Ensure CloudTrail trails are integrated with CloudWatch Logs
CIS-AWS
CloudTrail
Checks if CloudTrail trails are integrated with CloudWatch Logs
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
CIS-AWS
CloudTrail
Checks if a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for usage of "root" account
CIS-AWS
CloudTrail
Checks if a log metric filter and alarm exist for usage of "root" account
Ensure IAM password policy requires at least one symbol
IAM
CIS-AWS
Checks if IAM password policy requires at least one symbol
Ensure CloudTrail is enabled in all regions
CIS-AWS
CloudTrail
Checks if CloudTrail is enabled in all regions
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
CIS-AWS
CloudTrail
Checks if a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
CIS-AWS
CloudTrail
Checks if a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
CloudWatch
CIS-AWS
Checks that a log metric filter and alarm exist for Management Console sign-in without MFA in your AWS account.
Unrestricted HTTPS Access
EC2
Security
CIS-AWS
It is an AWS best practice to be aware of Security Groups that allow HTTPS access from public IPs, to reduce the possibility of a breach. Allowing unrestricted HTTPS access can increase threats such as hacking, denial-of-service (DoS) attacks and loss of data.
IAM Users - Admin Access and MFA Check
IAM
Security
CIS-AWS
Sends a report of IAM users that have Admin access. Administrator access should be given to trusted users only.
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
CloudTrail
CIS-AWS
Checks if a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
AWS Config configuration recorder not enabled
CIS-AWS
Config
Checks if the AWS Config configuration recorder is not enabled
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
CloudTrail
CloudWatch
CIS-AWS
Checks that a log metric filter and alarm exist for Management Console sign-in without MFA in your AWS account.
Ensure a log metric filter and alarm exist for changes to network gateways
CloudTrail
CIS-AWS
Checks if a log metric filter and alarm exist for changes to network gateways