| Recommendation | Control family |
|---|---|
| 1.1 Maintain current contact details | INCIDENT RESPONSE |
| 1.2 Ensure security contact information is registered | CONTINGENCY PLANNING, INCIDENT RESPONSE |
| 1.3 Ensure security questions are registered in the AWS account | INCIDENT RESPONSE |
| 1.4 Ensure no 'root' user account access key exists | ACCESS CONTROL, MEDIA PROTECTION |
| 1.5 Ensure MFA is enabled for the 'root' user account | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Eliminate use of the 'root' user for administrative and daily tasks | ACCESS CONTROL |
| 1.8 Ensure IAM password policy requires minimum length of 14 or greater | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure IAM password policy prevents password reuse | IDENTIFICATION AND AUTHENTICATION |
| 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IDENTIFICATION AND AUTHENTICATION |
| 1.11 Do not set up access keys during initial user setup for all IAM users that have a console password | ACCESS CONTROL, MEDIA PROTECTION |
| 1.12 Ensure credentials unused for 45 days or greater are disabled | ACCESS CONTROL |
| 1.13 Ensure there is only one active access key available for any single IAM user | ACCESS CONTROL |
| 1.14 Ensure access keys are rotated every 90 days or less | ACCESS CONTROL |
| 1.15 Ensure IAM users receive permissions only through groups | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.16 Ensure IAM policies that allow full '*:*' administrative privileges are not attached | ACCESS CONTROL, MEDIA PROTECTION |
| 1.17 Ensure a support role has been created to manage incidents with AWS Support | INCIDENT RESPONSE |
| 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 1.20 Ensure that IAM Access Analyzer is enabled for all regions | ACCESS CONTROL, MEDIA PROTECTION |
| 1.22 Ensure access to AWSCloudShellFullAccess is restricted | ACCESS CONTROL |
| 2.1.4 Ensure that S3 buckets are configured with 'Block public access (bucket settings)' | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1 Ensure EBS volume encryption is enabled in all regions | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.1 Ensure that encryption-at-rest is enabled for RDS instances | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.3.3 Ensure that public access is not given to RDS instances | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4.1 Ensure that encryption is enabled for EFS file systems | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure CloudTrail is enabled in all regions | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure management console sign-in without MFA is monitored | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure usage of the 'root' account is monitored | AUDIT AND ACCOUNTABILITY |
| 4.4 Ensure IAM policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.5 Ensure CloudTrail configuration changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure S3 bucket policy changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.12 Ensure changes to network gateways are monitored | AUDIT AND ACCOUNTABILITY |
| 4.13 Ensure route table changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.14 Ensure VPC changes are monitored | AUDIT AND ACCOUNTABILITY |
| 4.15 Ensure AWS Organizations changes are monitored | AUDIT AND ACCOUNTABILITY |
| 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.6 Ensure that the EC2 Instance Metadata Service only allows IMDSv2 | CONFIGURATION MANAGEMENT |