CIS AWS Foundations Benchmark - AWS Security Hub

CIS AWS Foundations Benchmark

The Center for Internet Security (CIS) AWS Foundations Benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices provide you with clear, step-by-step implementation and assessment procedures. Ranging from operating systems to cloud services and network devices, the controls in this benchmark help you protect the specific systems that your organization uses.

AWS Security Hub supports CIS AWS Foundations Benchmark v3.0.0, v1.4.0, and v1.2.0.

This page lists the security controls that each version supports and provides a comparison of the versions.

CIS AWS Foundations Benchmark v3.0.0

Security Hub supports version 3.0.0 of the CIS AWS Foundations Benchmark.

Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks:

  • CIS Benchmark for CIS AWS Foundations Benchmark, v3.0.0, Level 1

  • CIS Benchmark for CIS AWS Foundations Benchmark, v3.0.0, Level 2

Controls that apply to CIS AWS Foundations Benchmark v3.0.0

[Account.1] Security contact information should be provided for an AWS account

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[Config.1] AWS Config should be enabled and use the service-linked role for resource recording

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports

[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports

[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS

[IAM.2] IAM users should not have IAM policies attached

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.9] MFA should be enabled for the root user

[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.18] Ensure a support role has been created to manage incidents with AWS Support

[IAM.22] IAM user credentials unused for 45 days should be removed

[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed

[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached

[IAM.28] IAM Access Analyzer external access analyzer should be enabled

[KMS.4] AWS KMS key rotation should be enabled

[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration

[RDS.3] RDS DB instances should have encryption at-rest enabled

[RDS.13] RDS automatic minor version upgrades should be enabled

[S3.1] S3 general purpose buckets should have block public access settings enabled

[S3.5] S3 general purpose buckets should require requests to use SSL

[S3.8] S3 general purpose buckets should block public access

[S3.20] S3 general purpose buckets should have MFA delete enabled

[S3.22] S3 general purpose buckets should log object-level write events

[S3.23] S3 general purpose buckets should log object-level read events

CIS AWS Foundations Benchmark v1.4.0

Security Hub supports v1.4.0 of the CIS AWS Foundations Benchmark.

Controls that apply to CIS AWS Foundations Benchmark v1.4.0

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes

[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes

[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes

[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes

[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways

[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes

[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes

[Config.1] AWS Config should be enabled and use the service-linked role for resource recording

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.7] EBS default encryption should be enabled

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.9] MFA should be enabled for the root user

[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.18] Ensure a support role has been created to manage incidents with AWS Support

[IAM.22] IAM user credentials unused for 45 days should be removed

[KMS.4] AWS KMS key rotation should be enabled

[RDS.3] RDS DB instances should have encryption at-rest enabled

[S3.1] S3 general purpose buckets should have block public access settings enabled

[S3.5] S3 general purpose buckets should require requests to use SSL

[S3.8] S3 general purpose buckets should block public access

[S3.20] S3 general purpose buckets should have MFA delete enabled

Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0

Security Hub supports version 1.2.0 of the CIS AWS Foundations Benchmark.

Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks:

  • CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 1

  • CIS Benchmark for CIS AWS Foundations Benchmark, v1.2.0, Level 2

Controls that apply to CIS AWS Foundations Benchmark v1.2.0

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls

[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes

[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes

[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes

[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes

[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways

[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes

[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes

[Config.1] AWS Config should be enabled and use the service-linked role for resource recording

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22

[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.2] IAM users should not have IAM policies attached

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.8] Unused IAM user credentials should be removed

[IAM.9] MFA should be enabled for the root user

[IAM.11] Ensure IAM password policy requires at least one uppercase letter

[IAM.12] Ensure IAM password policy requires at least one lowercase letter

[IAM.13] Ensure IAM password policy requires at least one symbol

[IAM.14] Ensure IAM password policy requires at least one number

[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.17] Ensure IAM password policy expires passwords within 90 days or less

[IAM.18] Ensure a support role has been created to manage incidents with AWS Support

[KMS.4] AWS KMS key rotation should be enabled

Version comparison for CIS AWS Foundations Benchmark

This section summarizes the differences among the Center for Internet Security (CIS) AWS Foundations Benchmark v3.0.0, v1.4.0, and v1.2.0.

Security Hub supports each of these versions of the CIS AWS Foundations Benchmark, but we recommend using v3.0.0 to stay current on security best practices. You can have multiple versions of the standard enabled at the same time. For instructions on enabling standards, see Enabling a security standard in Security Hub. If you want to upgrade to v3.0.0, it's best to enable it first before disabling an older version. If you use the Security Hub integration with AWS Organizations to centrally manage multiple AWS accounts and you want to batch enable v3.0.0 across all accounts, you can use central configuration.

Mapping of controls to CIS requirements in each version

Understand which controls each version of the CIS AWS Foundations Benchmark supports.

Control ID and title | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.2.0 requirement
[Account.1] Security contact information should be provided for an AWS account | 1.2 | 1.2 | 1.18
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | 3.1 | 3.1 | 2.1
[CloudTrail.2] CloudTrail should have encryption at-rest enabled | 3.5 | 3.7 | 2.7
[CloudTrail.4] CloudTrail log file validation should be enabled | 3.2 | 3.2 | 2.2
[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs | Not supported – CIS removed this requirement | 3.4 | 2.4
[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Not supported – CIS removed this requirement | 3.3 | 2.3
[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | 3.4 | 3.6 | 2.6
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user | Not supported – manual check | 4.3 | 3.3
[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls | Not supported – manual check | Not supported – manual check | 3.1
[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Not supported – manual check | Not supported – manual check | 3.2
[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes | Not supported – manual check | 4.4 | 3.4
[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes | Not supported – manual check | 4.5 | 3.5
[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Not supported – manual check | 4.6 | 3.6
[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys | Not supported – manual check | 4.7 | 3.7
[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes | Not supported – manual check | 4.8 | 3.8
[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes | Not supported – manual check | 4.9 | 3.9
[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes | Not supported – manual check | 4.10 | 3.10
[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Not supported – manual check | 4.11 | 3.11
[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways | Not supported – manual check | 4.12 | 3.12
[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes | Not supported – manual check | 4.13 | 3.13
[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes | Not supported – manual check | 4.14 | 3.14
[Config.1] AWS Config should be enabled and use the service-linked role for resource recording | 3.3 | 3.5 | 2.5
[EC2.2] VPC default security groups should not allow inbound or outbound traffic | 5.4 | 5.3 | 4.3
[EC2.6] VPC flow logging should be enabled in all VPCs | 3.7 | 3.9 | 2.9
[EC2.7] EBS default encryption should be enabled | 2.2.1 | 2.2.1 | Not supported
[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | 5.6 | Not supported | Not supported
[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Not supported – replaced by requirements 5.2 and 5.3 | Not supported – replaced by requirements 5.2 and 5.3 | 4.1
[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | Not supported – replaced by requirements 5.2 and 5.3 | Not supported – replaced by requirements 5.2 and 5.3 | 4.2
[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | 5.1 | 5.1 | Not supported
[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 | Not supported | Not supported
[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports | 5.3 | Not supported | Not supported
[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS | 2.4.1 | Not supported | Not supported
[IAM.1] IAM policies should not allow full "*" administrative privileges | Not supported | 1.16 | 1.22
[IAM.2] IAM users should not have IAM policies attached | 1.15 | Not supported | 1.16
[IAM.3] IAM users' access keys should be rotated every 90 days or less | 1.14 | 1.14 | 1.4
[IAM.4] IAM root user access key should not exist | 1.4 | 1.4 | 1.12
[IAM.5] MFA should be enabled for all IAM users that have a console password | 1.10 | 1.10 | 1.2
[IAM.6] Hardware MFA should be enabled for the root user | 1.6 | 1.6 | 1.14
[IAM.8] Unused IAM user credentials should be removed | Not supported – see [IAM.22] IAM user credentials unused for 45 days should be removed instead | Not supported – see [IAM.22] IAM user credentials unused for 45 days should be removed instead | 1.3
[IAM.9] MFA should be enabled for the root user | 1.5 | 1.5 | 1.13
[IAM.11] Ensure IAM password policy requires at least one uppercase letter | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.5
[IAM.12] Ensure IAM password policy requires at least one lowercase letter | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.6
[IAM.13] Ensure IAM password policy requires at least one symbol | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.7
[IAM.14] Ensure IAM password policy requires at least one number | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.8
[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater | 1.8 | 1.8 | 1.9
[IAM.16] Ensure IAM password policy prevents password reuse | 1.9 | 1.9 | 1.10
[IAM.17] Ensure IAM password policy expires passwords within 90 days or less | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.11
[IAM.18] Ensure a support role has been created to manage incidents with AWS Support | 1.17 | 1.17 | 1.2
[IAM.20] Avoid the use of the root user | Not supported – CIS removed this requirement | Not supported – CIS removed this requirement | 1.1
[IAM.22] IAM user credentials unused for 45 days should be removed | 1.12 | 1.12 | Not supported – CIS added this requirement in later versions
[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed | 1.19 | Not supported – CIS added this requirement in later versions | Not supported – CIS added this requirement in later versions
[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached | 1.22 | Not supported – CIS added this requirement in later versions | Not supported – CIS added this requirement in later versions
[IAM.28] IAM Access Analyzer external access analyzer should be enabled | 1.20 | Not supported – CIS added this requirement in later versions | Not supported – CIS added this requirement in later versions
[KMS.4] AWS KMS key rotation should be enabled | 3.6 | 3.8 | 2.8
[Macie.1] Amazon Macie should be enabled | Not supported – manual check | Not supported – manual check | Not supported – manual check
[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | 2.3.3 | Not supported – CIS added this requirement in later versions | Not supported – CIS added this requirement in later versions
[RDS.3] RDS DB instances should have encryption at-rest enabled | 2.3.1 | 2.3.1 | Not supported – CIS added this requirement in later versions
[RDS.13] RDS automatic minor version upgrades should be enabled | 2.3.2 | Not supported – CIS added this requirement in later versions | Not supported – CIS added this requirement in later versions
[S3.1] S3 general purpose buckets should have block public access settings enabled | 2.1.4 | 2.1.5 | Not supported – CIS added this requirement in later versions
[S3.5] S3 general purpose buckets should require requests to use SSL | 2.1.1 | 2.1.2 | Not supported – CIS added this requirement in later versions
[S3.8] S3 general purpose buckets should block public access | 2.1.4 | 2.1.5 | Not supported – CIS added this requirement in later versions
[S3.20] S3 general purpose buckets should have MFA delete enabled | 2.1.2 | 2.1.3 | Not supported – CIS added this requirement in later versions

ARNs for CIS AWS Foundations Benchmark

When you enable one or more versions of CIS AWS Foundations Benchmark, you'll begin receiving findings in the AWS Security Finding Format (ASFF). In ASFF, each version uses the following Amazon Resource Name (ARN):

CIS AWS Foundations Benchmark v3.0.0

arn:aws:securityhub:region::standards/cis-aws-foundations-benchmark/v/3.0.0

CIS AWS Foundations Benchmark v1.4.0

arn:aws:securityhub:region::standards/cis-aws-foundations-benchmark/v/1.4.0

CIS AWS Foundations Benchmark v1.2.0

arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0

You can use the GetEnabledStandards operation of the Security Hub API to find out the ARN of an enabled standard.

The preceding values are for StandardsArn. However, StandardsSubscriptionArn refers to the standard subscription resource that Security Hub creates when you subscribe to a standard by calling BatchEnableStandards in a Region.
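The upgrade order recommended above (enable v3.0.0 before disabling an older version) turned into a small planner over a GetEnabledStandards response, as an added example that is not AWS's code. It parses the StandardsArn formats listed on this page and assumes BatchDisableStandards as the disabling call; the subscription list, account ID and subscription ARN layout are constructed placeholders, so nothing here talks to AWS.

```python
"""Plan a CIS AWS Foundations Benchmark upgrade from a GetEnabledStandards response.

Added example, not AWS's code. No AWS call is made: the list below is a
constructed sample shaped like the StandardsSubscriptions that
GetEnabledStandards returns.
"""
import re

# StandardsArn shapes from the page: v1.4.0 and v3.0.0 use "standards" and carry a
# Region; v1.2.0 uses the older "ruleset" path with an empty Region field.
CIS_ARN_RE = re.compile(
    r"^arn:aws:securityhub:(?P<region>[a-z0-9-]*)::(?P<kind>standards|ruleset)"
    r"/cis-aws-foundations-benchmark/v/(?P<version>\d+\.\d+\.\d+)$"
)
TARGET_VERSION = "3.0.0"


def parse_cis_arn(arn):
    """Return (region, version) for a CIS StandardsArn, or None for any other ARN."""
    m = CIS_ARN_RE.match(arn)
    return (m.group("region"), m.group("version")) if m else None


def v3_arn(region):
    """StandardsArn for v3.0.0 in the given Region (the page's v3.0.0 ARN format)."""
    return f"arn:aws:securityhub:{region}::standards/cis-aws-foundations-benchmark/v/{TARGET_VERSION}"


def plan_upgrade(subscriptions, region):
    """Ordered plan: enable v3.0.0 first, then disable older CIS versions.

    'enable' steps carry a StandardsArn (what BatchEnableStandards takes);
    'disable' steps carry a StandardsSubscriptionArn (what BatchDisableStandards
    takes; assumed here). Subscriptions to other standards are left alone.
    """
    plan, older, have_v3 = [], [], False
    for sub in subscriptions:
        parsed = parse_cis_arn(sub["StandardsArn"])
        if parsed is None:
            continue  # not a CIS subscription
        if parsed[1] == TARGET_VERSION:
            have_v3 = True
        else:
            older.append(sub["StandardsSubscriptionArn"])
    if not have_v3:
        plan.append(("enable", v3_arn(region)))
    plan.extend(("disable", arn) for arn in older)  # only after v3.0.0 is enabled
    return plan


# Constructed sample; account ID, subscription ARN layout and the third
# (non-CIS) standard are placeholders, not values from this page.
SAMPLE_SUBSCRIPTIONS = [
    {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.4.0",
     "StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
     "StandardsStatus": "READY"},
    {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
     "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
     "StandardsStatus": "READY"},
    {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/example-other-standard/v/1.0.0",
     "StandardsArn": "arn:aws:securityhub:us-east-1::standards/example-other-standard/v/1.0.0",
     "StandardsStatus": "READY"},
]

if __name__ == "__main__":
    for action, arn in plan_upgrade(SAMPLE_SUBSCRIPTIONS, "us-east-1"):
        print(f"{action:8}{arn}")
```

Feed the real StandardsSubscriptions list from GetEnabledStandards into plan_upgrade and execute the steps in the returned order; the disable steps come last so the account is never left with no CIS version enabled.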

Note

When you enable a version of CIS AWS Foundations Benchmark, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information about the schedule for generating control findings, see Schedule for running security checks.

Finding fields differ if you turn on consolidated control findings. For more information about these differences, see Impact of consolidation on ASFF fields and values. For sample control findings, see Sample control findings in Security Hub.

CIS requirements that aren't supported in Security Hub

As noted in the preceding table, Security Hub doesn't support every CIS requirement in every version of the CIS AWS Foundations Benchmark. Many of the unsupported requirements can be evaluated only manually by reviewing the state of your AWS resources.