# Managed Security Review for CIS AWS Foundations Benchmark v1.5.0

This page explains the _managed_ security reviews for CIS AWS Foundations Benchmark v1.5.0 provided by Flatt Security.
Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

## To use managed security reviews

By applying the following Shisho Cloud workflows to your organization, you'll see security review results shortly:

- [Workflows for CIS AWS Foundations Benchmark v1.5.0](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/cis-benchmark/aws-v1.5.0)

## All managed review items

| Title                                                                                                   | Item in Standard | Default Severity | ID in Shisho Cloud                                                          |
| ------------------------------------------------------------------------------------------------------- | ---------------- | ---------------- | --------------------------------------------------------------------------- |
| Ensure that security contact information is registered to AWS accounts                                  | 1.2              | Info             | `decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact`          |
| Ensure the AWS root user does not have access keys                                                      | 1.4              | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_key`                      |
| Ensure MFA is enabled for the root user account                                                         | 1.5              | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa`                      |
| Ensure Hardware MFA is enabled for the root user account                                                | 1.6              | High             | `decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa`             |
| Ensure the AWS root user is used only in limited circumstances                                           | 1.7              | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_usage`                    |
| Ensure IAM password policy requires enough minimum length                                               | 1.8              | High             | `decision.api.shisho.dev/v1beta:aws_iam_password_length`                    |
| Ensure IAM password policy prevents password reuse                                                      | 1.9              | High             | `decision.api.shisho.dev/v1beta:aws_iam_password_reuse`                     |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password      | 1.10             | High             | `decision.api.shisho.dev/v1beta:aws_iam_user_mfa`                           |
| Ensure access keys are not set up during initial user setup for all IAM users with a console password   | 1.11             | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_console_user_keys`                  |
| Ensure credentials unused for a specified number of days are disabled                                   | 1.12             | High             | `decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory`              |
| Ensure there is only one active access key available for any single IAM user                            | 1.13             | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys`         |
| Ensure AWS IAM access keys are rotated within a pre-defined time window                                 | 1.14             | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_key_rotation`                       |
| Ensure IAM users receive permissions only through groups                                                | 1.15             | Low              | `decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment`   |
| Ensure IAM policies that allow full administrative privileges are not attached                          | 1.16             | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation`   |
| Ensure a support role has been created to manage incidents with AWS Support                             | 1.17             | Low              | `decision.api.shisho.dev/v1beta:aws_iam_role_for_support`                   |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed                          | 1.19             | Low              | `decision.api.shisho.dev/v1beta:aws_iam_server_certificates`                |
| Ensure that IAM Access Analyzer is enabled for all regions                                              | 1.20             | Info             | `decision.api.shisho.dev/v1beta:aws_iam_access_analyzers`                   |
| Ensure all S3 buckets are encrypted                                                                     | 2.1.1            | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption`                   |
| Ensure S3 buckets deny HTTP requests                                                                    | 2.1.2            | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_transport`                    |
| Ensure MFA Delete is enabled on S3 buckets                                                              | 2.1.3            | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete`                   |
| Ensure S3 buckets have the Block Public Access feature enabled                                          | 2.1.5            | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block`          |
| Ensure EBS volume encryption is enabled in all regions                                                  | 2.2.1            | Low              | `decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline`         |
| Ensure encryption is enabled for RDS instances                                                          | 2.3.1            | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_encryption`                |
| Ensure auto minor version upgrade feature is enabled for RDS instances                                  | 2.3.2            | Low              | `decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade`              |
| Ensure that public access is not given to RDS instances                                                 | 2.3.3            | High             | `decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility`             |
| Ensure EFS file systems are encrypted                                                                   | 2.4.1            | Medium           | `decision.api.shisho.dev/v1beta:aws_efs_volume_encryption`                  |
| Ensure CloudTrail is enabled in all regions                                                             | 3.1              | High             | `decision.api.shisho.dev/v1beta:aws_cloudtrail_usage`                       |
| Ensure CloudTrail log file validation is enabled                                                        | 3.2              | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation`         |
| Ensure the S3 bucket for CloudTrail logs is not publicly accessible                                     | 3.3              | Low              | `decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility`    |
| Ensure CloudTrail trails are integrated with CloudWatch Logs                                            | 3.4              | Info             | `decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration` |
| Ensure AWS Config is enabled in all regions                                                             | 3.5              | Info             | `decision.api.shisho.dev/v1beta:aws_config_recorder_status`                 |
| Ensure access logging is enabled for important S3 buckets                                               | 3.6              | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging`               |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs                                             | 3.7              | Low              | `decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption`              |
| Ensure rotation for customer created symmetric CMKs is enabled                                          | 3.8              | Low              | `decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation`             |
| Ensure AWS VPC flow logging is enabled                                                                  | 3.9              | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging`            |
| Ensure CloudTrail trails are logging S3 bucket data write events                                        | 3.10             | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail`                  |
| Ensure CloudTrail trails are logging S3 bucket read events                                              | 3.11             | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail`                   |
| Ensure a log metric filter and alarm exist for unauthorized API calls                                   | 4.1              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls`       |
| Ensure a log metric filter and alarm exist for Management Console sign-in without MFA                   | 4.2              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa`           |
| Ensure a log metric filter and alarm exist for usage of the root user                                   | 4.3              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage`      |
| Ensure a log metric filter and alarm exist for IAM policy changes                                       | 4.4              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes`           |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes                         | 4.5              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes`           |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures           | 4.6              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure`         |
| Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 4.7              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes`                  |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes                                 | 4.8              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes`        |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes                         | 4.9              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_config_changes`               |
| Ensure a log metric filter and alarm exist for security group changes                                   | 4.10             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes`       |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)           | 4.11             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes`                 |
| Ensure a log metric filter and alarm exist for changes to network gateways                              | 4.12             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes`      |
| Ensure a log metric filter and alarm exist for route table changes                                      | 4.13             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes`          |
| Ensure a log metric filter and alarm exist for VPC changes                                              | 4.14             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes`                  |
| Ensure a log metric filter and alarm exist for AWS Organizations changes                                | 4.15             | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes`        |
| Ensure AWS Security Hub is enabled                                                                      | 4.16             | Info             | `decision.api.shisho.dev/v1beta:aws_securityhub_usage`                      |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports               | 5.1              | High             | `decision.api.shisho.dev/v1beta:aws_networking_acl_ingress`                 |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports            | 5.2              | High             | `decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4`               |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports                 | 5.3              | High             | `decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6`               |
| Ensure the default security group restricts all traffic                                                 | 5.4              | Info             | `decision.api.shisho.dev/v1beta:aws_networking_sg_baseline`                 |
