Managed Security Review for CIS AWS Foundations Benchmark v1.5.0
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews on CIS AWS Foundations Benchmark v1.5.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure that security contact information is registered to AWS accounts | 1.2 | Info | decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact |
| Ensure the AWS root user does not have access keys | 1.4 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure MFA is enabled for the root user account | 1.5 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure Hardware MFA is enabled for the root user account | 1.6 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure the AWS root user is used only for limited usage | 1.7 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
| Ensure IAM password policy requires enough minimum length | 1.8 | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure IAM password policy prevents password reuse | 1.9 | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | 1.10 | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
| Ensure access keys during initial user setup for all IAM users with a console password | 1.11 | Medium | decision.api.shisho.dev/v1beta:aws_iam_console_user_keys |
| Ensure credentials unused for specific days are disabled | 1.12 | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure there is only one active access key available for any single IAM user | 1.13 | Medium | decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys |
| Ensure AWS IAM access keys are rotated per pre-defined time window | 1.14 | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure IAM users receive permissions only through groups | 1.15 | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
| Ensure IAM policies that allow full administrative privileges are not attached | 1.16 | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure a support role has been created to manage incidents with AWS Support | 1.17 | Low | decision.api.shisho.dev/v1beta:aws_iam_role_for_support |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | 1.19 | Low | decision.api.shisho.dev/v1beta:aws_iam_server_certificates |
| Ensure that IAM Access analyzer is enabled for all regions | 1.20 | Info | decision.api.shisho.dev/v1beta:aws_iam_access_analyzers |
| Ensure all S3 buckets are encrypted | 2.1.1 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure S3 buckets deny HTTP requests | 2.1.2 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
| Ensure MFA Delete is enabled on S3 buckets | 2.1.3 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
| Ensure S3 buckets enabled block public access feature | 2.1.5 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure EBS volume encryption is enabled in all regions | 2.2.1 | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure encryption is enabled for RDS instances | 2.3.1 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure auto minor version upgrade feature is enabled for RDS instances | 2.3.2 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure that public access is not given to RDS instances | 2.3.3 | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure EFS file systems are encrypted | 2.4.1 | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure CloudTrail is enabled in all regions | 3.1 | High | decision.api.shisho.dev/v1beta:aws_cloudtrail_usage |
| Ensure CloudTrail log file validation is enabled | 3.2 | Medium | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation |
| Ensure the S3 bucket for CloudTrail logs is not publicly accessible | 3.3 | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility |
| Ensure CloudTrail trails are integrated with CloudWatch Logs | 3.4 | Info | decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration |
| Ensure AWS Config is enabled in all regions | 3.5 | Info | decision.api.shisho.dev/v1beta:aws_config_recorder_status |
| Ensure access logging is enabled for important S3 buckets | 3.6 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs | 3.7 | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption |
| Ensure rotation for customer created symmetric CMKs is enabled | 3.8 | Low | decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation |
| Ensure AWS VPC flow logging is enabled | 3.9 | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
| Ensure CloudTrail trails are logging S3 bucket data write events | 3.10 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail |
| Ensure CloudTrail trails are logging S3 bucket read events | 3.11 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail |
| Ensure a log metric filter and alarm exist for unauthorized API calls | 4.1 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls |
| Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | 4.2 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa |
| Ensure a log metric filter and alarm exist for usage of the root user | 4.3 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage |
| Ensure a log metric filter and alarm exist for IAM policy changes | 4.4 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes | 4.5 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 4.6 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure |
| Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 4.7 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | 4.8 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes | 4.9 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_config_changes |
| Ensure a log metric filter and alarm exist for security group changes | 4.10 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 4.11 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes |
| Ensure a log metric filter and alarm exist for changes to network gateways | 4.12 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes |
| Ensure a log metric filter and alarm exist for route table changes | 4.13 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes |
| Ensure a log metric filter and alarm exist for VPC changes | 4.14 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes |
| Ensure a log metric filter and alarm exist for AWS Organizations changes | 4.15 | Info | decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes |
| Ensure AWS Security Hub is enabled | 4.16 | Info | decision.api.shisho.dev/v1beta:aws_securityhub_usage |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | 5.1 | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
| Ensure the default security group restricts all traffic | 5.4 | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |