Managed Security Review for CIS AWS Foundations Benchmark v1.5.0
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews on CIS AWS Foundations Benchmark v1.5.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure the AWS root user does not have access keys | 1.4 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure MFA is enabled for the root user account | 1.5 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure Hardware MFA is enabled for the root user account | 1.6 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure the AWS root user is used only for limited usage | 1.7 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
| Ensure IAM password policy requires enough minimum length | 1.8 | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure IAM password policy prevents password reuse | 1.9 | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure credentials unused for specific days are disabled | 1.12 | Medium | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure AWS IAM access keys are rotated per pre-defined time window | 1.14 | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure IAM policies that allow full administrative privileges are not attached | 1.16 | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure all S3 buckets are encrypted | 2.1.1 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure S3 buckets deny HTTP requests | 2.1.2 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
| Ensure MFA Delete is enabled on S3 buckets | 2.1.3 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
| Ensure S3 buckets enabled block public access feature | 2.1.5 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure EBS volume encryption is enabled in all regions | 2.2.1 | Medium | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure encryption is enabled for RDS instances | 2.3.1 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure auto minor version upgrade feature is enabled for RDS instances | 2.3.2 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure that public access is not given to RDS instances | 2.3.3 | Critical | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure EFS file systems are encrypted | 2.4.1 | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure access logging is enabled for important S3 buckets | 3.6 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.1 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | 5.1 | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
| Block all traffic by the default security group to avoid using it | 5.4 | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |