CIS AWS Benchmark Checks in tfsec - crederauk/tfsec-custom-action Wiki

Looking at the issues list of the aws-landing-zone repo, it seems like there's an interest to adopt the CIS Amazon Web Services Foundations Benchmark (v1.4.0 - 05-28-2021) best practices. Following is a list of the practices listed in the benchmark, and their status in tfsec core checks and custom checks implemented by us.

Summary

🛑 Not terraform-related (rules cannot be checked by looking at Terraform code): 23
🛑 Not doable with tfsec custom checks (details): 17
☑️ Done by tfsec (already checked in the list of checks tfsec has): 15
✅ Done: 3

Just to visualize the above ratio:
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑☑️☑️☑️☑️☑️✅

1 Identity and Access Management

CIS # Policy Status
1.1 Maintain current contact details 🛑 Not terraform-related
1.2 Ensure security contact information is registered 🛑 Not terraform-related
1.3 Ensure security questions are registered in the AWS account 🛑 Not terraform-related
1.4 Ensure no 'root' user account access key exists 🛑 Not terraform-related
1.5 Ensure MFA is enabled for the 'root' user account 🛑 Not terraform-related
1.6 Ensure hardware MFA is enabled for the 'root' user account 🛑 Not terraform-related
1.7 Eliminate use of the 'root' user for administrative and daily tasks 🛑 Not terraform-related
1.8 Ensure IAM password policy requires minimum length of 14 or greater ☑️ Done by tfsec
1.9 Ensure IAM password policy prevents password reuse ☑️ Done by tfsec
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password 🛑 Not terraform-related
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password 🛑 Not terraform-related
1.12 Ensure credentials unused for 45 days or greater are disabled 🛑 Not terraform-related
1.13 Ensure there is only one active access key available for any single IAM user 🛑 Not terraform-related
1.14 Ensure access keys are rotated every 90 days or less 🛑 Not terraform-related
1.15 Ensure IAM Users Receive Permissions Only Through Groups 🛑 Not terraform-related
1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached ☑️ Done by tfsec
1.17 Ensure a support role has been created to manage incidents with AWS Support 🛑 Not terraform-related
1.18 Ensure IAM instance roles are used for AWS resource access from instances 🛑 Not terraform-related
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed 🛑 Not terraform-related
1.20 Ensure that IAM Access analyzer is enabled for all regions 🛑 Not terraform-related
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments 🛑 Not terraform-related

2 Storage

2.1 Simple Storage Service (S3)

CIS # Policy Status
2.1.1 Ensure all S3 buckets employ encryption-at-rest ☑️ Done by tfsec
2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests 🛑 Not doable with tfsec custom checks
2.1.3 Ensure MFA Delete is enable on S3 buckets ✅ Done
2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required 🛑 Not terraform-related
2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' ☑️ Done by tfsec

2.2 Elastic Compute Cloud (EC2)

CIS # Policy Status
2.2.1 Ensure EBS volume encryption is enabled ✅ Done

2.3 Relational Database Service (RDS)

CIS # Policy Status
2.3.1 Ensure that encryption is enabled for RDS Instances ☑️ Done by tfsec

3 Logging

CIS # Policy Status
3.1 Ensure CloudTrail is enabled in all regions ☑️ Done by tfsec
3.2 Ensure CloudTrail log file validation is enabled ☑️ Done by tfsec
3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible ☑️ Done by tfsec
3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs ✅ Done
3.5 Ensure AWS Config is enabled in all regions ☑️ Done by tfsec
3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket ☑️ Done by tfsec
3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs ☑️ Done by tfsec
3.8 Ensure rotation for customer created CMKs is enabled ☑️ Done by tfsec
3.9 Ensure VPC flow logging is enabled in all VPCs 🛑 Not terraform-related
3.10 Ensure that Object level logging for write events is enabled for S3 bucket 🛑 Not terraform-related
3.11 Ensure that Object level logging for read events is enabled for S3 bucket 🛑 Not terraform-related

4 Monitoring

CIS # Policy Status
4.1 Ensure a log metric filter and alarm exist for unauthorized API calls 🛑 Not doable with tfsec custom checks
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in 🛑 Not doable with tfsec custom checks
4.3 Ensure a log metric filter and alarm exist for usage of 'root' account 🛑 Not doable with tfsec custom checks
4.4 Ensure a log metric filter and alarm exist for IAM policy changes 🛑 Not doable with tfsec custom checks
4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 🛑 Not doable with tfsec custom checks
4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures 🛑 Not doable with tfsec custom checks
4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs 🛑 Not doable with tfsec custom checks
4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes 🛑 Not doable with tfsec custom checks
4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 🛑 Not doable with tfsec custom checks
4.10 Ensure a log metric filter and alarm exist for security group changes 🛑 Not doable with tfsec custom checks
4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 🛑 Not doable with tfsec custom checks
4.12 Ensure a log metric filter and alarm exist for changes to network gateways 🛑 Not doable with tfsec custom checks
4.13 Ensure a log metric filter and alarm exist for route table changes 🛑 Not doable with tfsec custom checks
4.14 Ensure a log metric filter and alarm exist for VPC changes 🛑 Not doable with tfsec custom checks
4.15 Ensure a log metric filter and alarm exist for AWS Organizations changes 🛑 Not doable with tfsec custom checks

5 Networking

CIS # Policy Status
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports ☑️ Done by tfsec
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports ☑️ Done by tfsec
5.3 Ensure the default security group of every VPC restricts all traffic 🛑 Not terraform-related
5.4 Ensure routing tables for VPC peering are "least access" 🛑 Not terraform-related