Add cis_v120 benchmark

README.md

@@ -9,9 +9,10 @@ Or in a terminal:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_console.png)
 
 Includes support for:
+* [AWS CIS v1.2.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v120) 🚀 New!
 * [AWS CIS v1.3.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v130)
 * [AWS CIS v1.4.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v140)
-* [AWS CIS v1.5.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v150) 🚀 New!
+* [AWS CIS v1.5.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v150)
 * [Audit Manager Control Tower](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.control_tower)
 * [CISA Cyber Essentials](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cisa_cyber_essentials)
 * [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)

cis_v120/cis.sp

@@ -0,0 +1,22 @@
+locals {
+  cis_v120_common_tags = merge(local.aws_compliance_common_tags, {
+    cis         = "true"
+    cis_version = "v1.2.0"
+  })
+}
+
+benchmark "cis_v120" {
+  title         = "CIS v1.2.0"
+  description   = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings."
+  documentation = file("./cis_v120/docs/cis_overview.md")
+  children = [
+    benchmark.cis_v120_1,
+    benchmark.cis_v120_2,
+    benchmark.cis_v120_3,
+    benchmark.cis_v120_4
+  ]
+
+  tags = merge(local.cis_v120_common_tags, {
+    type = "Benchmark"
+  })
+}

cis_v120/docs/cis_overview.md

@@ -0,0 +1,29 @@
+To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.
+
+## Overview
+
+The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. Specific Amazon Web Services in scope include:
+
+- AWS Identity and Access Management (IAM)
+- AWS Config
+- AWS CloudTrail
+- AWS CloudWatch
+- AWS Simple Notification Service (SNS)
+- AWS Simple Storage Service (S3)
+- AWS VPC (Default)
+
+## Profiles
+
+### Level 1
+
+Items in this profile intend to:
+- be practical and prudent;
+- provide a clear security benefit; and
+- not inhibit the utility of the technology beyond acceptable means.
+
+### Level 2 
+
+This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
+- are intended for environments or use cases where security is paramount
+- acts as defense in depth measure
+- may negatively inhibit the utility or performance of the technology.

cis_v120/docs/cis_v120_1.md

@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring identity and access management related options.

cis_v120/docs/cis_v120_1_1.md

@@ -0,0 +1,9 @@
+## Description
+
+The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
+
+The "root" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.
+
+## Remediation
+
+Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.

cis_v120/docs/cis_v120_1_10.md

@@ -0,0 +1,25 @@
+## Description
+
+IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
+
+Preventing password reuse increases account resiliency against brute force login attempts.
+
+## Remediation
+
+Perform the following to set the password policy as prescribed:
+
+### Via AWS Console
+
+1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
+2. Go to IAM Service on the AWS Console.
+3. Click on Account Settings on the Left Pane.
+4. Check "Prevent password reuse".
+5. Set "Number of passwords to remember" is set to `24`.
+
+### Via CLI
+
+```bash
+aws iam update-account-password-policy --password-reuse-prevention 24
+```
+
+**Note**: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.

cis_v120/docs/cis_v120_1_11.md

@@ -0,0 +1,30 @@
+## Description
+
+IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.
+
+Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help in the following scenarios:
+
+- Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
+- Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.
+- Many people use the same password for many systems such as work, email, and personal.
+- Compromised end user workstations might have a keystroke logger.
+
+## Remediation
+
+Perform the following to set the password policy as prescribed:
+
+### Via AWS Console:
+
+1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings).
+2. Go to IAM Service on the AWS Console.
+3. Click on Account Settings on the Left Pane.
+4. Check "Enable password expiration".
+5. Set "Password expiration period (in days):" to 90 or less.
+
+### Via CLI
+
+```bash
+aws iam update-account-password-policy --max-password-age 90
+```
+
+**Note**: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.

cis_v120/docs/cis_v120_1_12.md

@@ -0,0 +1,21 @@
+## Description
+
+The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.
+
+Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.
+
+## Remediation
+
+Perform the following to delete or disable active root access keys being
+
+### Via the AWS Console
+
+Perform the following action to disable user console password:
+
+1. Sign in to the AWS Management Console as Root and open the [IAM console](https://console.aws.amazon.com/iam/).
+2. Click on `<Root_Account_Name>` at the top right and select `Security Credentials` from the drop down list.
+3. On the pop out screen Click on `Continue to Security Credentials`.
+4. Click on `Access Keys` (Access Key ID and Secret Access Key).
+5. Under the `Status` column if there are any Keys which are Active
+  - Click on `Make Inactive` - (Temporarily disable Key - may be needed again).
+  - Click `Delete` - (Deleted keys cannot be recovered).

cis_v120/docs/cis_v120_1_13.md

@@ -0,0 +1,30 @@
+## Description
+
+The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.
+
+**Note**: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.
+
+Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.
+
+## Remediation
+
+Perform the following to establish MFA for the root account:
+
+### From Console:
+
+Perform the following action to deactivate access keys:
+
+1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+**Note**: to manage MFA devices for the root AWS account, you must use your root account credentials to sign in to AWS. You cannot manage MFA devices for the root account using other credentials.
+2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.
+3. Choose `Activate MFA`.
+4. In the wizard, choose `A virtual MFA` device and then choose `Next Step`.
+5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
+6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](https://aws.amazon.com/iam/features/mfa/?audit=2019q1#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
+7. Determine whether the MFA app supports QR codes, and then do one of the following:
+  - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
+  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
+
+When you are finished, the virtual MFA device starts generating one-time passwords.
+
+1. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one- time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.

cis_v120/docs/cis_v120_1_14.md

@@ -0,0 +1,25 @@
+## Description
+
+The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
+
+A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.
+
+**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.
+
+Link to order AWS compatible hardware MFA device: http://onlinenoram.gemalto.com/
+
+## Remediation
+
+Perform the following to establish a hardware MFA for the root account:
+
+1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+
+**Note**: To manage MFA devices for the root AWS account, you must use your root account credentials to sign in to AWS. You cannot manage MFA devices for the root account using other credentials.
+
+2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.
+3. Choose `Activate MFA`.
+4. In the wizard, choose `A hardware MFA` device and then choose `Next Step`.
+5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device.
+6. In the `Authentication Code` 1 box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
+7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number.
+8. Choose `Next Step`. The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.

cis_v120/docs/cis_v120_1_15.md

@@ -0,0 +1,22 @@
+## Description
+
+The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.
+
+When creating a new AWS account, a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the Root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover root login access.
+
+## Remediation
+
+Perform the following in the AWS Management Console:
+
+1. Login to the AWS Account as root.
+2. Click on the `<Root_Account_Name>` from the top right of the console.
+3. From the drop-down menu Click My Account.
+4. Scroll down to the `Configure Security Questions` section.
+5. Click on `Edit`.
+6. Click on each `Question`.
+  - From the drop-down select an appropriate question
+  - Click on the `Answer` section
+  - Enter an appropriate answer.
+    - Follow process for all 3 questions
+7. Click `Update` when complete.
+8. Place Questions and Answers and place in a secure physical location.

cis_v120/docs/cis_v120_1_16.md

@@ -0,0 +1,36 @@
+## Description
+
+By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
+
+Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
+
+## Remediation
+
+Perform the following to create an IAM group and assign a policy to it:
+
+1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+2. In the navigation pane, click Groups and then click `Create New Group`.
+3. In the `Group Name` box, type the name of the group and then click `Next Step`.
+4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step`.
+5. Click `Create Group`.
+
+Perform the following to add a user to a given group:
+
+1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+2. In the navigation pane, click `Groups`.
+3. Select the group to add a user to.
+4. Click `Add Users To Group`.
+5. Select the users to be added to the group.
+6. Click `Add Users`.
+
+Perform the following to remove a direct association between a user and policy:
+
+1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+2. In the left navigation pane, click on Users.
+3. For each user:
+  - Select the user.
+  - Click on the `Permissions` tab.
+  - Expand `Managed Policies`.
+  - Click `Detach Policy` for each policy.
+  - Expand `Inline Policies`.
+  - Click `Remove Policy` for each policy.

cis_v120/docs/cis_v120_1_17.md

@@ -0,0 +1,20 @@
+## Description
+
+Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
+
+An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.
+
+If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers’ and AWS’ best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.
+
+## Remediation
+
+This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ).
+
+- Sign in to the AWS Management Console and open the [Billing and Cost Management console](https://console.aws.amazon.com/billing/home#/).
+- On the navigation bar, choose your account name, and then choose My Account.
+- On the Account Settings page, next to Account Settings, choose Edit.
+- Next to the field that you need to update, choose Edit.
+- After you have entered your changes, choose Save changes.
+- After you have made your changes, choose Done.
+- To edit your contact information, under Contact Information, choose Edit.
+- For the fields that you want to change, type your updated information, and then choose Update.

cis_v120/docs/cis_v120_1_18.md

@@ -0,0 +1,16 @@
+## Description
+
+AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.
+
+Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.
+
+## Remediation
+
+Perform the following in the AWS Management Console to establish security contact information:
+
+1. Click on your account name at the top right corner of the console.
+2. From the drop-down menu Click `My Account`.
+3. Scroll down to the `Alternate Contacts` section.
+4. Enter contact information in the `Security` section.
+
+**Note**: Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.