
Managed Security Review for CIS AWS Foundations Benchmark v1.5.0

Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page describes the managed security reviews for CIS AWS Foundations Benchmark v1.5.0 that Flatt Security provides through Shisho Cloud. Flatt Security may provide additional policies beyond those listed here, depending on your support plan.

To use managed security reviews

Apply the Shisho Cloud workflows for this benchmark to your organization; the security review results for the items listed below appear shortly afterward.

All managed review items

| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure the AWS root user does not have access keys | 1.4 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure MFA is enabled for the root user account | 1.5 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure hardware MFA is enabled for the root user account | 1.6 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure the AWS root user is used only for limited purposes | 1.7 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
| Ensure the IAM password policy requires a sufficient minimum length (14 or more characters in CIS 1.8) | 1.8 | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure the IAM password policy prevents password reuse | 1.9 | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure credentials unused for a configured number of days (45 or more in CIS 1.12) are disabled | 1.12 | Medium | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure IAM access keys are rotated within a pre-defined time window (90 days or less in CIS 1.14) | 1.14 | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure IAM policies that allow full administrative privileges are not attached | 1.16 | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure all S3 buckets are encrypted at rest | 2.1.1 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure S3 buckets deny HTTP (non-TLS) requests | 2.1.2 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
| Ensure MFA Delete is enabled on S3 buckets | 2.1.3 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
| Ensure S3 buckets have Block Public Access enabled | 2.1.5 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure EBS volume encryption is enabled by default in all regions | 2.2.1 | Medium | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure encryption at rest is enabled for RDS instances | 2.3.1 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure auto minor version upgrade is enabled for RDS instances | 2.3.2 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure RDS instances are not publicly accessible | 2.3.3 | Critical | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure EFS file systems are encrypted | 2.4.1 | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure access logging is enabled for important S3 buckets (the CloudTrail log bucket in CIS 3.6) | 3.6 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | 5.1 | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
| Ensure the default security group of every VPC restricts all traffic (so that it is never relied on) | 5.4 | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |

Note that in CIS AWS Foundations Benchmark v1.5.0, item 5.1 covers network ACLs and item 5.2 covers IPv4 security group ingress; "remote server administration ports" means SSH (TCP 22) and RDP (TCP 3389), and a rule that opens all protocols or a port range containing either port counts as exposing them.
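As an added illustration of what the networking items above actually evaluate (this is example code written for this page, not Shisho Cloud's or Flatt Security's implementation, whose logic is not shown here), the following Python checks items 5.2, 5.3 and 5.4 over the JSON shape returned by `aws ec2 describe-security-groups`. The sample security groups, their GroupId values and names are constructed for this example. It deliberately treats a protocol of `-1` and port ranges that merely contain 22 or 3389 as exposures, which is where hand-written checks usually miss cases.

```python
from ipaddress import ip_network

# Remote server administration ports named by CIS AWS Foundations v1.5.0 5.1-5.3.
ADMIN_PORTS = (22, 3389)


def permission_covers_admin_port(perm: dict) -> bool:
    """True if one IpPermission entry can reach SSH (22) or RDP (3389).

    IpProtocol "-1" means all protocols and all ports (FromPort/ToPort are
    absent). For tcp/udp, FromPort and ToPort bound the range; -1 on either
    side also means the whole range.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False  # icmp, gre, etc. carry no administration port
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if lo == -1 or hi == -1:
        return True
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def is_unrestricted(cidr: str) -> bool:
    """True only for the 'anywhere' prefixes 0.0.0.0/0 and ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def evaluate_security_groups(groups: list) -> list:
    """Return one finding per ingress rule that exposes an admin port to the world.

    `groups` has the shape of the SecurityGroups array in
    `aws ec2 describe-security-groups` output. IPv4 exposures map to item 5.2,
    IPv6 exposures to item 5.3.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_admin_port(perm):
                continue
            for r in perm.get("IpRanges", []):
                if is_unrestricted(r["CidrIp"]):
                    findings.append({"group_id": sg["GroupId"], "item": "5.2",
                                     "source": r["CidrIp"], "protocol": perm["IpProtocol"]})
            for r in perm.get("Ipv6Ranges", []):
                if is_unrestricted(r["CidrIpv6"]):
                    findings.append({"group_id": sg["GroupId"], "item": "5.3",
                                     "source": r["CidrIpv6"], "protocol": perm["IpProtocol"]})
    return findings


def default_group_restricts_all_traffic(sg: dict) -> bool:
    """Item 5.4: a VPC default security group should carry no rules at all."""
    if sg.get("GroupName") != "default":
        return True  # not a default group, so item 5.4 does not apply
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


# Constructed sample: GroupIds and names are invented for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # 3000-4000 contains 3389, so this range exposes RDP over IPv6.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Default group still carrying AWS's initial self-referencing ingress and open egress.
    {"GroupId": "sg-0d4", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0d4"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Default group with every rule removed, as item 5.4 requires.
    {"GroupId": "sg-0e5", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for f in evaluate_security_groups(SAMPLE_GROUPS):
        print(f"{f['group_id']}: item {f['item']} ingress from {f['source']} ({f['protocol']})")
    for sg in SAMPLE_GROUPS:
        if sg["GroupName"] == "default":
            print(f"{sg['GroupId']}: item 5.4 restricts all traffic = "
                  f"{default_group_restricts_all_traffic(sg)}")
```

Run against real data by piping `aws ec2 describe-security-groups --output json` through `json.load` and passing its `SecurityGroups` list to `evaluate_security_groups`; the checker only reads ingress rules, so egress findings (other than the 5.4 default-group case) are out of its scope.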