Managed Security Review for AWS
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews for AWS provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
- Workflows for CIS AWS Foundations Benchmark v1.5.0
- Workflows for AWS Foundational Security Best Practices (FSBP)
All managed review items
| Title | Related Standards | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure Application Load Balancer deletion protection is enabled | ELB.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_delete_protection |
| Ensure Application Load Balancers mitigate HTTP desync attacks | ELB.12 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation |
| Ensure Application Load Balancers drop invalid HTTP headers | ELB.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling |
| Ensure Application Load Balancers have an active logging bucket | ELB.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_logging |
| Ensure CloudFront distributions have a default root object | CloudFront.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object |
| Ensure CloudFront distributions have an active logging bucket | CloudFront.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_logging |
| Ensure CloudFront distributions with S3 backends use origin access control enabled | CloudFront.13 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control |
| Ensure that connections to CloudFront distribution origins are forced to use HTTPS | CloudFront.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport |
| Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols | CloudFront.10 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version |
| Ensure that connections to CloudFront distributions are forced to use HTTPS | CloudFront.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_transport |
| Ensure CloudTrail trails are integrated with CloudWatch Logs | 3.4 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs | 3.7 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption |
| Ensure the S3 bucket for CloudTrail logs is not publicly accessible | 3.3 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility |
| Ensure CloudTrail log file validation is enabled | 3.2 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation |
| Ensure CloudTrail is enabled in all regions | 3.1 (CIS AWS v1.5.0) | High | decision.api.shisho.dev/v1beta:aws_cloudtrail_usage |
| Ensure AWS Config is enabled in all regions | 3.5 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_config_recorder_status |
| Ensure EBS volume encryption is enabled in all regions | 2.2.1 (CIS AWS v1.5.0), EC2.7 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure root filesystem operation by ECS containers is limited to read-only access | ECS.5 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission |
| Ensure ECS containers run as non-privileged | ECS.4 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_container_privilege |
| Ensure public IP addresses are not assigned to ECS services automatically | ECS.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip |
| Ensure EFS file systems are encrypted | 2.4.1 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure that IAM Access analyzer is enabled for all regions | 1.20 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_access_analyzers |
| Ensure that security contact information is registered to AWS accounts | 1.2 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact |
| Ensure IAM policies that allow full administrative privileges are not attached | 1.16 (CIS AWS v1.5.0), IAM.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure access keys during initial user setup for all IAM users with a console password | 1.11 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_console_user_keys |
| Ensure credentials unused for specific days are disabled | 1.12 (CIS AWS v1.5.0), IAM.22 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure AWS IAM access keys are rotated per pre-defined time window | 1.14 (CIS AWS v1.5.0), IAM.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure IAM password policy requires enough minimum length | IAM.15 (AWS FSBP), 1.8 (CIS AWS v1.5.0) | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure IAM password policy prevents password reuse | 1.9 (CIS AWS v1.5.0), IAM.16 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure a support role has been created to manage incidents with AWS Support | 1.17 (CIS AWS v1.5.0), IAM.18 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_iam_role_for_support |
| Ensure Hardware MFA is enabled for the root user account | 1.6 (CIS AWS v1.5.0), IAM.6 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure the AWS root user does not have access keys | 1.4 (CIS AWS v1.5.0), IAM.4 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure MFA is enabled for the root user account | IAM.9 (AWS FSBP), 1.5 (CIS AWS v1.5.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure the AWS root user is used only for limited usage | 1.7 (CIS AWS v1.5.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | 1.19 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_server_certificates |
| Ensure there is only one active access key available for any single IAM user | 1.13 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys |
| Ensure IAM users receive permissions only through groups | 1.15 (CIS AWS v1.5.0), IAM.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | 1.10 (CIS AWS v1.5.0), IAM.5 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
| Ensure rotation for customer created symmetric CMKs is enabled | 3.8 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | 4.8 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes | 4.5 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes |
| Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 4.7 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes | 4.9 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_config_changes |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 4.6 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure |
| Ensure a log metric filter and alarm exist for usage of the root user | 4.3 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage |
| Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | 4.2 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa |
| Ensure a log metric filter and alarm exist for IAM policy changes | 4.4 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 4.11 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes |
| Ensure a log metric filter and alarm exist for changes to network gateways | 4.12 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes |
| Ensure a log metric filter and alarm exist for AWS Organizations changes | 4.15 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes |
| Ensure a log metric filter and alarm exist for route table changes | 4.13 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes |
| Ensure a log metric filter and alarm exist for security group changes | 4.10 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes |
| Ensure a log metric filter and alarm exist for unauthorized API calls | 4.1 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls |
| Ensure a log metric filter and alarm exist for VPC changes | 4.14 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | 5.1 (CIS AWS v1.5.0), EC2.21 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure the default security group restricts all traffic | 5.4 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 (CIS AWS v1.5.0), EC2.14 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 (CIS AWS v1.5.0) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
| Ensure AWS VPC flow logging is enabled | EC2.6 (AWS FSBP), 3.9 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
| Ensure that public access is not given to RDS instances | 2.3.3 (CIS AWS v1.5.0), RDS.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure auto minor version upgrade feature is enabled for RDS instances | 2.3.2 (CIS AWS v1.5.0), RDS.13 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure encryption is enabled for RDS instances | 2.3.1 (CIS AWS v1.5.0), RDS.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure access logging is enabled for important S3 buckets | 3.6 (CIS AWS v1.5.0), S3.9 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure all S3 buckets are encrypted | 2.1.1 (CIS AWS v1.5.0), S3.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure MFA Delete is enabled on S3 buckets | 2.1.3 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
| Ensure S3 buckets enabled block public access feature | 2.1.5 (CIS AWS v1.5.0), S3.8 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure CloudTrail trails are logging S3 bucket read events | 3.11 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail |
| Ensure S3 buckets deny HTTP requests | 2.1.2 (CIS AWS v1.5.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
| Ensure CloudTrail trails are logging S3 bucket data write events | 3.10 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail |
| Ensure AWS Security Hub is enabled | 4.16 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_securityhub_usage |