# CIS AWS Foundations Benchmark v3.0.0
cloud-audit maps 55 of 62 CIS AWS v3.0 recommendations to automated checks. The remaining 7 require manual review (console-only or organizational controls).
## Coverage Summary

| Section | Controls | Automated | Manual |
|---|---|---|---|
| 1 - Identity and Access Management | 22 | 18 | 4 |
| 2 - Storage | 9 | 9 | 0 |
| 3 - Logging | 9 | 9 | 0 |
| 4 - Monitoring | 16 | 16 | 0 |
| 5 - Networking | 6 | 3 | 3 |
| Total | 62 | 55 (89%) | 7 (11%) |
## Section 1: Identity and Access Management

| CIS ID | Title | Level | cloud-audit Check |
|---|---|---|---|
| 1.1 | Maintain current contact details | L1 | Manual |
| 1.2 | Security contact information registered | L1 | aws-account-001 |
| 1.3 | Security questions registered | L1 | Manual |
| 1.4 | No root access key exists | L1 | aws-iam-008 |
| 1.5 | MFA enabled for root | L1 | aws-iam-001 |
| 1.6 | Hardware MFA for root | L2 | aws-iam-015 |
| 1.7 | No root usage for daily tasks | L1 | Manual |
| 1.8 | Password policy min length 14 | L1 | aws-iam-006 |
| 1.9 | Password reuse prevention >= 24 | L1 | aws-iam-006 |
| 1.10 | MFA for all console users | L1 | aws-iam-002 |
| 1.11 | No access keys during user setup | L1 | Manual |
| 1.12 | Credentials unused 45+ days disabled | L1 | aws-iam-004 |
| 1.13 | Only one active access key per user | L1 | aws-iam-009 |
| 1.14 | Access keys rotated every 90 days | L1 | aws-iam-003 |
| 1.15 | Users receive permissions via groups only | L1 | aws-iam-010 |
| 1.16 | No admin policies with `*:*` attached | L1 | aws-iam-005 |
| 1.17 | Support role exists (AWSSupportAccess) | L1 | aws-iam-011 |
| 1.18 | IAM instance roles on EC2 | L2 | aws-iam-016 |
| 1.19 | Expired SSL/TLS certificates removed | L1 | aws-iam-013 |
| 1.20 | IAM Access Analyzer enabled all regions | L1 | aws-iam-012 |
| 1.21 | Centralized identity federation | L2 | Manual |
| 1.22 | CloudShellFullAccess restricted | L1 | aws-iam-014 |
## Section 2: Storage

| CIS ID | Title | Level | cloud-audit Check |
|---|---|---|---|
| 2.1.1 | S3 bucket policy denies HTTP | L2 | aws-s3-006 |
| 2.1.2 | MFA Delete enabled on S3 | L2 | aws-s3-007 |
| 2.1.3 | S3 data discovered and classified | L2 | Manual |
| 2.1.4 | S3 Block Public Access enabled | L1 | aws-s3-001 |
| 2.2.1 | EBS default encryption enabled | L1 | aws-ec2-006 |
| 2.3.1 | RDS encryption at rest | L1 | aws-rds-002 |
| 2.3.2 | RDS auto minor version upgrade | L1 | aws-rds-004 |
| 2.3.3 | RDS not publicly accessible | L1 | aws-rds-001 |
| 2.4.1 | EFS encryption enabled | L1 | aws-efs-001 |
## Section 3: Logging

| CIS ID | Title | Level | cloud-audit Check |
|---|---|---|---|
| 3.1 | CloudTrail enabled all regions | L1 | aws-ct-001 |
| 3.2 | CloudTrail log file validation | L2 | aws-ct-002 |
| 3.3 | AWS Config enabled all regions | L2 | aws-cfg-001, aws-cfg-002 |
| 3.4 | CloudTrail S3 bucket access logging | L1 | aws-ct-004 |
| 3.5 | CloudTrail encrypted with KMS | L2 | aws-ct-005 |
| 3.6 | KMS key rotation enabled | L2 | aws-kms-001 |
| 3.7 | VPC flow logging enabled | L2 | aws-vpc-003 |
| 3.8 | S3 object-level write logging | L2 | aws-ct-006 |
| 3.9 | S3 object-level read logging | L2 | aws-ct-007 |
## Section 4: Monitoring

All Section 4 controls verify that CloudWatch metric filters and alarms are configured on the CloudTrail log group.

| CIS ID | Title | Level | cloud-audit Check |
|---|---|---|---|
| 4.1 | Unauthorized API calls monitored | L2 | aws-cw-002 |
| 4.2 | Console sign-in without MFA monitored | L1 | aws-cw-003 |
| 4.3 | Root account usage monitored | L1 | aws-cw-001 |
| 4.4 | IAM policy changes monitored | L1 | aws-cw-004 |
| 4.5 | CloudTrail config changes monitored | L1 | aws-cw-005 |
| 4.6 | Console auth failures monitored | L2 | aws-cw-006 |
| 4.7 | CMK disable/deletion monitored | L2 | aws-cw-007 |
| 4.8 | S3 bucket policy changes monitored | L1 | aws-cw-008 |
| 4.9 | Config changes monitored | L2 | aws-cw-009 |
| 4.10 | Security group changes monitored | L2 | aws-cw-010 |
| 4.11 | NACL changes monitored | L2 | aws-cw-011 |
| 4.12 | Network gateway changes monitored | L1 | aws-cw-012 |
| 4.13 | Route table changes monitored | L1 | aws-cw-013 |
| 4.14 | VPC changes monitored | L1 | aws-cw-014 |
| 4.15 | Organizations changes monitored | L1 | aws-cw-015 |
| 4.16 | Security Hub enabled | L2 | aws-sh-001 |
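As an added illustration of what a Section 4 check has to establish (example code, not cloud-audit's own), the function below evaluates control 4.3 against constructed data shaped like the CloudWatch Logs `describe_metric_filters()` and CloudWatch `describe_alarms()` responses. The filter pattern is the one the benchmark text prescribes for root usage; the metric name, alarm name, topic ARN and account id are placeholders.

```python
from typing import Dict, List, Set

# Metric filter pattern that CIS AWS Foundations Benchmark v3.0.0 control 4.3
# (root account usage) prescribes for the CloudTrail log group. Taken from the
# benchmark text; compared clause by clause because the console and the CLI
# reformat whitespace when they store the pattern.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def clauses(pattern: str) -> Set[str]:
    """Split an '&&'-joined filter pattern into whitespace-free clauses."""
    body = pattern.strip().strip("{}")
    return {"".join(c.split()) for c in body.split("&&")}


def evaluate_monitoring_control(metric_filters: List[Dict], alarms: List[Dict],
                                expected_pattern: str = ROOT_USAGE_PATTERN) -> Dict:
    """PASS only if a metric filter carrying every expected clause exists on the
    log group AND an alarm on the resulting metric notifies an SNS topic."""
    wanted = clauses(expected_pattern)
    matching = [f for f in metric_filters
                if wanted <= clauses(f.get("filterPattern", ""))]
    if not matching:
        return {"status": "FAIL", "reason": "no metric filter with the required pattern"}
    metric_names = {t["metricName"] for f in matching
                    for t in f.get("metricTransformations", [])}
    for alarm in alarms:
        if alarm.get("MetricName") not in metric_names:
            continue
        if any(a.startswith("arn:aws:sns:") for a in alarm.get("AlarmActions", [])):
            return {"status": "PASS", "alarm": alarm["AlarmName"]}
        return {"status": "FAIL", "reason": f"alarm {alarm['AlarmName']} has no SNS action"}
    return {"status": "FAIL", "reason": "metric filter exists but no alarm watches its metric"}


# Constructed sample data shaped like boto3 describe_metric_filters() and
# describe_alarms() output; names, topic ARN and account id are placeholders.
SAMPLE_FILTERS = [{
    "filterName": "root-usage",
    "filterPattern": '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS'
                     ' && $.eventType != "AwsServiceEvent"}',
    "metricTransformations": [{"metricName": "RootUsageCount",
                               "metricNamespace": "CISBenchmark"}],
}]
SAMPLE_ALARMS = [{
    "AlarmName": "cis-4.3-root-usage",
    "MetricName": "RootUsageCount",
    "Namespace": "CISBenchmark",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]
```

A filter that merely contains the words "Root" and "AwsServiceEvent" does not pass: every clause of the benchmark pattern must be present, and a filter without an alarm, or an alarm without an SNS action, is reported as a separate failure reason.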
## Section 5: Networking

| CIS ID | Title | Level | cloud-audit Check |
|---|---|---|---|
| 5.1 | No NACL ingress 0.0.0.0/0 to admin ports | L1 | aws-vpc-004 |
| 5.2 | No SG ingress 0.0.0.0/0 to admin ports | L1 | aws-vpc-002 |
| 5.3 | No SG ingress ::/0 to admin ports | L1 | aws-vpc-002 |
| 5.4 | Default SG restricts all traffic | L2 | aws-vpc-005 |
| 5.5 | VPC peering routing least access | L2 | Manual |
| 5.6 | IMDSv2 only | L1 | aws-ec2-004 |
## Attack Chain Integration

The compliance engine maps attack chains to the CIS controls they violate. When an attack chain is detected, the compliance report shows which CIS controls are impacted:

| Attack Chain | CIS Controls Violated |
|---|---|
| AC-01 Internet-Exposed Admin Instance | 5.2, 5.3, 1.18 |
| AC-02 SSRF to Credential Theft | 5.2, 5.3, 5.6 |
| AC-09 Unmonitored Admin Access | 1.5, 3.1 |
| AC-10 Completely Blind Admin | 1.5, 3.1, 4.3 |
| AC-25 Root Keys Without Audit Trail | 1.4, 3.1 |
## Manual Review Items

Seven CIS controls cannot be automated via the AWS API and require manual verification:
- 1.1 - Contact details are current (console only)
- 1.3 - Security questions configured (console only)
- 1.7 - Root account not used for daily tasks (review credential report)
- 1.11 - Access keys not created during user setup (review credential report)
- 1.21 - Centralized identity federation (organizational review)
- 2.1.3 - S3 data classification with Macie (requires Macie setup)
- 5.5 - VPC peering routing least access (review route tables)
## Source

CIS Amazon Web Services Foundations Benchmark v3.0.0: cisecurity.org