Follow AWS Config rule guidance for dynamodb-pitr-enabled
|
|
98
|
+
- name: elasticache-redis-cluster-automatic-backup-check
|
|
99
|
+
resource_types:
|
|
100
|
+
- AWS::ElastiCache::CacheCluster
|
|
101
|
+
parameters: {}
|
|
102
|
+
description: Assessment for elasticache-redis-cluster-automatic-backup-check
|
|
103
|
+
AWS Config rule.
|
|
104
|
+
remediation_guidance: Follow AWS Config rule guidance for elasticache-redis-cluster-automatic-backup-check
|
|
105
|
+
- name: s3-bucket-replication-enabled
|
|
106
|
+
resource_types:
|
|
107
|
+
- AWS::S3::Bucket
|
|
108
|
+
parameters: {}
|
|
109
|
+
description: Assessment for s3-bucket-replication-enabled AWS Config rule.
|
|
110
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-replication-enabled
|
|
111
|
+
'12.2':
|
|
112
|
+
title: Control 12.2
|
|
113
|
+
weight: 1.0
|
|
114
|
+
config_rules:
|
|
115
|
+
- name: vpc-default-security-group-closed
|
|
116
|
+
resource_types:
|
|
117
|
+
- AWS::EC2::SecurityGroup
|
|
118
|
+
parameters: {}
|
|
119
|
+
description: "CIS Control 12.2 - Establish and Maintain a Secure Network Architecture\n\
|
|
120
|
+
\ AWS Config Rule: vpc-default-security-group-closed\n \n Ensures\
|
|
121
|
+
\ default security groups restrict all traffic to prevent accidental exposure."
|
|
122
|
+
remediation_guidance: Follow AWS Config rule guidance for vpc-default-security-group-closed
|
|
123
|
+
- name: restricted-ssh
|
|
124
|
+
resource_types:
|
|
125
|
+
- AWS::EC2::SecurityGroup
|
|
126
|
+
parameters: {}
|
|
127
|
+
description: "CIS Control 12.2 - Establish and Maintain a Secure Network Architecture\n\
|
|
128
|
+
\ AWS Config Rule: restricted-ssh\n \n Ensures security groups do\
|
|
129
|
+
\ not allow unrestricted SSH access from 0.0.0.0/0."
|
|
130
|
+
remediation_guidance: Follow AWS Config rule guidance for restricted-ssh
|
|
131
|
+
'2.2':
|
|
132
|
+
title: Ensure Authorized Software is Currently Supported
|
|
133
|
+
weight: 1.0
|
|
134
|
+
config_rules:
|
|
135
|
+
- name: elastic-beanstalk-managed-updates-enabled
|
|
136
|
+
resource_types:
|
|
137
|
+
- AWS::ElasticBeanstalk::Environment
|
|
138
|
+
parameters: {}
|
|
139
|
+
description: Assessment for elastic-beanstalk-managed-updates-enabled Config
|
|
140
|
+
rule.
|
|
141
|
+
remediation_guidance: Follow AWS Config rule guidance for elastic-beanstalk-managed-updates-enabled
|
|
142
|
+
- name: ecs-fargate-latest-platform-version
|
|
143
|
+
resource_types:
|
|
144
|
+
- AWS::ECS::Service
|
|
145
|
+
parameters: {}
|
|
146
|
+
description: Assessment for ecs-fargate-latest-platform-version Config rule.
|
|
147
|
+
remediation_guidance: Follow AWS Config rule guidance for ecs-fargate-latest-platform-version
|
|
148
|
+
2.2.1:
|
|
149
|
+
title: Control 2.2.1
|
|
150
|
+
weight: 1.0
|
|
151
|
+
config_rules:
|
|
152
|
+
- name: opensearch-in-vpc-only
|
|
153
|
+
resource_types:
|
|
154
|
+
- AWS::OpenSearch::Domain
|
|
155
|
+
parameters: {}
|
|
156
|
+
description: Assessment for opensearch-in-vpc-only AWS Config rule.
|
|
157
|
+
remediation_guidance: Follow AWS Config rule guidance for opensearch-in-vpc-only
|
|
158
|
+
'3.10':
|
|
159
|
+
title: Encrypt Sensitive Data in Transit
|
|
160
|
+
weight: 1.0
|
|
161
|
+
config_rules:
|
|
162
|
+
- name: elasticsearch-node-to-node-encryption-check
|
|
163
|
+
resource_types:
|
|
164
|
+
- AWS::Elasticsearch::Domain
|
|
165
|
+
parameters: {}
|
|
166
|
+
description: Assessment for elasticsearch-node-to-node-encryption-check AWS
|
|
167
|
+
Config rule.
|
|
168
|
+
remediation_guidance: Follow AWS Config rule guidance for elasticsearch-node-to-node-encryption-check
|
|
169
|
+
'3.11':
|
|
170
|
+
title: Encrypt Sensitive Data at Rest
|
|
171
|
+
weight: 1.0
|
|
172
|
+
config_rules:
|
|
173
|
+
- name: cloudwatch-log-group-encrypted
|
|
174
|
+
resource_types:
|
|
175
|
+
- AWS::Logs::LogGroup
|
|
176
|
+
parameters: {}
|
|
177
|
+
description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config\
|
|
178
|
+
\ Rule: cloudwatch-log-group-encrypted\n \n Ensures CloudWatch Log Groups\
|
|
179
|
+
\ are encrypted with KMS keys."
|
|
180
|
+
remediation_guidance: Follow AWS Config rule guidance for cloudwatch-log-group-encrypted
|
|
181
|
+
'3.3':
|
|
182
|
+
title: Configure Data Access Control Lists
|
|
183
|
+
weight: 1.0
|
|
184
|
+
config_rules:
|
|
185
|
+
- name: s3-bucket-ssl-requests-only
|
|
186
|
+
resource_types:
|
|
187
|
+
- AWS::S3::Bucket
|
|
188
|
+
parameters: {}
|
|
189
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
190
|
+
\ Config Rule: s3-bucket-ssl-requests-only\n \n Ensures S3 buckets require\
|
|
191
|
+
\ SSL/TLS for all requests to protect data in transit."
|
|
192
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-ssl-requests-only
|
|
193
|
+
- name: s3-bucket-server-side-encryption-enabled
|
|
194
|
+
resource_types:
|
|
195
|
+
- AWS::S3::Bucket
|
|
196
|
+
parameters: {}
|
|
197
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
198
|
+
\ Config Rule: s3-bucket-server-side-encryption-enabled\n \n Ensures\
|
|
199
|
+
\ S3 buckets have server-side encryption enabled to protect data at rest."
|
|
200
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-server-side-encryption-enabled
|
|
201
|
+
- name: s3-bucket-logging-enabled
|
|
202
|
+
resource_types:
|
|
203
|
+
- AWS::S3::Bucket
|
|
204
|
+
parameters: {}
|
|
205
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
206
|
+
\ Config Rule: s3-bucket-logging-enabled\n \n Ensures S3 buckets have\
|
|
207
|
+
\ access logging enabled for audit and compliance."
|
|
208
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-logging-enabled
|
|
209
|
+
- name: iam-root-access-key-check
|
|
210
|
+
resource_types:
|
|
211
|
+
- AWS::::Account
|
|
212
|
+
parameters: {}
|
|
213
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
214
|
+
\ Config Rule: iam-root-access-key-check\n \n Ensures the root user\
|
|
215
|
+
\ does not have access keys attached to prevent unauthorized access."
|
|
216
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-root-access-key-check
|
|
217
|
+
- name: iam-user-unused-credentials-check
|
|
218
|
+
resource_types:
|
|
219
|
+
- AWS::IAM::User
|
|
220
|
+
parameters: {}
|
|
221
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
222
|
+
\ Config Rule: iam-user-unused-credentials-check\n \n Ensures IAM users\
|
|
223
|
+
\ don't have unused credentials that could pose security risks."
|
|
224
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-user-unused-credentials-check
|
|
225
|
+
- name: iam-customer-policy-blocked-kms-actions
|
|
226
|
+
resource_types:
|
|
227
|
+
- AWS::IAM::Policy
|
|
228
|
+
parameters: {}
|
|
229
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
230
|
+
\ Config Rule: iam-customer-policy-blocked-kms-actions\n \n Ensures\
|
|
231
|
+
\ customer-managed IAM policies don't contain blocked KMS actions."
|
|
232
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-customer-policy-blocked-kms-actions
|
|
233
|
+
- name: iam-inline-policy-blocked-kms-actions
|
|
234
|
+
resource_types:
|
|
235
|
+
- AWS::IAM::User
|
|
236
|
+
- AWS::IAM::Role
|
|
237
|
+
- AWS::IAM::Group
|
|
238
|
+
parameters: {}
|
|
239
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
240
|
+
\ Config Rule: iam-inline-policy-blocked-kms-actions\n \n Ensures inline\
|
|
241
|
+
\ IAM policies don't contain blocked KMS actions."
|
|
242
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-inline-policy-blocked-kms-actions
|
|
243
|
+
- name: ebs-snapshot-public-restorable-check
|
|
244
|
+
resource_types:
|
|
245
|
+
- AWS::EC2::Snapshot
|
|
246
|
+
parameters: {}
|
|
247
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
248
|
+
\ Config Rule: ebs-snapshot-public-restorable-check\n \n Ensures EBS\
|
|
249
|
+
\ snapshots are not publicly restorable to prevent data exposure."
|
|
250
|
+
remediation_guidance: Follow AWS Config rule guidance for ebs-snapshot-public-restorable-check
|
|
251
|
+
- name: rds-snapshots-public-prohibited
|
|
252
|
+
resource_types:
|
|
253
|
+
- AWS::RDS::DBSnapshot
|
|
254
|
+
- AWS::RDS::DBClusterSnapshot
|
|
255
|
+
parameters: {}
|
|
256
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
257
|
+
\ Config Rule: rds-snapshots-public-prohibited\n \n Ensures RDS snapshots\
|
|
258
|
+
\ are not publicly accessible to prevent database data exposure."
|
|
259
|
+
remediation_guidance: Follow AWS Config rule guidance for rds-snapshots-public-prohibited
|
|
260
|
+
- name: rds-instance-public-access-check
|
|
261
|
+
resource_types:
|
|
262
|
+
- AWS::RDS::DBInstance
|
|
263
|
+
- AWS::RDS::DBCluster
|
|
264
|
+
parameters: {}
|
|
265
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
266
|
+
\ Config Rule: rds-instance-public-access-check\n \n Ensures RDS instances\
|
|
267
|
+
\ are not publicly accessible to prevent database exposure."
|
|
268
|
+
remediation_guidance: Follow AWS Config rule guidance for rds-instance-public-access-check
|
|
269
|
+
- name: redshift-cluster-public-access-check
|
|
270
|
+
resource_types:
|
|
271
|
+
- AWS::Redshift::Cluster
|
|
272
|
+
parameters: {}
|
|
273
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
274
|
+
\ Config Rule: redshift-cluster-public-access-check\n \n Ensures Redshift\
|
|
275
|
+
\ clusters are not publicly accessible to prevent data warehouse exposure."
|
|
276
|
+
remediation_guidance: Follow AWS Config rule guidance for redshift-cluster-public-access-check
|
|
277
|
+
- name: s3-bucket-level-public-access-prohibited
|
|
278
|
+
resource_types:
|
|
279
|
+
- AWS::S3::Bucket
|
|
280
|
+
parameters: {}
|
|
281
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
282
|
+
\ Config Rule: s3-bucket-level-public-access-prohibited\n \n Ensures\
|
|
283
|
+
\ S3 buckets do not allow public access at the bucket level to prevent data\
|
|
284
|
+
\ exposure."
|
|
285
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-level-public-access-prohibited
|
|
286
|
+
- name: iam-user-mfa-enabled
|
|
287
|
+
resource_types:
|
|
288
|
+
- AWS::IAM::User
|
|
289
|
+
parameters: {}
|
|
290
|
+
description: Assessment for iam-user-mfa-enabled Config rule - ensures IAM users
|
|
291
|
+
have MFA.
|
|
292
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-user-mfa-enabled
|
|
293
|
+
- name: iam-root-access-key-check
|
|
294
|
+
resource_types:
|
|
295
|
+
- AWS::::Account
|
|
296
|
+
parameters: {}
|
|
297
|
+
description: Assessment for iam-root-access-key-check Config rule - ensures
|
|
298
|
+
root has no access keys.
|
|
299
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-root-access-key-check
|
|
300
|
+
- name: s3-bucket-public-read-prohibited
|
|
301
|
+
resource_types:
|
|
302
|
+
- AWS::S3::Bucket
|
|
303
|
+
parameters: {}
|
|
304
|
+
description: Assessment for s3-bucket-public-read-prohibited Config rule.
|
|
305
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-public-read-prohibited
|
|
306
|
+
- name: ec2-instance-no-public-ip
|
|
307
|
+
resource_types:
|
|
308
|
+
- AWS::EC2::Instance
|
|
309
|
+
parameters: {}
|
|
310
|
+
description: Assessment for ec2-instance-no-public-ip Config rule.
|
|
311
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-instance-no-public-ip
|
|
312
|
+
- name: autoscaling-launch-config-public-ip-disabled
|
|
313
|
+
resource_types:
|
|
314
|
+
- AWS::AutoScaling::LaunchConfiguration
|
|
315
|
+
parameters: {}
|
|
316
|
+
description: Assessment for autoscaling-launch-config-public-ip-disabled AWS
|
|
317
|
+
Config rule.
|
|
318
|
+
remediation_guidance: Follow AWS Config rule guidance for autoscaling-launch-config-public-ip-disabled
|
|
319
|
+
- name: efs-access-point-enforce-root-directory
|
|
320
|
+
resource_types:
|
|
321
|
+
- AWS::EFS::AccessPoint
|
|
322
|
+
parameters: {}
|
|
323
|
+
description: Assessment for efs-access-point-enforce-root-directory AWS Config
|
|
324
|
+
rule.
|
|
325
|
+
remediation_guidance: Follow AWS Config rule guidance for efs-access-point-enforce-root-directory
|
|
326
|
+
- name: ec2-managedinstance-association-compliance-status-check
|
|
327
|
+
resource_types:
|
|
328
|
+
- AWS::EC2::Instance
|
|
329
|
+
parameters: {}
|
|
330
|
+
description: "CIS Control 1.1/2.4/4.1 - Systems Management\n AWS Config Rule:\
|
|
331
|
+
\ ec2-managedinstance-association-compliance-status-check\n \n Ensures\
|
|
332
|
+
\ EC2 instances have proper Systems Manager associations for compliance tracking."
|
|
333
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-managedinstance-association-compliance-status-check
|
|
334
|
+
- name: emr-kerberos-enabled
|
|
335
|
+
resource_types:
|
|
336
|
+
- AWS::EMR::Cluster
|
|
337
|
+
parameters: {}
|
|
338
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
339
|
+
\ Config Rule: emr-kerberos-enabled\n \n Ensures EMR clusters have Kerberos\
|
|
340
|
+
\ authentication enabled to prevent unauthorized access."
|
|
341
|
+
remediation_guidance: Follow AWS Config rule guidance for emr-kerberos-enabled
|
|
342
|
+
- name: lambda-inside-vpc
|
|
343
|
+
resource_types:
|
|
344
|
+
- AWS::Lambda::Function
|
|
345
|
+
parameters: {}
|
|
346
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
347
|
+
\ Config Rule: lambda-inside-vpc\n \n Ensures Lambda functions are deployed\
|
|
348
|
+
\ within VPC when needed for network isolation."
|
|
349
|
+
remediation_guidance: Follow AWS Config rule guidance for lambda-inside-vpc
|
|
350
|
+
- name: ecs-task-definition-user-for-host-mode-check
|
|
351
|
+
resource_types:
|
|
352
|
+
- AWS::ECS::TaskDefinition
|
|
353
|
+
parameters: {}
|
|
354
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
355
|
+
\ Config Rule: ecs-task-definition-user-for-host-mode-check\n \n Ensures\
|
|
356
|
+
\ ECS tasks in host mode do not run with elevated privileges to prevent container\
|
|
357
|
+
\ privilege escalation."
|
|
358
|
+
remediation_guidance: Follow AWS Config rule guidance for ecs-task-definition-user-for-host-mode-check
|
|
359
|
+
- name: iam-group-has-users-check
|
|
360
|
+
resource_types:
|
|
361
|
+
- AWS::IAM::Group
|
|
362
|
+
parameters: {}
|
|
363
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
364
|
+
\ Config Rule: iam-group-has-users-check\n \n Ensures IAM groups have\
|
|
365
|
+
\ at least one user for proper access management."
|
|
366
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-group-has-users-check
|
|
367
|
+
- name: iam-policy-no-statements-with-full-access
|
|
368
|
+
resource_types:
|
|
369
|
+
- AWS::IAM::Policy
|
|
370
|
+
parameters: {}
|
|
371
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
372
|
+
\ Config Rule: iam-policy-no-statements-with-full-access\n \n Prevents\
|
|
373
|
+
\ IAM policies with overly broad permissions to prevent privilege escalation."
|
|
374
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-policy-no-statements-with-full-access
|
|
375
|
+
- name: iam-user-no-policies-check
|
|
376
|
+
resource_types:
|
|
377
|
+
- AWS::IAM::User
|
|
378
|
+
parameters: {}
|
|
379
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
380
|
+
\ Config Rule: iam-user-no-policies-check\n \n Ensures IAM policies\
|
|
381
|
+
\ are attached to groups/roles, not users directly for proper access management."
|
|
382
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-user-no-policies-check
|
|
383
|
+
- name: ssm-document-not-public
|
|
384
|
+
resource_types:
|
|
385
|
+
- AWS::SSM::Document
|
|
386
|
+
parameters: {}
|
|
387
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
388
|
+
\ Config Rule: ssm-document-not-public\n \n Ensures SSM documents are\
|
|
389
|
+
\ not publicly accessible to prevent exposure of automation scripts."
|
|
390
|
+
remediation_guidance: Follow AWS Config rule guidance for ssm-document-not-public
|
|
391
|
+
- name: iam-policy-no-statements-with-admin-access
|
|
392
|
+
resource_types:
|
|
393
|
+
- AWS::IAM::Policy
|
|
394
|
+
parameters: {}
|
|
395
|
+
description: Assessment for iam-policy-no-statements-with-admin-access Config
|
|
396
|
+
rule.
|
|
397
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-policy-no-statements-with-admin-access
|
|
398
|
+
- name: iam-no-inline-policy-check
|
|
399
|
+
resource_types:
|
|
400
|
+
- AWS::IAM::User
|
|
401
|
+
- AWS::IAM::Role
|
|
402
|
+
- AWS::IAM::Group
|
|
403
|
+
parameters: {}
|
|
404
|
+
description: Assessment for iam-no-inline-policy-check Config rule.
|
|
405
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-no-inline-policy-check
|
|
406
|
+
- name: iam-user-group-membership-check
|
|
407
|
+
resource_types:
|
|
408
|
+
- AWS::IAM::User
|
|
409
|
+
parameters: {}
|
|
410
|
+
description: Assessment for iam-user-group-membership-check Config rule.
|
|
411
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-user-group-membership-check
|
|
412
|
+
- name: dms-replication-not-public
|
|
413
|
+
resource_types:
|
|
414
|
+
- AWS::DMS::ReplicationInstance
|
|
415
|
+
parameters: {}
|
|
416
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
417
|
+
\ Config Rule: dms-replication-not-public\n \n Ensures DMS replication\
|
|
418
|
+
\ instances are not publicly accessible to prevent data exposure."
|
|
419
|
+
remediation_guidance: Follow AWS Config rule guidance for dms-replication-not-public
|
|
420
|
+
- name: elasticsearch-in-vpc-only
|
|
421
|
+
resource_types:
|
|
422
|
+
- AWS::Elasticsearch::Domain
|
|
423
|
+
parameters: {}
|
|
424
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
425
|
+
\ Config Rule: elasticsearch-in-vpc-only\n \n Ensures Elasticsearch\
|
|
426
|
+
\ domains are deployed within VPC to prevent public access."
|
|
427
|
+
remediation_guidance: Follow AWS Config rule guidance for elasticsearch-in-vpc-only
|
|
428
|
+
- name: ec2-instances-in-vpc
|
|
429
|
+
resource_types:
|
|
430
|
+
- AWS::EC2::Instance
|
|
431
|
+
parameters: {}
|
|
432
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
433
|
+
\ Config Rule: ec2-instances-in-vpc\n \n Ensures EC2 instances are deployed\
|
|
434
|
+
\ within VPC for network security."
|
|
435
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-instances-in-vpc
|
|
436
|
+
- name: emr-master-no-public-ip
|
|
437
|
+
resource_types:
|
|
438
|
+
- AWS::EMR::Cluster
|
|
439
|
+
parameters: {}
|
|
440
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
441
|
+
\ Config Rule: emr-master-no-public-ip\n \n Ensures EMR master nodes\
|
|
442
|
+
\ do not have public IP addresses."
|
|
443
|
+
remediation_guidance: Follow AWS Config rule guidance for emr-master-no-public-ip
|
|
444
|
+
- name: lambda-function-public-access-prohibited
|
|
445
|
+
resource_types:
|
|
446
|
+
- AWS::Lambda::Function
|
|
447
|
+
parameters: {}
|
|
448
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
449
|
+
\ Config Rule: lambda-function-public-access-prohibited\n \n Ensures\
|
|
450
|
+
\ Lambda functions cannot be publicly accessed."
|
|
451
|
+
remediation_guidance: Follow AWS Config rule guidance for lambda-function-public-access-prohibited
|
|
452
|
+
- name: sagemaker-notebook-no-direct-internet-access
|
|
453
|
+
resource_types:
|
|
454
|
+
- AWS::SageMaker::NotebookInstance
|
|
455
|
+
parameters: {}
|
|
456
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
457
|
+
\ Config Rule: sagemaker-notebook-no-direct-internet-access\n \n Ensures\
|
|
458
|
+
\ SageMaker notebooks do not have direct internet access."
|
|
459
|
+
remediation_guidance: Follow AWS Config rule guidance for sagemaker-notebook-no-direct-internet-access
|
|
460
|
+
- name: subnet-auto-assign-public-ip-disabled
|
|
461
|
+
resource_types:
|
|
462
|
+
- AWS::EC2::Subnet
|
|
463
|
+
parameters: {}
|
|
464
|
+
description: "CIS Control 3.3 - Configure Data Access Control Lists\n AWS\
|
|
465
|
+
\ Config Rule: subnet-auto-assign-public-ip-disabled\n \n Ensures subnets\
|
|
466
|
+
\ do not automatically assign public IPs to prevent accidental exposure."
|
|
467
|
+
remediation_guidance: Follow AWS Config rule guidance for subnet-auto-assign-public-ip-disabled
|
|
468
|
+
- name: s3-account-level-public-access-blocks-periodic
|
|
469
|
+
resource_types:
|
|
470
|
+
- AWS::::Account
|
|
471
|
+
parameters: {}
|
|
472
|
+
description: Assessment for s3-account-level-public-access-blocks-periodic AWS
|
|
473
|
+
Config rule.
|
|
474
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-account-level-public-access-blocks-periodic
|
|
475
|
+
- name: s3-bucket-public-write-prohibited
|
|
476
|
+
resource_types:
|
|
477
|
+
- AWS::S3::Bucket
|
|
478
|
+
parameters: {}
|
|
479
|
+
description: Assessment for s3-bucket-public-write-prohibited AWS Config rule.
|
|
480
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-public-write-prohibited
|
|
481
|
+
- name: ec2-imdsv2-check
|
|
482
|
+
resource_types:
|
|
483
|
+
- AWS::EC2::Instance
|
|
484
|
+
parameters: {}
|
|
485
|
+
description: Assessment for ec2-imdsv2-check Config rule.
|
|
486
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-imdsv2-check
|
|
487
|
+
- name: ec2-instance-profile-attached
|
|
488
|
+
resource_types:
|
|
489
|
+
- AWS::EC2::Instance
|
|
490
|
+
parameters: {}
|
|
491
|
+
description: Assessment for ec2-instance-profile-attached Config rule.
|
|
492
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-instance-profile-attached
|
|
493
|
+
'3.4':
|
|
494
|
+
title: Configure Automatic Session Locking on Enterprise Assets
|
|
495
|
+
weight: 1.0
|
|
496
|
+
config_rules:
|
|
497
|
+
- name: s3-bucket-versioning-enabled
|
|
498
|
+
resource_types:
|
|
499
|
+
- AWS::S3::Bucket
|
|
500
|
+
parameters: {}
|
|
501
|
+
description: "CIS Control 3.4 - Enforce Data Retention\n AWS Config Rule:\
|
|
502
|
+
\ s3-bucket-versioning-enabled\n \n Ensures S3 buckets have versioning\
|
|
503
|
+
\ enabled for data protection and recovery."
|
|
504
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-versioning-enabled
|
|
505
|
+
- name: s3-version-lifecycle-policy-check
|
|
506
|
+
resource_types:
|
|
507
|
+
- AWS::S3::Bucket
|
|
508
|
+
parameters: {}
|
|
509
|
+
description: Assessment for s3-version-lifecycle-policy-check Config rule.
|
|
510
|
+
remediation_guidance: Follow AWS Config rule guidance for s3-version-lifecycle-policy-check
|
|
511
|
+
- name: cw-loggroup-retention-period-check
|
|
512
|
+
resource_types:
|
|
513
|
+
- AWS::Logs::LogGroup
|
|
514
|
+
parameters: {}
|
|
515
|
+
description: Assessment for cw-loggroup-retention-period-check Config rule.
|
|
516
|
+
remediation_guidance: Follow AWS Config rule guidance for cw-loggroup-retention-period-check
|
|
517
|
+
'4.1':
|
|
518
|
+
title: Establish and Maintain a Secure Configuration Process
|
|
519
|
+
weight: 1.0
|
|
520
|
+
config_rules:
|
|
521
|
+
- name: account-part-of-organizations
|
|
522
|
+
resource_types:
|
|
523
|
+
- AWS::::Account
|
|
524
|
+
parameters: {}
|
|
525
|
+
description: Assessment for account-part-of-organizations Config rule.
|
|
526
|
+
remediation_guidance: Follow AWS Config rule guidance for account-part-of-organizations
|
|
527
|
+
- name: ec2-volume-inuse-check
|
|
528
|
+
resource_types:
|
|
529
|
+
- AWS::EC2::Volume
|
|
530
|
+
parameters: {}
|
|
531
|
+
description: Assessment for ec2-volume-inuse-check Config rule.
|
|
532
|
+
remediation_guidance: Follow AWS Config rule guidance for ec2-volume-inuse-check
|
|
533
|
+
- name: redshift-cluster-maintenancesettings-check
|
|
534
|
+
resource_types:
|
|
535
|
+
- AWS::Redshift::Cluster
|
|
536
|
+
parameters: {}
|
|
537
|
+
description: Assessment for redshift-cluster-maintenancesettings-check Config
|
|
538
|
+
rule.
|
|
539
|
+
remediation_guidance: Follow AWS Config rule guidance for redshift-cluster-maintenancesettings-check
|
|
540
|
+
- name: secretsmanager-rotation-enabled-check
|
|
541
|
+
resource_types:
|
|
542
|
+
- AWS::SecretsManager::Secret
|
|
543
|
+
parameters: {}
|
|
544
|
+
description: Assessment for secretsmanager-rotation-enabled-check Config rule.
|
|
545
|
+
remediation_guidance: Follow AWS Config rule guidance for secretsmanager-rotation-enabled-check
|
|
546
|
+
- name: ecs-task-definition-nonroot-user
|
|
547
|
+
resource_types:
|
|
548
|
+
- AWS::ECS::TaskDefinition
|
|
549
|
+
parameters: {}
|
|
550
|
+
description: Assessment for ecs-task-definition-nonroot-user AWS Config rule.
|
|
551
|
+
remediation_guidance: Follow AWS Config rule guidance for ecs-task-definition-nonroot-user
|
|
552
|
+
- name: access-keys-rotated
|
|
553
|
+
resource_types:
|
|
554
|
+
- AWS::IAM::User
|
|
555
|
+
parameters: {}
|
|
556
|
+
description: Assessment for access-keys-rotated Config rule.
|
|
557
|
+
remediation_guidance: Follow AWS Config rule guidance for access-keys-rotated
|
|
558
|
+
'5.2':
|
|
559
|
+
title: Use Unique Passwords
|
|
560
|
+
weight: 1.0
|
|
561
|
+
config_rules:
|
|
562
|
+
- name: iam-password-policy
|
|
563
|
+
resource_types:
|
|
564
|
+
- AWS::::Account
|
|
565
|
+
parameters: {}
|
|
566
|
+
description: Assessment for iam-password-policy Config rule - ensures strong
|
|
567
|
+
password policy.
|
|
568
|
+
remediation_guidance: Follow AWS Config rule guidance for iam-password-policy
|
|
569
|
+
'8.2':
|
|
570
|
+
title: Control 8.2
|
|
571
|
+
weight: 1.0
|
|
572
|
+
config_rules:
|
|
573
|
+
- name: cloudtrail-enabled
|
|
574
|
+
resource_types:
|
|
575
|
+
- AWS::::Account
|
|
576
|
+
parameters: {}
|
|
577
|
+
description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: cloudtrail-enabled\n\
|
|
578
|
+
\ \n Ensures CloudTrail is enabled to record AWS Management Console\
|
|
579
|
+
\ actions and API calls."
|
|
580
|
+
remediation_guidance: Follow AWS Config rule guidance for cloudtrail-enabled
|
|
581
|
+
'8.8':
|
|
582
|
+
title: Control 8.8
|
|
583
|
+
weight: 1.0
|
|
584
|
+
config_rules:
|
|
585
|
+
- name: securityhub-enabled
|
|
586
|
+
resource_types:
|
|
587
|
+
- AWS::SecurityHub::Hub
|
|
588
|
+
parameters: {}
|
|
589
|
+
description: Assessment for securityhub-enabled AWS Config rule.
|
|
590
|
+
remediation_guidance: Follow AWS Config rule guidance for securityhub-enabled
|