CIS AWS Benchmark Checks in tfsec - crederauk/tfsec-custom-action GitHub Wiki
Looking at the issues list of the aws-landing-zone repo, it seems like there's an interest to adopt the CIS Amazon Web Services Foundations Benchmark (v1.4.0 - 05-28-2021) best practices. Following is a list of the practices listed in the benchmark, and their status in tfsec core checks and custom checks implemented by us.
Summary
🛑 Not terraform-related (rules cannot be checked by looking at Terraform code): 23
🛑 Not doable with tfsec custom checks (details): 17
☑️ Done by tfsec (already checked in the list of checks tfsec has): 15
✅ Done: 3
Just to visualize the above ratio:
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑☑️☑️☑️☑️☑️✅
1 Identity and Access Management
| CIS # | Policy | Status |
|---|---|---|
| 1.1 | Maintain current contact details | 🛑 Not terraform-related |
| 1.2 | Ensure security contact information is registered | 🛑 Not terraform-related |
| 1.3 | Ensure security questions are registered in the AWS account | 🛑 Not terraform-related |
| 1.4 | Ensure no 'root' user account access key exists | 🛑 Not terraform-related |
| 1.5 | Ensure MFA is enabled for the 'root' user account | 🛑 Not terraform-related |
| 1.6 | Ensure hardware MFA is enabled for the 'root' user account | 🛑 Not terraform-related |
| 1.7 | Eliminate use of the 'root' user for administrative and daily tasks | 🛑 Not terraform-related |
| 1.8 | Ensure IAM password policy requires minimum length of 14 or greater | ☑️ Done by tfsec |
| 1.9 | Ensure IAM password policy prevents password reuse | ☑️ Done by tfsec |
| 1.10 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | 🛑 Not terraform-related |
| 1.11 | Do not setup access keys during initial user setup for all IAM users that have a console password | 🛑 Not terraform-related |
| 1.12 | Ensure credentials unused for 45 days or greater are disabled | 🛑 Not terraform-related |
| 1.13 | Ensure there is only one active access key available for any single IAM user | 🛑 Not terraform-related |
| 1.14 | Ensure access keys are rotated every 90 days or less | 🛑 Not terraform-related |
| 1.15 | Ensure IAM Users Receive Permissions Only Through Groups | 🛑 Not terraform-related |
| 1.16 | Ensure IAM policies that allow full ":" administrative privileges are not attached | ☑️ Done by tfsec |
| 1.17 | Ensure a support role has been created to manage incidents with AWS Support | 🛑 Not terraform-related |
| 1.18 | Ensure IAM instance roles are used for AWS resource access from instances | 🛑 Not terraform-related |
| 1.19 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | 🛑 Not terraform-related |
| 1.20 | Ensure that IAM Access analyzer is enabled for all regions | 🛑 Not terraform-related |
| 1.21 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | 🛑 Not terraform-related |
2 Storage
2.1 Simple Storage Service (S3)
| CIS # | Policy | Status |
|---|---|---|
| 2.1.1 | Ensure all S3 buckets employ encryption-at-rest | ☑️ Done by tfsec |
| 2.1.2 | Ensure S3 Bucket Policy is set to deny HTTP requests | 🛑 Not doable with tfsec custom checks |
| 2.1.3 | Ensure MFA Delete is enable on S3 buckets | ✅ Done |
| 2.1.4 | Ensure all data in Amazon S3 has been discovered, classified and secured when required | 🛑 Not terraform-related |
| 2.1.5 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | ☑️ Done by tfsec |
2.2 Elastic Compute Cloud (EC2)
| CIS # | Policy | Status |
|---|---|---|
| 2.2.1 | Ensure EBS volume encryption is enabled | ✅ Done |
2.3 Relational Database Service (RDS)
| CIS # | Policy | Status |
|---|---|---|
| 2.3.1 | Ensure that encryption is enabled for RDS Instances | ☑️ Done by tfsec |
3 Logging
| CIS # | Policy | Status |
|---|---|---|
| 3.1 | Ensure CloudTrail is enabled in all regions | ☑️ Done by tfsec |
| 3.2 | Ensure CloudTrail log file validation is enabled | ☑️ Done by tfsec |
| 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | ☑️ Done by tfsec |
| 3.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs | ✅ Done |
| 3.5 | Ensure AWS Config is enabled in all regions | ☑️ Done by tfsec |
| 3.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | ☑️ Done by tfsec |
| 3.7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | ☑️ Done by tfsec |
| 3.8 | Ensure rotation for customer created CMKs is enabled | ☑️ Done by tfsec |
| 3.9 | Ensure VPC flow logging is enabled in all VPCs | 🛑 Not terraform-related |
| 3.10 | Ensure that Object level logging for write events is enabled for S3 bucket | 🛑 Not terraform-related |
| 3.11 | Ensure that Object level logging for read events is enabled for S3 bucket | 🛑 Not terraform-related |
4 Monitoring
| CIS # | Policy | Status |
|---|---|---|
| 4.1 | Ensure a log metric filter and alarm exist for unauthorized API calls | 🛑 Not doable with tfsec custom checks |
| 4.2 | Ensure a log metric filter and alarm exist for Management Console sign-in | 🛑 Not doable with tfsec custom checks |
| 4.3 | Ensure a log metric filter and alarm exist for usage of 'root' account | 🛑 Not doable with tfsec custom checks |
| 4.4 | Ensure a log metric filter and alarm exist for IAM policy changes | 🛑 Not doable with tfsec custom checks |
| 4.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | 🛑 Not doable with tfsec custom checks |
| 4.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 🛑 Not doable with tfsec custom checks |
| 4.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 🛑 Not doable with tfsec custom checks |
| 4.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | 🛑 Not doable with tfsec custom checks |
| 4.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | 🛑 Not doable with tfsec custom checks |
| 4.10 | Ensure a log metric filter and alarm exist for security group changes | 🛑 Not doable with tfsec custom checks |
| 4.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 🛑 Not doable with tfsec custom checks |
| 4.12 | Ensure a log metric filter and alarm exist for changes to network gateways | 🛑 Not doable with tfsec custom checks |
| 4.13 | Ensure a log metric filter and alarm exist for route table changes | 🛑 Not doable with tfsec custom checks |
| 4.14 | Ensure a log metric filter and alarm exist for VPC changes | 🛑 Not doable with tfsec custom checks |
| 4.15 | Ensure a log metric filter and alarm exist for AWS Organizations changes | 🛑 Not doable with tfsec custom checks |
5 Networking
| CIS # | Policy | Status |
|---|---|---|
| 5.1 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | ☑️ Done by tfsec |
| 5.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | ☑️ Done by tfsec |
| 5.3 | Ensure the default security group of every VPC restricts all traffic | 🛑 Not terraform-related |
| 5.4 | Ensure routing tables for VPC peering are "least access" | 🛑 Not terraform-related |