Skip to main content

Managed Security Review for CIS AWS Foundations Benchmark v3.0.0

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains managed security reviews on CIS AWS Foundations Benchmark v3.0.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

TitleItem in StandardDefault SeverityID in Shisho Cloud
Ensure that security contact information is registered to AWS accounts1.2Infodecision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact
Ensure the AWS root user does not have access keys1.4Criticaldecision.api.shisho.dev/v1beta:aws_iam_root_user_key
Ensure MFA is enabled for the root user account1.5Criticaldecision.api.shisho.dev/v1beta:aws_iam_root_user_mfa
Ensure Hardware MFA is enabled for the root user account1.6Highdecision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa
Ensure the AWS root user is used only for limited usage1.7Criticaldecision.api.shisho.dev/v1beta:aws_iam_root_user_usage
Ensure IAM password policy requires enough minimum length1.8Highdecision.api.shisho.dev/v1beta:aws_iam_password_length
Ensure IAM password policy prevents password reuse1.9Highdecision.api.shisho.dev/v1beta:aws_iam_password_reuse
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password1.10Highdecision.api.shisho.dev/v1beta:aws_iam_user_mfa
Ensure access keys during initial user setup for all IAM users with a console password1.11Mediumdecision.api.shisho.dev/v1beta:aws_iam_console_user_keys
Ensure credentials unused for specific days are disabled1.12Highdecision.api.shisho.dev/v1beta:aws_iam_credentials_inventory
Ensure there is only one active access key available for any single IAM user1.13Mediumdecision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys
Ensure AWS IAM access keys are rotated per pre-defined time window1.14Mediumdecision.api.shisho.dev/v1beta:aws_iam_key_rotation
Ensure IAM users receive permissions only through groups1.15Lowdecision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment
Ensure IAM policies that allow full administrative privileges are not attached1.16Criticaldecision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation
Ensure a support role has been created to manage incidents with AWS Support1.17Lowdecision.api.shisho.dev/v1beta:aws_iam_role_for_support
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed1.19Lowdecision.api.shisho.dev/v1beta:aws_iam_server_certificates
Ensure that IAM Access analyzer is enabled for all regions1.20Infodecision.api.shisho.dev/v1beta:aws_iam_access_analyzers
Ensure S3 buckets deny HTTP requests2.1.1Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_transport
Ensure MFA Delete is enabled on S3 buckets2.1.3Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete
Ensure S3 buckets enabled block public access feature2.1.4Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block
Ensure EBS volume encryption is enabled in all regions2.2.1Lowdecision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline
Ensure encryption is enabled for RDS instances2.3.1Mediumdecision.api.shisho.dev/v1beta:aws_rds_instance_encryption
Ensure auto minor version upgrade feature is enabled for RDS instances2.3.2Lowdecision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade
Ensure that public access is not given to RDS instances2.3.3Highdecision.api.shisho.dev/v1beta:aws_rds_instance_accessibility
Ensure EFS file systems are encrypted2.4.1Mediumdecision.api.shisho.dev/v1beta:aws_efs_volume_encryption
Ensure CloudTrail is enabled in all regions3.1Highdecision.api.shisho.dev/v1beta:aws_cloudtrail_usage
Ensure CloudTrail log file validation is enabled3.2Mediumdecision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation
Ensure AWS Config is enabled in all regions3.3Infodecision.api.shisho.dev/v1beta:aws_config_recorder_status
Ensure access logging is enabled for important S3 buckets3.4Lowdecision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging
Ensure CloudTrail logs are encrypted at rest using KMS CMKs3.5Lowdecision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption
Ensure rotation for customer created symmetric CMKs is enabled3.6Lowdecision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation
Ensure AWS VPC flow logging is enabled3.7Mediumdecision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging
Ensure CloudTrail trails are logging S3 bucket data write events3.8Lowdecision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail
Ensure CloudTrail trails are logging S3 bucket read events3.9Lowdecision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail
Ensure a log metric filter and alarm exist for unauthorized API calls4.1Infodecision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA4.2Infodecision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa
Ensure a log metric filter and alarm exist for usage of the root user4.3Infodecision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage
Ensure a log metric filter and alarm exist for IAM policy changes4.4Infodecision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes4.5Infodecision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures4.6Infodecision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs4.7Infodecision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes
Ensure a log metric filter and alarm exist for S3 bucket policy changes4.8Infodecision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes4.9Infodecision.api.shisho.dev/v1beta:aws_logmetric_config_changes
Ensure a log metric filter and alarm exist for security group changes4.10Infodecision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)4.11Infodecision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes
Ensure a log metric filter and alarm exist for changes to network gateways4.12Infodecision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes
Ensure a log metric filter and alarm exist for route table changes4.13Infodecision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes
Ensure a log metric filter and alarm exist for VPC changes4.14Infodecision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes
Ensure a log metric filter and alarm exist for AWS Organizations changes4.15Infodecision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes
Ensure AWS Security Hub is enabled4.16Infodecision.api.shisho.dev/v1beta:aws_securityhub_usage
Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports5.1Highdecision.api.shisho.dev/v1beta:aws_networking_acl_ingress
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports5.2Highdecision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4
Ensure no security groups allow ingress from ::/0 to remote server administration ports5.3Highdecision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6
Ensure the default security group restricts all traffic5.4Infodecision.api.shisho.dev/v1beta:aws_networking_sg_baseline
Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2)5.6Highdecision.api.shisho.dev/v1beta:aws_ec2_instance_imdsv2