Add AWS > CIS v1.5.0 #496

Merged
merged 11 commits into from
Aug 30, 2022
13 changes: 7 additions & 6 deletions README.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod for Steampipe

475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.5.0) CIS benchmarks**.

Run checks in a dashboard:
![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_dashboard.png)
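Review bot: the dashboard screenshot on the line `![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_dashboard.png)` still shows the v1.4.0 dashboard while the sentence two lines above now advertises "the latest (v1.5.0) CIS benchmarks"; either add a v1.5.0 capture (for example docs/aws_cis_v150_dashboard.png) or drop the version from the caption so the text and the image do not disagree.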
Expand All @@ -11,8 +11,9 @@ Or in a terminal:
Includes support for:
* [AWS CIS v1.3.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v130)
* [AWS CIS v1.4.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v140)
* [AWS CIS v1.5.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v150) 🚀 New!
* [Audit Manager Control Tower](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.control_tower)
* [CISA Cyber Essentials](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cisa_cyber_essentials) 🚀 New!
* [CISA Cyber Essentials](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cisa_cyber_essentials)
* [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)
* [FedRAMP Moderate Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_moderate_rev_4)
* [Federal Financial Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec)
Expand All @@ -22,9 +23,9 @@ Includes support for:
* [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
* [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
* [NIST 800-171 Revision 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_171_rev_2) 🚀 New!
* [NIST 800-171 Revision 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_171_rev_2)
* [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
* [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other) 🚀 New!
* [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other)
* [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321)
* [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security)
* [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security)
Expand Down Expand Up @@ -84,13 +85,13 @@ steampipe check all
Run a single benchmark:

```sh
steampipe check benchmark.cis_v140
steampipe check benchmark.cis_v150
```

Run a specific control:

```sh
steampipe check control.cis_v140_2_1_1
steampipe check control.cis_v150_2_1_1
```

Different output formats are also available, for more information please see
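Review bot: the new examples `steampipe check benchmark.cis_v150` and `steampipe check control.cis_v150_2_1_1` depend on a control named cis_v150_2_1_1 existing in the section 2 definitions, which are not part of this view; confirm the name resolves before merging. Since v1.3.0 and v1.4.0 remain listed as supported above, swapping the example should not read as v1.4.0 being removed; a short line noting that the older names (e.g. control.cis_v140_2_1_1) still work would avoid that reading.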
24 changes: 24 additions & 0 deletions cis_v150/cis.sp
@@ -0,0 +1,24 @@
locals {
cis_v150_common_tags = merge(local.aws_compliance_common_tags, {
cis = "true"
cis_version = "v1.5.0"
})
}


benchmark "cis_v150" {
title = "CIS v1.5.0"
description = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings."
documentation = file("./cis_v150/docs/cis_overview.md")
children = [
benchmark.cis_v150_1,
benchmark.cis_v150_2,
benchmark.cis_v150_3,
benchmark.cis_v150_4,
benchmark.cis_v150_5
]

tags = merge(local.cis_v150_common_tags, {
type = "Benchmark"
})
}
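Review bot: style nit at the two consecutive blank lines between the `locals` block and `benchmark "cis_v150"`; one blank line is enough. More importantly, the `children` list references benchmark.cis_v150_1 through benchmark.cis_v150_5 and `documentation` points at ./cis_v150/docs/cis_overview.md, so the five section .sp files and that doc must all ship in this PR or `steampipe check benchmark.cis_v150` will fail to resolve; the overview doc is visible below, the section .sp files are not in this view.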
34 changes: 34 additions & 0 deletions cis_v150/docs/cis_overview.md
@@ -0,0 +1,34 @@
To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.

## Overview

The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. Specific Amazon Web Services in scope include:

- AWS Identity and Access Management (IAM)
- IAM Access Analyzer
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- Elastic Compute Cloud (EC2)
- Elastic File System (EFS)
- Relational Database Service (RDS)
- AWS VPC (Default)

## Profiles

### Level 1

Items in this profile intend to:
- be practical and prudent;
- provide security focused best practice hardening of a technology; and
- limit impact to the utility of the technology beyond acceptable means.

### Level 2 (extends Level 1)

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is more critical than manageability and usability
- acts as defense in depth measure
- may impact the utility or performance of the technology
- may include additional licensing, cost, or addition of third party software.
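Review bot: the first line links http://benchmarks.cisecurity.org over plain HTTP; a security mod's documentation should link https. In the Level 2 list, 'acts as defense in depth measure' breaks the plural parallel form of the other bullets ('are intended', 'may impact', 'may include'); 'act as a defense-in-depth measure'.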
3 changes: 3 additions & 0 deletions cis_v150/docs/cis_v150_1.md
@@ -0,0 +1,3 @@
## Overview

This section contains recommendations for configuring identity and access management related options.
21 changes: 21 additions & 0 deletions cis_v150/docs/cis_v150_1_1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
## Description

Ensure your *Contact Information* and *Alternate Contacts* are correct in the AWS account settings page of your AWS account.

In addition to the primary contact information, you may enter the following contacts:

- **Billing**: When your monthly invoice is available, or your payment method needs to be updated. If your Receive PDF Invoice By Email is turned on in your Billing preferences, your alternate billing contact will receive the PDF invoices as well.
- **Operations**: When your service is, or will be, temporarily unavailable in one of more Regions. Any notification related to operations.
- **Security**: When you have notifications from the AWS Abuse team for potentially fraudulent activity on your AWS account. Any notification related to security.

As a best practice, avoid using contact information for individuals, and instead use group email addresses and shared company phone numbers.

AWS uses the contact information to inform you of important service events, billing issues, and security issues. Keeping your contact information up to date ensure timely delivery of important information to the relevant stakeholders. Incorrect contact information may result in communications delays that could impact your ability to operate.

## Remediation

There is no API available for setting contact information - you must log in to the AWS console to verify and set your contact information.

1. Sign into the AWS console, and navigate to [Account Settings](https://console.aws.amazon.com/billing/home?#/account).
2. Verify that the information in the **Contact Information** section is correct and complete. If changes are required, click **Edit**, make your changes, and then click **Update**.
3. Verify that the information in the **Alternate Contacts** section is correct and complete. If changes are required, click **Edit**, make your changes, and then click **Update**.
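Review bot: two typos in the description, 'in one of more Regions' (one or more) and 'Keeping your contact information up to date ensure' (ensures). The remediation's claim 'There is no API available for setting contact information - you must log in to the AWS console' is too broad: the Alternate Contacts half of this recommendation is manageable through the Account Management API (`aws account put-alternate-contact` / `aws account get-alternate-contact`), which is also how the security, billing and operations contacts could be evaluated programmatically instead of left as a manual check; qualify the sentence to the primary contact information if that is what is meant.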
24 changes: 24 additions & 0 deletions cis_v150/docs/cis_v150_1_10.md
@@ -0,0 +1,24 @@
## Description

Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS console, they will be prompted for their username and password as well as for an authentication code from their virtual or physical MFA device. It is recommended that MFA to be enabled for all users that have a console password.

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that creates a time-sensitive key and have knowledge of a credential.

## Remediation

### From Console

Perform the following action to enabled virtual MFA for the intended user:

1. Sign into the AWS console, and navigate to [IAM Console](https://console.aws.amazon.com/iam/home#/).
2. In the left navigation pane, choose Users.
3. In the user name list, choose the **name** of the intended user.
4. Choose the **Security credentials** tab, and then choose **Manage** for `Assigned MFA Device`.
5. In the Manage MFA device wizard, choose **virtual MFA device** and click on **continue**.
6. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic.
7. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](https://aws.amazon.com/iam/features/mfa/?audit=2019q1#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
8. Determine whether the MFA app supports QR codes, and then do one of the following:
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
9. Once you configure, the virtual MFA device starts generating MFA codes.
10. Type two consecutive MFA codes, MFA code 1 and MFA code 2 fields. Then click **Assign MFA**. Now the virtual MFA is enabled for the AWS account.
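Review bot: the last step ends 'Now the virtual MFA is enabled for the AWS account', but the procedure enrols a device for a single IAM user (step 3 selects 'the intended user'); say 'for that IAM user' so it is not confused with root account MFA. Minor: 'to enabled virtual MFA' should be 'to enable', step 10 is missing 'into the' before 'MFA code 1 and MFA code 2 fields', and the Virtual MFA Applications link carries a stale `?audit=2019q1` tracking parameter that can be dropped. The sibling docs (1.11, 1.13, 1.14) include a 'From Command Line' section; the equivalent here is `aws iam create-virtual-mfa-device` followed by `aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-arn> --authentication-code1 <code1> --authentication-code2 <code2>`.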
38 changes: 38 additions & 0 deletions cis_v150/docs/cis_v150_1_11.md
@@ -0,0 +1,38 @@
## Description

AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user access type you have to determine what type of access they require.

**Programmatic access**:The IAM user might need to make API calls, use the AWS CLI, or use the tools for windows powershell. In that case, create an access key (access key ID and a secret access key) for that user.
**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.

After user profile is created, user can create access keys for programmatic access which will provide an indication that it is needed for their work. User can also put a support ticket to have access keys created for them.

## Remediation

### From Console:

Perform the following action to check if an access key is created during user creation:

1. Sign into the AWS console and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Click on the **User name** where column `Password age` and `Access key age` is not set to **None**.
4. Click on **Security credentials** tab.
5. Compare the user `Creation time` to the Access Key `Created` date and time.
6. For any that match, the key was created during initial user setup.

**Note**: Keys that were created at the same time as the user profile and do not have a last used date should be deleted.

Perform the following action to delete access keys:

1. Sign into the AWS console as an **Administrator** and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Click on the **User name** for which access key is to be deleted.
4. Click on **Security credentials** tab.
5. Click on the **Make inactive** to `deactivate` the keys that were created at the same time as the user profile but have not been used.
6. Now click X (delete) for the `Inactive` keys.

### From Command Line:

```bash
aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>
```
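Review bot: the command-line remediation jumps straight to `aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>`, while the console steps above it first set the key to Inactive and delete only afterwards; mirror the staged approach in the CLI with `aws iam update-access-key --access-key-id <access-key-id> --user-name <user-name> --status Inactive` first, so a key that turns out to be in use can be re-enabled instead of re-issued. Smaller points: 'tools for windows powershell' should be 'Tools for Windows PowerShell', and 'which will provide an indication that it is needed for their work' reads awkwardly; the intent is that keys are created on demand, when the user actually needs programmatic access, rather than at user creation.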
26 changes: 26 additions & 0 deletions cis_v150/docs/cis_v150_1_12.md
@@ -0,0 +1,26 @@
## Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days to be deactivated or removed.

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned users to be used.

## Remediation

### From Console:

Perform the following action to disable user console password:

1. Sign into the AWS console and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Select the **User name** whose `Console last sign-in` is greater than 45 days.
4. Click on **Security credentials** tab.
5. In section `Sign-in credentials`, `Console password` click **Manage**.
6. Select `Disable`, click **Apply**

Perform the following action to deactivate access keys:

1. Sign into the AWS console as an **Administrator** and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Click on the **User name** for which access key is over 45 days old.
4. Click on **Security credentials** tab.
5. Click on the **Make inactive** to `deactivate` the key that is over 45 days old and that have not been used.
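Review bot: step 3 of the access-key procedure, 'Click on the User name for which access key is over 45 days old', selects on key age, but the description (and the control) is about credentials unused for 45 or more days; a key older than 45 days that was used yesterday is compliant here (age is 1.14's concern). Reword to 'whose access key Last used is more than 45 days ago', and step 5 likewise. This doc also lacks the 'From Command Line' section its siblings have; the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`) exposes password_last_used and access_key_1_last_used_date / access_key_2_last_used_date for exactly this check, and `aws iam update-access-key --status Inactive` and `aws iam delete-login-profile` perform the two remediations.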
27 changes: 27 additions & 0 deletions cis_v150/docs/cis_v150_1_13.md
@@ -0,0 +1,27 @@
## Description

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

One of the best ways to protect your account is to not allow users to have multiple access keys as this is being used for programmatic requests.

## Remediation

### From Console:

Perform the following action to deactivate access keys:

1. Sign into the AWS console as an **Administrator** and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Click on the **User name** for which more than one active access key exists.
4. Click on **Security credentials** tab.
5. Click on the **Make inactive** to `deactivate` the non-operational key.

**Note**: Test your application to make sure that the active access key is working.

### From Command Line:

Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key.

```bash
aws iam update-access-key --access-key-id <access-key-id> --status Inactive - -user-name <user-name>
```
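Review bot: the command on the last fenced line is broken: `--status Inactive - -user-name <user-name>` has a space inside `--user-name`, so the AWS CLI will reject the stray `-` argument; it should read `aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>`. Also the rationale sentence 'not allow users to have multiple access keys as this is being used for programmatic requests' does not say why two keys are worse than one; the point is that a second active key is usually a rotation leftover (see 1.14) that nobody monitors, doubling the long-term credential surface for the same principal.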
35 changes: 35 additions & 0 deletions cis_v150/docs/cis_v150_1_14.md
@@ -0,0 +1,35 @@
## Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys to be rotated within 90 days.

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

## Remediation

### From Console:

Perform the following action to deactivate access keys:

1. Sign into the AWS console as an **Administrator** and navigate to the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, choose Users.
3. Click on the **User name** for which access key exists that have not been rotated in 90 days.
4. Click on **Security credentials** tab.
5. Click on the **Make inactive** to `deactivate` the key that have not been rotated in 90 days.
6. Click **Create access key** and update programmatic call with new key pair.

**Note**: Test your application to make sure that the new key pair is working.

### From Command Line:

While the first access key is still active, create a second access key, which is active by default. Run the following command:

```bash
aws iam create-access-key
```

At this point, the user has two active access keys.
- Update all applications and tools to use the new access key pair.
- Change the state of the first access key to `Inactive` using below command:
```bash
aws iam update-access-key
```
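Review bot: both commands in the command-line section are incomplete and will not work as shown: `aws iam update-access-key` requires `--access-key-id` and `--status`, and `aws iam create-access-key` without `--user-name` creates a key for whichever identity runs the CLI rather than for the user being rotated. Show the full forms, `aws iam create-access-key --user-name <user-name>` and `aws iam update-access-key --access-key-id <old-key-id> --status Inactive --user-name <user-name>`, and add the final step the console section also omits: after a verification period, remove the old key with `aws iam delete-access-key`, otherwise the inactive key lingers as a credential that can be re-enabled. Grammar: 'access key exists that have not been rotated' and 'the key that have not been rotated' should use 'has'.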
40 changes: 40 additions & 0 deletions cis_v150/docs/cis_v150_1_15.md
@@ -0,0 +1,40 @@
## Description

IAM users are granted access to services, functions, and data through IAM policies. There are multiple ways to define policies for an user, such as:
- Add the user to an IAM group that has an attached policy.
- Attach an inline policy directly to an user.
- Attach a managed policy directly to an user.

Only the first implementation is recommended.

Assigning IAM policy only through groups simplifies permissions management to a single, flexible layer consistent with organizational functional roles. By simplifying permissions management, the likelihood of excessive permissions is reduced.

## Remediation

### From Console

Perform the following to create an IAM group and assign a list of policies to it:

1. Sign into the AWS console and open the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, click **User groups** and then click **Create group**.
3. In the `User group name` box, type the name of the group.
4. In the list of policies, select the `check box` for each policy that you want to apply to all members of the group (You can attach up to 10 policies to this user group).
5. Click **Create group**. Group is created with the list of permissions.

Perform the following to add a user to a given group:

1. Sign into the AWS console and open the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, click **User groups**.
3. Select the `Group name` to add an user to.
4. Click `Add users` to group.
5. Select the users to be added to the group.
6. Click **Add users**. Users are added to the group.

Perform the following to remove a direct association between an user and the policy:

1. Sign into the AWS console and open the [IAM Dashboard](https://console.aws.amazon.com/iam/home#/home).
2. In the left navigation pane, click on **Users**.
3. For each user:
- Select the user, it will take you to `Permissions` tab.
- Expand Permissions policies.
- Click `X` for each policy and then click **Remove** (depending on policy type).
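Review bot: the last procedure is the risky one and needs an ordering caveat: removing a user's direct policies before the group grants the same permissions causes an access outage, so state that the three procedures must run in the order given (create group, add user, then remove direct attachments) and that the user's effective permissions should be compared before and after. Step 3's 'Click `X` for each policy and then click Remove (depending on policy type)' should spell out the two cases: managed policies are detached, inline policies are deleted. A 'From Command Line' section would fit the pattern of the sibling docs: `aws iam list-attached-user-policies` / `aws iam detach-user-policy` for managed policies and `aws iam list-user-policies` / `aws iam delete-user-policy` for inline ones. Grammar: 'an user' appears several times in this file and should be 'a user'.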