################################################################################## # # Conformance Pack: # Operational Best Practices for CIS AWS Foundations Benchmark Level 1 # # This conformance pack helps verify compliance with CIS AWS Foundations Benchmark Level 1 requirements. # # See Parameters section for names and descriptions of required parameters. # ################################################################################## Parameters: AccessKeysRotatedParamMaxAccessKeyAge: Default: '90' Type: String IamPasswordPolicyParamMaxPasswordAge: Default: '90' Type: String IamPasswordPolicyParamMinimumPasswordLength: Default: '14' Type: String IamPasswordPolicyParamPasswordReusePrevention: Default: '24' Type: String IamPasswordPolicyParamRequireLowercaseCharacters: Default: 'true' Type: String IamPasswordPolicyParamRequireNumbers: Default: 'true' Type: String IamPasswordPolicyParamRequireSymbols: Default: 'true' Type: String IamPasswordPolicyParamRequireUppercaseCharacters: Default: 'true' Type: String IamPolicyInUseParamPolicyARN: Default: arn:aws:iam::aws:policy/AWSSupportAccess Type: String IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: Default: '45' Type: String RestrictedIncomingTrafficParamBlockedPort3: Default: '3389' Type: String S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets: Default: 'True' Type: String S3BucketVersioningEnabledParamIsMfaDeleteEnabled: Default: 'TRUE' Type: String Resources: AccessKeysRotated: Properties: ConfigRuleName: access-keys-rotated InputParameters: maxAccessKeyAge: Fn::If: - accessKeysRotatedParamMaxAccessKeyAge - Ref: AccessKeysRotatedParamMaxAccessKeyAge - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED Type: AWS::Config::ConfigRule CloudTrailCloudWatchLogsEnabled: Properties: ConfigRuleName: cloud-trail-cloud-watch-logs-enabled Source: Owner: AWS SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Type: AWS::Config::ConfigRule Ec2EbsEncryptionByDefault: Properties: ConfigRuleName: ec2-ebs-encryption-by-default Source: Owner: AWS SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT Type: AWS::Config::ConfigRule EncryptedVolumes: Properties: ConfigRuleName: encrypted-volumes Scope: ComplianceResourceTypes: - AWS::EC2::Volume Source: Owner: AWS SourceIdentifier: ENCRYPTED_VOLUMES Type: AWS::Config::ConfigRule IamNoInlinePolicyCheck: Properties: ConfigRuleName: iam-no-inline-policy-check Scope: ComplianceResourceTypes: - AWS::IAM::User - AWS::IAM::Role - AWS::IAM::Group Source: Owner: AWS SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK Type: AWS::Config::ConfigRule IamPasswordPolicy: Properties: ConfigRuleName: iam-password-policy InputParameters: MaxPasswordAge: Fn::If: - iamPasswordPolicyParamMaxPasswordAge - Ref: IamPasswordPolicyParamMaxPasswordAge - Ref: AWS::NoValue MinimumPasswordLength: Fn::If: - iamPasswordPolicyParamMinimumPasswordLength - Ref: IamPasswordPolicyParamMinimumPasswordLength - Ref: AWS::NoValue PasswordReusePrevention: Fn::If: - iamPasswordPolicyParamPasswordReusePrevention - Ref: IamPasswordPolicyParamPasswordReusePrevention - Ref: AWS::NoValue RequireLowercaseCharacters: Fn::If: - iamPasswordPolicyParamRequireLowercaseCharacters - Ref: IamPasswordPolicyParamRequireLowercaseCharacters - Ref: AWS::NoValue RequireNumbers: Fn::If: - iamPasswordPolicyParamRequireNumbers - Ref: IamPasswordPolicyParamRequireNumbers - Ref: AWS::NoValue RequireSymbols: Fn::If: - iamPasswordPolicyParamRequireSymbols - Ref: IamPasswordPolicyParamRequireSymbols - Ref: AWS::NoValue RequireUppercaseCharacters: Fn::If: - iamPasswordPolicyParamRequireUppercaseCharacters - Ref: IamPasswordPolicyParamRequireUppercaseCharacters - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: IAM_PASSWORD_POLICY Type: AWS::Config::ConfigRule IamPolicyInUse: Properties: ConfigRuleName: iam-policy-in-use InputParameters: policyARN: Fn::If: - iamPolicyInUseParamPolicyARN - Ref: IamPolicyInUseParamPolicyARN - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: IAM_POLICY_IN_USE Type: AWS::Config::ConfigRule IamPolicyNoStatementsWithAdminAccess: Properties: ConfigRuleName: iam-policy-no-statements-with-admin-access Scope: ComplianceResourceTypes: - AWS::IAM::Policy Source: Owner: AWS SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Type: AWS::Config::ConfigRule IamRootAccessKeyCheck: Properties: ConfigRuleName: iam-root-access-key-check Source: Owner: AWS SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK Type: AWS::Config::ConfigRule IamUserGroupMembershipCheck: Properties: ConfigRuleName: iam-user-group-membership-check Scope: ComplianceResourceTypes: - AWS::IAM::User Source: Owner: AWS SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK Type: AWS::Config::ConfigRule IamUserNoPoliciesCheck: Properties: ConfigRuleName: iam-user-no-policies-check Scope: ComplianceResourceTypes: - AWS::IAM::User Source: Owner: AWS SourceIdentifier: IAM_USER_NO_POLICIES_CHECK Type: AWS::Config::ConfigRule IamUserUnusedCredentialsCheck: Properties: ConfigRuleName: iam-user-unused-credentials-check InputParameters: maxCredentialUsageAge: Fn::If: - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK Type: AWS::Config::ConfigRule IncomingSshDisabled: Properties: ConfigRuleName: restricted-ssh Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: INCOMING_SSH_DISABLED Type: AWS::Config::ConfigRule MfaEnabledForIamConsoleAccess: Properties: ConfigRuleName: mfa-enabled-for-iam-console-access Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Type: AWS::Config::ConfigRule MultiRegionCloudTrailEnabled: Properties: ConfigRuleName: multi-region-cloudtrail-enabled Source: Owner: AWS SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED Type: AWS::Config::ConfigRule RdsSnapshotEncrypted: Properties: ConfigRuleName: rds-snapshot-encrypted Scope: ComplianceResourceTypes: - AWS::RDS::DBSnapshot - AWS::RDS::DBClusterSnapshot Source: Owner: AWS SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED Type: AWS::Config::ConfigRule RdsStorageEncrypted: Properties: ConfigRuleName: rds-storage-encrypted Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Type: AWS::Config::ConfigRule RestrictedIncomingTraffic: Properties: ConfigRuleName: restricted-common-ports InputParameters: blockedPort3: Fn::If: - restrictedIncomingTrafficParamBlockedPort3 - Ref: RestrictedIncomingTrafficParamBlockedPort3 - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC Type: AWS::Config::ConfigRule RootAccountMfaEnabled: Properties: ConfigRuleName: root-account-mfa-enabled Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED Type: AWS::Config::ConfigRule S3AccountLevelPublicAccessBlocksPeriodic: Properties: ConfigRuleName: s3-account-level-public-access-blocks-periodic InputParameters: BlockPublicAcls: Fn::If: - s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls - Ref: AWS::NoValue BlockPublicPolicy: Fn::If: - s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy - Ref: AWS::NoValue IgnorePublicAcls: Fn::If: - s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls - Ref: AWS::NoValue RestrictPublicBuckets: Fn::If: - s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC Type: AWS::Config::ConfigRule S3BucketLevelPublicAccessProhibited: Properties: ConfigRuleName: s3-bucket-level-public-access-prohibited Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED Type: AWS::Config::ConfigRule S3BucketLoggingEnabled: Properties: ConfigRuleName: s3-bucket-logging-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_LOGGING_ENABLED Type: AWS::Config::ConfigRule S3BucketPublicReadProhibited: Properties: ConfigRuleName: s3-bucket-public-read-prohibited Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED Type: AWS::Config::ConfigRule S3BucketPublicWriteProhibited: Properties: ConfigRuleName: s3-bucket-public-write-prohibited Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED Type: AWS::Config::ConfigRule S3BucketVersioningEnabled: Properties: ConfigRuleName: s3-bucket-versioning-enabled InputParameters: isMfaDeleteEnabled: Fn::If: - s3BucketVersioningEnabledParamIsMfaDeleteEnabled - Ref: S3BucketVersioningEnabledParamIsMfaDeleteEnabled - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED Type: AWS::Config::ConfigRule AccountContactDetailsConfigured: Properties: ConfigRuleName: account-contact-details-configured Description: Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console ensure correct information is specified in the Contact Information section. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AccountSecurityContactConfigured: Properties: ConfigRuleName: account-security-contact-configured Description: Ensure the contact email and telephone number for the your organizations security team are current. Within the My Account section of the AWS Management Console ensure the correct information is specified in the Security section. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AccountSecurityQuestionsConfigured: Properties: ConfigRuleName: account-security-questions-configured Description: Ensure the security questions that can be used to authenticate individuals calling AWS customer service for support are configured. Within the My Account section of the AWS Management Console ensure three security challenge questions are configured. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule RootAccountRegularUse: Properties: ConfigRuleName: root-account-regular-use Description: Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule IAMUserConsoleAndAPIAccessAtCreation: Properties: ConfigRuleName: iam-user-console-and-api-access-at-creation Description: Ensure access keys are not setup during the initial user setup for all IAM users that have a console password. For all IAM users with console access, compare the user 'Creation time` to the Access Key `Created` date. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule IAMUserSingleAccessKey: Properties: ConfigRuleName: iam-user-single-access-key Description: Ensure there is only one active access key available for any single IAM user. For all IAM users check that there is only one active key used within the Security Credentials tab for each user within IAM. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule IAMExpiredCertificates: Properties: ConfigRuleName: iam-expired-certificates Description: Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI run the 'aws iam list-server-certificates' command and determine if there are any expired server certificates. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule IAMAccessAnalyzerEnabled: Properties: ConfigRuleName: iam-access-analyzer-enabled Description: Ensure that IAM Access analyzer is enabled. Within the IAM section of the console, select Access analyzer and ensure that the STATUS is set to Active. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmUnauthorizedAPIcalls: Properties: ConfigRuleName: alarm-unauthorized-api-calls Description: Ensure a log metric filter and an alarm exists for unauthorized API calls. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmSignInWithoutMFA: Properties: ConfigRuleName: alarm-sign-in-without-mfa Description: Ensure a log metric filter and an alarm exists for AWS Management Console sign-in without Multi-Factor Authentication (MFA). Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmRootAccountUse: Properties: ConfigRuleName: alarm-root-account-use Description: Ensure a log metric filter and an alarm exists for usage of the root account. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmIAMpolicyChange: Properties: ConfigRuleName: alarm-iam-policy-change Description: Ensure a log metric filter and an alarm exists for IAM policy changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmCloudtrailConfigChange: Properties: ConfigRuleName: alarm-cloudtrail-config-change Description: Ensure a log metric filter and an alarm exists for AWS CloudTrail configuration changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmS3BucketPolicyChange: Properties: ConfigRuleName: alarm-s3-bucket-policy-change Description: Ensure a log metric filter and an alarm exists for Amazon S3 bucket policy changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmVPCNetworkGatewayChange: Properties: ConfigRuleName: alarm-vpc-network-gateway-change Description: Ensure a log metric filter and an alarm exists for changes to network gateways. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmVPCroutetableChange: Properties: ConfigRuleName: alarm-vpc-route-table-change Description: Ensure a log metric filter and an alarm exists for route table changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmVPCChange: Properties: ConfigRuleName: alarm-vpc-change Description: Ensure a log metric filter and an alarm exists for Amazon Virtual Private Cloud (VPC) changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule AlarmOrganizationsChange: Properties: ConfigRuleName: alarm-organizations-change Description: Ensure a log metric filter and an alarm exists for AWS Organizations changes. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule VPCNetworkACLOpenAdminPorts: Properties: ConfigRuleName: vpc-networkacl-open-admin-ports Description: Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are network ACLs with a source of '0.0.0.0/0' with allowing ports or port ranges including remote server admin ports. Source: Owner: AWS SourceIdentifier: AWS_CONFIG_PROCESS_CHECK Type: AWS::Config::ConfigRule Conditions: accessKeysRotatedParamMaxAccessKeyAge: Fn::Not: - Fn::Equals: - '' - Ref: AccessKeysRotatedParamMaxAccessKeyAge iamPasswordPolicyParamMaxPasswordAge: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamMaxPasswordAge iamPasswordPolicyParamMinimumPasswordLength: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamMinimumPasswordLength iamPasswordPolicyParamPasswordReusePrevention: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamPasswordReusePrevention iamPasswordPolicyParamRequireLowercaseCharacters: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireLowercaseCharacters iamPasswordPolicyParamRequireNumbers: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireNumbers iamPasswordPolicyParamRequireSymbols: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireSymbols iamPasswordPolicyParamRequireUppercaseCharacters: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireUppercaseCharacters iamPolicyInUseParamPolicyARN: Fn::Not: - Fn::Equals: - '' - Ref: IamPolicyInUseParamPolicyARN iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: Fn::Not: - Fn::Equals: - '' - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge restrictedIncomingTrafficParamBlockedPort3: Fn::Not: - Fn::Equals: - '' - Ref: RestrictedIncomingTrafficParamBlockedPort3 s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets s3BucketVersioningEnabledParamIsMfaDeleteEnabled: Fn::Not: - Fn::Equals: - '' - Ref: S3BucketVersioningEnabledParamIsMfaDeleteEnabled