CIS AWS Benchmark v1.2.0 - AWS Audit Manager

CIS AWS Benchmark v1.2.0

AWS Audit Manager provides two prebuilt frameworks that support the Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0.

Note

What is CIS?

The CIS is a nonprofit that developed the CIS AWS Foundations Benchmark. This benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available in that they provide you with clear, step-by-step implementation and assessment procedures.

For more information, see the CIS AWS Foundations Benchmark blog posts on the AWS Security Blog.

Difference between CIS Benchmarks and CIS Controls

CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a benchmark protect the specific systems that your organization uses. CIS Controls are foundational best practice guidelines for organization-level systems to follow to help protect against known cyberattack vectors.

Examples
  • CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS AWS Benchmark v1.2.0 - Ensure MFA is enabled for the "root user" account.

    This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole. They aren't specific to only one vendor product.

    Example: CIS v7.1 - Use Multi-Factor Authentication for All Administrative Access

    This control describes what's expected to be applied within your organization. It doesn't describe how you should apply it for the systems and workloads that you're running (regardless of where they are).

Using this framework

You can use the CIS AWS Benchmark v1.2 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.

Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that's relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources based on the controls that are defined in the CIS framework. When it's time for an audit, you (or a delegate of your choice) can review the evidence that Audit Manager collected. You can browse the evidence folders in your assessment and choose which evidence to include in your assessment report, or, if you enabled evidence finder, search for specific evidence and either export it in CSV format or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager | Automated controls | Manual controls | Control sets
Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0, Level 1 | 33 | 3 | 4
Center for Internet Security (CIS) Amazon Web Services (AWS) Benchmark v1.2.0, Level 1 and 2 | 45 | 4 | 4

Important

To ensure that these frameworks collect the intended evidence from AWS Security Hub, make sure that you enabled all standards in Security Hub.

To ensure that these frameworks collect the intended evidence from AWS Config, make sure that you enable the necessary AWS Config rules. To review a list of the AWS Config rules that are used as data source mappings for these standard frameworks, download the following files:

The controls in these frameworks aren't intended to verify whether your systems comply with CIS AWS Benchmark best practices, and they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

Prerequisites for using these frameworks

Many controls in the CIS AWS Benchmark v1.2 frameworks use AWS Config as a data source type. To support these controls, you must enable AWS Config on all accounts in each AWS Region where you enabled Audit Manager. You must also make sure that specific AWS Config rules are enabled, and that these rules are configured correctly.

The following AWS Config rules and parameters are required to collect the correct evidence and capture an accurate compliance status for the CIS AWS Foundations Benchmark v1.2. For instructions on how to enable or configure a rule, see Working with AWS Config Managed Rules.

Required AWS Config rule Required parameters
ACCESS_KEYS_ROTATED
maxAccessKeyAge
  • The maximum number of days without rotation.

  • Type: Int

  • Default: 90 days

  • Compliance requirement: A maximum of 90 days

CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Not applicable
CLOUD_TRAIL_ENCRYPTION_ENABLED Not applicable
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED Not applicable
CMK_BACKING_KEY_ROTATION_ENABLED Not applicable
IAM_PASSWORD_POLICY
MaxPasswordAge (Optional)
  • The number of days before password expiration.

  • Type: int

  • Default: 90

  • Compliance requirement: A maximum of 90 days

MinimumPasswordLength (Optional)
  • The minimum length of the password.

  • Type: int

  • Default: 14

  • Compliance requirement: A minimum of 14 characters

PasswordReusePrevention (Optional)
  • The number of passwords before allowing reuse.

  • Type: int

  • Default: 24

  • Compliance requirement: A minimum of 24 passwords before reuse

RequireLowercaseCharacters (Optional)
  • Require at least one lowercase character in the password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one lowercase character

RequireNumbers (Optional)
  • Require at least one number in the password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one number character

RequireSymbols (Optional)
  • Require at least one symbol in the password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one symbol character

RequireUppercaseCharacters (Optional)
  • Require at least one uppercase character in the password.

  • Type: Boolean

  • Default: True

  • Compliance requirement: At least one uppercase character

IAM_POLICY_IN_USE

policyARN
  • The ARN of the IAM policy to check for.

  • Type: String

  • Compliance requirement: An IAM role exists for managing incidents with AWS, and this policy is attached to it.

policyUsageType (Optional)
  • Specifies whether you expect the policy to be attached to a user, group, or role.

  • Type: String

  • Valid values: IAM_USER | IAM_GROUP | IAM_ROLE | ANY

  • Default value: ANY

  • Compliance requirement: The policy is attached to the IAM role that was created for managing incidents (a permissions policy attachment, not the role's trust policy).

IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Not applicable
IAM_ROOT_ACCESS_KEY_CHECK Not applicable
IAM_USER_NO_POLICIES_CHECK Not applicable
IAM_USER_UNUSED_CREDENTIALS_CHECK
maxCredentialUsageAge
  • The maximum number of days that a credential can go unused before the rule reports it as noncompliant.

  • Type: Int

  • Default: 90 days

  • Compliance requirement: Credentials unused for 90 days or more are disabled. Keep this parameter at 90 days or lower; a larger value lets the rule miss credentials that the benchmark requires you to disable.

INCOMING_SSH_DISABLED Not applicable
MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Not applicable
MULTI_REGION_CLOUD_TRAIL_ENABLED Not applicable
RESTRICTED_INCOMING_TRAFFIC
blockedPort1 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 20

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort2 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 21

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort3 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 3389

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort4 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 3306

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

blockedPort5 (Optional)
  • The blocked TCP port number.

  • Type: int

  • Default: 4333

  • Compliance requirement: Ensure that no security groups allow ingress on blocked ports

ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Not applicable
ROOT_ACCOUNT_MFA_ENABLED Not applicable
S3_BUCKET_LOGGING_ENABLED
targetBucket (Optional)
  • The target S3 bucket for storing server access logs.

  • Type: String

  • Compliance requirement: Server access logging is enabled

targetPrefix (Optional)
  • The prefix within the target S3 bucket for the server access logs.

  • Type: String

  • Compliance requirement: Server access logging is enabled on the S3 bucket that stores CloudTrail logs

S3_BUCKET_PUBLIC_READ_PROHIBITED Not applicable
VPC_DEFAULT_SECURITY_GROUP_CLOSED Not applicable
VPC_FLOW_LOGS_ENABLED
trafficType (Optional)
  • The type of traffic that the flow logs capture (ACCEPT, REJECT, or ALL).

  • Type: String

  • Compliance requirement: Flow logging is enabled
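The script below is added here as a worked example; it is not part of the AWS documentation and not code from Audit Manager or AWS Config. It takes a list of deployed rules in the shape that config:DescribeConfigRules returns and checks it against the table above: rules that are missing, rules that are not ACTIVE, and rules whose parameters were set to a value weaker than the compliance requirement (the omitted optional parameters fall back to the documented defaults, which already meet the benchmark). It also builds the put_config_rule request that deploys a missing rule with the table's defaults. The sample rule list is constructed, the policy ARN in it is a placeholder, and naming each deployed rule after its identifier is an assumption of the example, not an AWS convention.

```python
"""Check deployed AWS Config managed rules against the rule/parameter table above.
Added example, not AWS documentation or Audit Manager code. Runs offline on a list
shaped like the "ConfigRules" array from config:DescribeConfigRules, where
InputParameters is a JSON string whose values are strings ("90", "true")."""
import json

# Rules from the table with no parameter limit this script can evaluate.
PARAMETERLESS = (
    "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED", "CLOUD_TRAIL_ENCRYPTION_ENABLED",
    "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED", "CMK_BACKING_KEY_ROTATION_ENABLED",
    "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS", "IAM_ROOT_ACCESS_KEY_CHECK",
    "IAM_USER_NO_POLICIES_CHECK", "INCOMING_SSH_DISABLED", "RESTRICTED_INCOMING_TRAFFIC",
    "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS", "MULTI_REGION_CLOUD_TRAIL_ENABLED",
    "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED", "ROOT_ACCOUNT_MFA_ENABLED",
    "S3_BUCKET_LOGGING_ENABLED", "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "VPC_DEFAULT_SECURITY_GROUP_CLOSED", "VPC_FLOW_LOGS_ENABLED",
)
# Per parameter: (kind, limit, default). "max": value <= limit; "min": value >= limit;
# "true": must be true; "set": must be present. An omitted optional parameter takes
# the documented default, which already meets the CIS requirement.
REQUIRED_RULES = {rule_id: {} for rule_id in PARAMETERLESS}
REQUIRED_RULES.update({
    "ACCESS_KEYS_ROTATED": {"maxAccessKeyAge": ("max", 90, 90)},
    "IAM_USER_UNUSED_CREDENTIALS_CHECK": {"maxCredentialUsageAge": ("max", 90, 90)},
    "IAM_POLICY_IN_USE": {"policyARN": ("set", None, None)},
    "IAM_PASSWORD_POLICY": {
        "MaxPasswordAge": ("max", 90, 90),
        "MinimumPasswordLength": ("min", 14, 14),
        "PasswordReusePrevention": ("min", 24, 24),
        "RequireLowercaseCharacters": ("true", None, True),
        "RequireNumbers": ("true", None, True),
        "RequireSymbols": ("true", None, True),
        "RequireUppercaseCharacters": ("true", None, True),
    },
})

def _parse(raw):
    """Normalise an InputParameters value: "90" -> 90, "true" -> True, else str."""
    text = str(raw).strip()
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return int(text) if text.isdigit() else text

def _check_param(name, spec, params):
    kind, limit, _ = spec
    if name not in params:
        return f"{name} is required but not set" if kind == "set" else None
    value = _parse(params[name])
    is_int = type(value) is int  # bool is an int subclass; keep it out
    if kind == "max" and not (is_int and value <= limit):
        return f"{name}={value!r} exceeds the maximum of {limit}"
    if kind == "min" and not (is_int and value >= limit):
        return f"{name}={value!r} is below the minimum of {limit}"
    if kind == "true" and value is not True:
        return f"{name}={value!r} must be true"
    return None

def audit_config_rules(config_rules):
    """Return {"missing": [rule ids not deployed], "findings": ["RULE: problem", ...]}."""
    deployed = {}
    for rule in config_rules:
        src = rule.get("Source", {})
        if src.get("Owner") == "AWS":  # managed rules only; custom rules are ignored
            deployed.setdefault(src.get("SourceIdentifier"), []).append(rule)
    missing, findings = [], []
    for rule_id, specs in REQUIRED_RULES.items():
        if rule_id not in deployed:
            missing.append(rule_id)
            continue
        for rule in deployed[rule_id]:
            state = rule.get("ConfigRuleState", "ACTIVE")
            if state != "ACTIVE":
                findings.append(f"{rule_id}: {rule['ConfigRuleName']} is {state}")
            params = json.loads(rule.get("InputParameters") or "{}")
            for name, spec in specs.items():
                problem = _check_param(name, spec, params)
                if problem:
                    findings.append(f"{rule_id}: {problem}")
    return {"missing": missing, "findings": findings}

def put_config_rule_request(rule_id):
    """Kwargs for boto3 config.put_config_rule() with the table's defaults (rule naming is assumed)."""
    params = {name: str(default).lower() for name, (_, _, default)
              in REQUIRED_RULES[rule_id].items() if default is not None}
    return {"ConfigRule": {"ConfigRuleName": rule_id.lower().replace("_", "-"),
                           "Source": {"Owner": "AWS", "SourceIdentifier": rule_id},
                           "InputParameters": json.dumps(params)}}

def _rule(ident, state="ACTIVE", params=None):
    """One entry in the DescribeConfigRules shape; used only for the constructed sample."""
    return {"ConfigRuleName": ident.lower(), "ConfigRuleState": state,
            "Source": {"Owner": "AWS", "SourceIdentifier": ident},
            "InputParameters": json.dumps(params or {})}

SAMPLE_RULES = [  # constructed sample, not data from a real account
    _rule("ACCESS_KEYS_ROTATED", params={"maxAccessKeyAge": "180"}),  # rotation too lax
    _rule("IAM_PASSWORD_POLICY", params={"MinimumPasswordLength": "8", "RequireSymbols": "false"}),
    _rule("ROOT_ACCOUNT_MFA_ENABLED"),  # no parameters, compliant as deployed
    _rule("IAM_POLICY_IN_USE", "DELETING", {"policyARN": "arn:aws:iam::123456789012:policy/Placeholder"}),
]

if __name__ == "__main__":
    # Live: boto3.client("config").describe_config_rules()["ConfigRules"], paging on NextToken
    print(json.dumps(audit_config_rules(SAMPLE_RULES), indent=2))
```

Run it once per Region where Audit Manager is enabled, because Config rules are regional. The check deliberately leaves optional parameters alone when they are unset: the documented defaults already satisfy the benchmark, and it is an explicitly weaker value (a MinimumPasswordLength of 8, or a maxAccessKeyAge of 180) that quietly turns the evidence Audit Manager collects into a wrong compliance status. A rule that exists but is not ACTIVE is reported as well, since it produces no evaluations at all.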

Next steps

For instructions on how to view detailed information about these frameworks, including the list of standard controls that they contain, see Reviewing a framework in AWS Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment in AWS Audit Manager.

For instructions on how to customize these frameworks to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.

Additional resources