For the CIS AWS Foundations standard, Security Hub supports the following controls. For each control, the information includes the required AWS Config rule and the remediation steps.
1.1 – Avoid the use of the root user

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

The root user has unrestricted access to all services and resources in an AWS account. We highly recommend that you avoid using the root user for daily tasks. Minimizing the use of the root user and adopting the principle of least privilege for access management reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.

As a best practice, use your root user credentials only when required to perform account and service management tasks. Apply IAM policies directly to groups and roles but not users. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and group in the IAM User Guide.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in

The check results in a control status of

For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation

The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic

Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
1.2 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password as well as for an authentication code from their AWS MFA device. CIS recommends that you enable MFA for all accounts that have a console password. MFA provides increased security for console access. It requires the authenticating principal to possess a device that emits a time-sensitive key and to have knowledge of a credential.

The AWS Config rule used for this check may take up to 4 hours to accurately report results for MFA. Any findings that are generated within the first 4 hours after you enable the CIS security checks might not be accurate. It may also take up to 4 hours after you remediate this issue for the check to pass.

AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

Remediation

To add MFA for IAM users, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

1.3 – Ensure credentials unused for 90 days or greater are disabled

Severity: Medium
AWS Config rule:
Schedule type: Periodic

IAM users can access AWS resources using different types of credentials, such as passwords or access keys. CIS recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.

The AWS Config rule for this control uses the

AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

Remediation

To get some of the information that you need to monitor accounts for dated credentials, use the IAM console. For example, when you view users in your account, there is a column for Access key age, Password age, and Last activity. If the value in any of these columns is greater than 90 days, make the credentials for those users inactive.

You can also use credential reports to monitor user accounts and identify those with no activity for 90 or more days. You can download credential reports in .csv format from the IAM console. For more information about credential reports, see Getting credential reports for your AWS Account.

After you identify the inactive accounts or unused credentials, use the following steps to disable them.
1.4 – Ensure access keys are rotated every 90 days or less

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.

When you rotate access keys regularly, you reduce the chance that an access key is used that is associated with a compromised or terminated account. Rotate access keys to ensure that data can't be accessed with an old key that might have been lost, cracked, or stolen.

This control is not supported in Africa (Cape Town) or Europe (Milan).

AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

Remediation

To ensure that access keys aren't more than 90 days old
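The credential report mentioned under 1.3 is a .csv whose columns make both the 1.3 and 1.4 checks straightforward to evaluate offline. The following Python is an added example (not AWS code) that parses such a report and applies both thresholds; the report rows, the account ID and the fixed evaluation time are constructed for the example, while the column names and sentinel values (N/A, no_information, not_supported) are the ones the IAM credential report uses.

```python
"""CIS 1.3 (credentials unused for 90 days or more) and CIS 1.4 (access keys not
rotated within 90 days), evaluated over an IAM credential report (.csv).
The report below is constructed for this example; column names are the report's own."""
import csv
import io
from datetime import datetime, timezone

MAX_DAYS = 90
# Non-date values the report uses for "never", "unknown" and "not applicable".
SENTINELS = {"N/A", "no_information", "not_supported", ""}


def parse_time(value):
    """Report timestamps are ISO 8601 with an explicit offset; sentinels become None."""
    return None if value in SENTINELS else datetime.fromisoformat(value)


def credential_report_findings(report_csv, now):
    """Return {"1.3": [(user, credential, days_unused)],
               "1.4": [(user, key, days_since_rotation)]}."""
    unused, stale = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root credentials are the subject of CIS 1.12 and 1.13, not these checks
        if row["password_enabled"] == "true":
            # A password that has never been used is aged from when it was last set.
            last = (parse_time(row["password_last_used"])
                    or parse_time(row["password_last_changed"])
                    or parse_time(row["user_creation_time"]))
            if (now - last).days >= MAX_DAYS:
                unused.append((row["user"], "password", (now - last).days))
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue  # inactive keys are already disabled
            rotated = parse_time(row[f"{key}_last_rotated"])
            # A key that has never been used is aged from its creation/rotation date.
            last_used = parse_time(row[f"{key}_last_used_date"]) or rotated
            if (now - last_used).days >= MAX_DAYS:          # 1.3: unused 90 days or more
                unused.append((row["user"], key, (now - last_used).days))
            if (now - rotated).days > MAX_DAYS:             # 1.4: older than 90 days
                stale.append((row["user"], key, (now - rotated).days))
    return {"1.3": unused, "1.4": stale}


# Constructed sample report (placeholder account ID 111122223333).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-01-10T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-01T00:00:00+00:00,true,2024-02-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,2024-02-29T00:00:00+00:00,true,true,2023-09-01T00:00:00+00:00,2024-02-10T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-01T00:00:00+00:00,true,2023-10-01T00:00:00+00:00,2023-09-15T00:00:00+00:00,2023-12-14T00:00:00+00:00,false,true,2024-01-20T00:00:00+00:00,2024-02-14T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-legacy,arn:aws:iam::111122223333:user/svc-legacy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# Fixed evaluation time so the example is reproducible (constructed).
REPORT_TIME = datetime(2024, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for control, findings in credential_report_findings(SAMPLE_REPORT, REPORT_TIME).items():
        for user, credential, days in findings:
            print(f"CIS {control}: {user} {credential} ({days} days)")
```

Note that alice passes 1.3 (her key was used five days ago) but fails 1.4 (the key itself is 167 days old), which is why both checks are needed.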
1.5 – Ensure IAM password policy requires at least one uppercase letter

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. CIS recommends that the password policy require at least one uppercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.6 – Ensure IAM password policy requires at least one lowercase letter

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. CIS recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.7 – Ensure IAM password policy requires at least one symbol

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. CIS recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.8 – Ensure IAM password policy requires at least one number

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. CIS recommends that the password policy require at least one number. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.9 – Ensure IAM password policy requires a minimum length of 14 or greater

Severity: Medium
AWS Config rule:
Schedule type: Periodic

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. CIS recommends that the password policy require a minimum password length of 14 characters. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.10 – Ensure IAM password policy prevents password reuse

Severity: Low
AWS Config rule:
Schedule type: Periodic

This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24.

IAM password policies can prevent the reuse of a given password by the same user. CIS recommends that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts.

Remediation

To modify the password policy

1.11 – Ensure IAM password policy expires passwords within 90 days or less

Severity: Low
AWS Config rule:
Schedule type: Periodic

IAM password policies can require passwords to be rotated or expired after a given number of days. CIS recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios:

Remediation

To modify the password policy
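Controls 1.5 through 1.11 all read the same object, the account password policy. The following Python is an added example (not AWS code) that evaluates that object against all seven controls at once, with a weak policy beside a compliant one; the field names are those of the IAM GetAccountPasswordPolicy response, and the two sample policies are constructed for the example.

```python
"""Evaluate an IAM account password policy against CIS 1.5 through 1.11.
`policy` is the PasswordPolicy object returned by get-account-password-policy;
pass None when that call reports NoSuchEntity (the account has never set a policy),
in which case every control fails. Sample policies below are constructed."""

CIS_PASSWORD_CONTROLS = ("1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11")


def evaluate_password_policy(policy):
    """Return {control_id: True if compliant} for the seven password-policy controls."""
    if policy is None:
        return {cid: False for cid in CIS_PASSWORD_CONTROLS}
    return {
        "1.5": bool(policy.get("RequireUppercaseCharacters", False)),
        "1.6": bool(policy.get("RequireLowercaseCharacters", False)),
        "1.7": bool(policy.get("RequireSymbols", False)),
        "1.8": bool(policy.get("RequireNumbers", False)),
        "1.9": policy.get("MinimumPasswordLength", 0) >= 14,
        # 1.10 is an equality test: the control fails unless the value is exactly 24.
        "1.10": policy.get("PasswordReusePrevention") == 24,
        # ExpirePasswords is only true when MaxPasswordAge is set; CIS wants 90 days or less.
        "1.11": bool(policy.get("ExpirePasswords", False))
                and 0 < policy.get("MaxPasswordAge", 0) <= 90,
    }


def failing_controls(policy):
    """Control IDs that would produce a FAILED finding for this policy."""
    return [cid for cid, ok in evaluate_password_policy(policy).items() if not ok]


# Constructed: a weak policy (no complexity rules, no expiry, no reuse limit).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed: the same policy corrected to satisfy every control on this page.
CIS_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

if __name__ == "__main__":
    print("weak policy fails:", failing_controls(WEAK_POLICY))
    print("CIS policy fails:", failing_controls(CIS_POLICY))
```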
1.12 – Ensure no root user access key exists

Severity: Critical
AWS Config rule:
Schedule type: Periodic

The root user has complete access to all services and resources in an AWS account. AWS access keys provide programmatic access to a given account. CIS recommends that all access keys associated with the root user be removed. Removing access keys associated with the root user limits the vectors by which the account can be compromised. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged.

This control is not supported in Asia Pacific (Osaka).

Remediation

To delete the root user access key, see Deleting access keys for the root user in the IAM User Guide.

1.13 – Ensure MFA is enabled for the root user

Severity: Critical
AWS Config rule:
Schedule type: Periodic

The root user has complete access to all the services and resources in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.

When you use virtual MFA for the root user, CIS recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.

This control is not supported in the following Regions.
Remediation

To add MFA to the root user, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

1.14 – Ensure hardware MFA is enabled for the root user

Severity: Critical
AWS Config rule:
Schedule type: Periodic

The root user has complete access to all services and resources in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.

For Level 2, CIS recommends that you protect root user credentials with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.

Using hardware MFA for many, many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.

Both time-based one-time password (TOTP) and Universal 2nd Factor (U2F) tokens are viable as hardware MFA options.

This control is not supported in the following Regions.
Remediation

To add a hardware MFA device for the root user, see Enable a hardware MFA device for the AWS account root user (console) in the IAM User Guide.

1.16 – Ensure IAM policies are attached only to groups or roles

Severity: Low
AWS Config rule:
Schedule type: Change triggered

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity might in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.

IAM users created by Amazon Simple Email Service are automatically created using inline policies. Security Hub automatically exempts these users from this control.

AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

Remediation

To resolve this issue, create an IAM group, and attach the policy to the group. Then, add the users to the group. The policy is applied to each user in the group. To remove a policy attached directly to a user, see Adding and removing IAM identity permissions in the IAM User Guide.

1.20 – Ensure a support role has been created to manage incidents with AWS Support

Severity: Low
AWS Config rule:
Schedule type: Periodic

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM role to allow authorized users to manage incidents with AWS Support. By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with AWS Support.

This control is not supported in the following Regions.

Remediation

To remediate this issue, create a role to allow authorized users to manage AWS Support incidents.

To create the role to use for AWS Support access
1.22 – Ensure IAM policies that allow full "*:*" administrative privileges are not created

Severity: High
AWS Config rule:
Schedule type: Change triggered

This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access by including a statement with

The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies.

IAM policies define a set of privileges granted to users, groups, or roles. It's recommended and considered standard security advice to grant least privilege—that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user requires exposes the resources to potentially unwanted actions.

You should remove IAM policies that have a statement with

AWS Config should be enabled in all Regions in which you use Security Hub. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

Remediation

To modify your IAM policies so that they do not allow full "*" administrative privileges, see Editing IAM policies in the IAM User Guide.

2.1 – Ensure CloudTrail is enabled in all Regions

Severity: High
AWS Config rule:
Schedule type: Periodic

This control checks that there is at least one multi-Region CloudTrail trail. It also checks that the

CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail provides a history of AWS API calls for an account, including API calls made via the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.

Remediation

To create a new trail in CloudTrail

To update an existing trail in CloudTrail
2.2 – Ensure CloudTrail log file validation is enabled

Severity: Medium
AWS Config rule:
Schedule type: Periodic

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. CIS recommends that you enable file validation on all trails. Enabling log file validation provides additional integrity checking of CloudTrail logs.

Remediation

To enable CloudTrail log file validation
2.3 – Ensure the S3 bucket CloudTrail logs to is not publicly accessible

Severity: Critical
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic and change triggered

CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.

To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check whether that bucket is publicly accessible.

If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is No data.

If the bucket is publicly accessible, the check generates a failed finding.

Remediation

To remove public access for an Amazon S3 bucket
2.4 – Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs

Severity: Low
AWS Config rule:
Schedule type: Periodic

CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group.

CIS recommends that you send CloudTrail logs to CloudWatch Logs. The intent of this recommendation is to ensure that account activity is captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but doesn't preclude the use of an alternate solution. Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. It provides the opportunity to establish alarms and notifications for anomalous or sensitive account activity.

Remediation

To ensure that CloudTrail trails are integrated with CloudWatch Logs
For more information, see Configuring CloudWatch Logs monitoring with the console in the AWS CloudTrail User Guide.

2.5 – Ensure AWS Config is enabled

Severity: Medium
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. CIS recommends that you enable AWS Config in all Regions. The AWS configuration item history that AWS Config captures enables security analysis, resource change tracking, and compliance auditing.

CIS 2.5 requires that AWS Config is enabled in all Regions in which you use Security Hub. Because Security Hub is a regional service, the check performed for this control checks only the current Region for the account. It does not check all Regions.

You also must record global resources so that security checks against global resources can be checked in each Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources. You may also consider disabling these IAM controls (CIS 1.2, CIS 1.3, CIS 1.4, CIS 1.16, CIS 1.22) in Regions in which global resource recording is not enabled. Since IAM is a global service, IAM resources will only be recorded in the Region in which global resource recording is enabled.

To run this check, Security Hub uses custom logic to perform the audit steps prescribed for it in the CIS AWS Foundations Benchmark v1.2. Security Hub also requires that global resources are recorded in each Region, because Security Hub is a regional service and performs its security checks on a Region-by-Region basis.

Remediation

To configure AWS Config settings
For more information about using AWS Config from the AWS Command Line Interface, see Turning on AWS Config in the AWS Config Developer Guide. You can also use an AWS CloudFormation template to automate this process. For more information, see the AWS CloudFormation StackSets sample template in the AWS CloudFormation User Guide.

2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources the request worked on, and the time and date the request was processed. CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.

To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled.

If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is No data.

If the bucket is publicly accessible, the check generates a failed finding.

Remediation

To enable S3 bucket access logging
2.7 – Ensure CloudTrail logs are encrypted at rest using AWS KMS keys

Severity: Medium
AWS Config rule:
Schedule type: Periodic

CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (AWS KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses hardware security modules (HSMs) to protect the security of encryption keys.

You can configure CloudTrail logs to leverage server-side encryption (SSE) and KMS keys to further protect CloudTrail logs. CIS recommends that you configure CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data because a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the KMS key policy.

If you are using AWS Control Tower, you can encrypt your CloudTrail logs with an AWS KMS key. For more information, see Optionally configure AWS KMS keys in the AWS Control Tower User Guide.

Remediation

To enable encryption for CloudTrail logs
You might need to modify the policy for CloudTrail to successfully interact with your KMS key. For more information, see Encrypting CloudTrail log files with AWS KMS–Managed Keys (SSE-KMS) in the AWS CloudTrail User Guide.

2.8 – Ensure rotation for customer-created KMS keys is enabled

Severity: Medium
AWS Config rule:
Schedule type: Periodic

AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the KMS key. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. CIS recommends that you enable KMS key rotation. Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.

Remediation

To enable KMS key rotation
2.9 – Ensure VPC flow logging is enabled in all VPCs

Severity: Medium
AWS Config rule:
Schedule type: Periodic

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs. CIS recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or provide insight during security workflows.

Remediation

To enable VPC flow logging
3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.1 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in

The check results in a control status of

For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation

The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic

Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.2 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in

The check results in a control status of

For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation

The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic

Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.3 – Ensure a log metric filter and alarm exist for usage of root user

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.3 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in

The check results in a control status of

For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation

The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic

Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.4 – Ensure a log metric filter and alarm exist for IAM policy changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.4 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter. Note that the alarm checks for specific API operations by name. One of these operations is

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.5 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.6 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
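As an added example (not code from the Security Hub documentation or from AWS), the following Python re-implements the filter logic of controls 3.2, 3.3, 3.5 and 3.6 locally over constructed CloudTrail records, so that you can see which events each filter counts, and which edge cases it excludes, before wiring an alarm to it. The pattern strings in the comments are quoted from the CIS AWS Foundations Benchmark v1.2, which this page does not reproduce; the `field` helper, `evaluate`, and the sample events are my own.

```python
"""Local dry run of the CloudWatch Logs metric-filter logic behind CIS controls 3.2, 3.3, 3.5, 3.6.
Patterns are quoted from the CIS AWS Foundations Benchmark v1.2 (not from this page); Security Hub
still needs the literal pattern string on the log group, so this only tests what each filter counts."""


def field(event, path):
    """Resolve a dotted JSON path such as 'userIdentity.invokedBy'; None when absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


# 3.2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def console_login_without_mfa(event):
    return (field(event, "eventName") == "ConsoleLogin"
            and field(event, "additionalEventData.MFAUsed") != "Yes")


# 3.3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#        && $.eventType != "AwsServiceEvent" }
def root_usage(event):
    return (field(event, "userIdentity.type") == "Root"
            and field(event, "userIdentity.invokedBy") is None
            and field(event, "eventType") != "AwsServiceEvent")


# 3.5: { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
#        || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
CLOUDTRAIL_CONFIG_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                            "StartLogging", "StopLogging"}


def cloudtrail_config_change(event):
    return field(event, "eventName") in CLOUDTRAIL_CONFIG_EVENTS


# 3.6: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
def console_auth_failure(event):
    return (field(event, "eventName") == "ConsoleLogin"
            and field(event, "errorMessage") == "Failed authentication")


CONTROLS = {"3.2": console_login_without_mfa, "3.3": root_usage,
            "3.5": cloudtrail_config_change, "3.6": console_auth_failure}


def evaluate(events):
    """Return {control: [eventID, ...]} listing the events each filter would count."""
    hits = {control: [] for control in CONTROLS}
    for event in events:
        for control, predicate in CONTROLS.items():
            if predicate(event):
                hits[control].append(event["eventID"])
    return hits


# Constructed CloudTrail records (fake IDs, no real account), trimmed to the fields the patterns read.
SAMPLE_EVENTS = [
    # Root signs in with MFA: 3.3 counts it, 3.2 does not.
    {"eventID": "ev-1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    # IAM user signs in without MFA: 3.2 counts it.
    {"eventID": "ev-2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}},
    # Failed password: 3.6 counts it, and so does 3.2, because the record also carries
    # MFAUsed "No" (as CloudTrail failed sign-in records do); expect both alarms on brute-force noise.
    {"eventID": "ev-3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
    # Root credentials used via a service (invokedBy present): excluded from 3.3.
    {"eventID": "ev-4", "eventType": "AwsApiCall", "eventName": "DescribeTrails",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},
    # Logging stopped on a trail: 3.5 counts it.
    {"eventID": "ev-5", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole"}},
    # Service-originated event attributed to root: excluded from 3.3 by eventType.
    {"eventID": "ev-6", "eventType": "AwsServiceEvent", "eventName": "RotateSecret",
     "userIdentity": {"type": "Root"}},
]
```

Because the check demands the benchmark's exact pattern text, use this only to understand and test the filter's behaviour; the string you pass to the metric filter must stay verbatim.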
3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.7 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. The control also fails if

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.8 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. CIS recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.9 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.10 – Ensure a log metric filter and alarm exist for security group changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.10 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.11 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.12 – Ensure a log metric filter and alarm exist for changes to network gateways

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.12 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.13 – Ensure a log metric filter and alarm exist for route table changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.13 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
3.14 – Ensure a log metric filter and alarm exist for VPC changes

Severity: Low
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.

To run this check, Security Hub uses custom logic to perform the exact audit steps prescribed for control 3.14 in the CIS AWS Foundations Benchmark v1.2. This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

When Security Hub performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region. The check results in
The check results in a control status of
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling

Remediation
The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

To create an Amazon SNS topic
Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in 2.1 – Ensure CloudTrail is enabled in all Regions. Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

To create a metric filter and alarm
4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

Severity: High
AWS Config rule:
Schedule type: Change triggered

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. CIS recommends that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

This control is not supported in the following Regions.

Remediation
Perform the following steps for each security group associated with a VPC.
4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Severity: High
AWS Config rule:
Schedule type: Change triggered

The name of the associated AWS Config managed rule is

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. CIS recommends that no security group allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

This control is not supported in the following Regions.

Remediation
Perform the following steps for each security group associated with a VPC.
4.3 – Ensure the default security group of every VPC restricts all traffic

Severity: High
AWS Config rule:
Schedule type: Change triggered

A VPC comes with a default security group with initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources.

CIS recommends that the default security group restrict all traffic. Update the default security group for the default VPC in every Region to comply. Any new VPCs automatically contain a default security group that you need to remediate to comply with this recommendation.

When implementing this recommendation, you can use VPC flow logging, enabled for 2.9 – Ensure VPC flow logging is enabled in all VPCs, to determine the least-privilege port access that systems require to work properly. VPC flow logging can log all packet acceptances and rejections that occur under the current security groups. Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups. This in turn reduces the exposure of those resources.

Remediation
To update the default security group to restrict all access
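As an added example (not the code of the AWS Config managed rules behind these controls), the following Python evaluates constructed DescribeSecurityGroups-style data the way controls 4.1 to 4.3 describe: ingress open to the world on ports 22 and 3389, and default security groups that still carry any rule. The function names and sample group IDs are my own, and treating ::/0 as equivalent to 0.0.0.0/0 is an assumption that goes beyond the benchmark's wording.

```python
"""Local evaluation of CIS 4.1, 4.2 and 4.3 over DescribeSecurityGroups-shaped data."""

# The benchmark text names 0.0.0.0/0; ::/0 is added here as an assumption (the IPv6 any-address).
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def rule_reaches_port(permission, port):
    """True if one IpPermissions entry covers TCP `port` (or every protocol and port)."""
    proto = str(permission.get("IpProtocol", ""))
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):           # UDP/ICMP rules never expose an SSH or RDP port
        return False
    low = permission.get("FromPort", 0)
    high = permission.get("ToPort", 65535)
    return low <= port <= high              # a wide range that includes the port still counts


def rule_is_world_open(permission):
    """True if the entry's IPv4 or IPv6 ranges include an any-address CIDR."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return any(c in ANY_ADDRESS for c in cidrs)


def world_open_ports(groups, ports=(22, 3389)):
    """4.1 / 4.2: sorted (GroupId, port) pairs reachable from anywhere on ingress."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):     # ingress only; egress is not in scope
            if not rule_is_world_open(perm):
                continue
            for port in ports:
                if rule_reaches_port(perm, port):
                    findings.add((group["GroupId"], port))
    return sorted(findings)


def open_default_groups(groups):
    """4.3: default security groups that still hold any ingress or egress rule."""
    return sorted(g["GroupId"] for g in groups
                  if g.get("GroupName") == "default"
                  and (g.get("IpPermissions") or g.get("IpPermissionsEgress")))


# Constructed inventory (fake group IDs) in the shape of DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    # SSH open to the IPv4 world: 4.1 finding.
    {"GroupId": "sg-aaaa0001", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    # A broad TCP range from ::/0 that happens to include 3389: 4.2 finding.
    {"GroupId": "sg-aaaa0002", "GroupName": "rdp-wide",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    # SSH restricted to a private range: compliant.
    {"GroupId": "sg-aaaa0003", "GroupName": "internal-ssh",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    # Untouched default group: self-referencing ingress plus allow-all egress, so 4.3 flags it.
    {"GroupId": "sg-aaaa0004", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-aaaa0004"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Remediated default group with every rule removed: compliant.
    {"GroupId": "sg-aaaa0005", "GroupName": "default",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
```

Note that sg-aaaa0004 is not reported by `world_open_ports`: its allow-all rule is egress, and its ingress rule references only itself, which is exactly why 4.3 is a separate control from 4.1 and 4.2.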
For more information, see Working with Security Groups in the Amazon VPC User Guide.

How do I know if I am logged in as root?
If you are able to use sudo to run any command (for example, passwd to change the root password), you definitely have root access. A UID of 0 (zero) means "root", always.

What command would you use to log in as the root account?
You need to use the su, sudo, or doas command to switch to the root user account.

Which file contains user account information?
The /etc/passwd file stores essential information required during login. In other words, it stores user account information. /etc/passwd is a plain text file. It contains a list of the system's accounts, giving for each account some useful information such as user ID, group ID, home directory, shell, and more.

How do I find the root user?
How to get root access on a Linux operating system: click the icon in the lower left corner (the start button), then click the Terminal menu item to open the terminal. Enter the command below and press Enter: % sudo su - . Your terminal prompt becomes #, and you now have root privileges for all operations in that terminal window.