Mapping with the CIS Amazon Web Services Foundations Benchmark¶
This section shows the control-level alignment for the CIS Amazon Web Services Foundations Benchmark v5.0.0.
| CIS ID | TrustOnCloud Control ID | Comments |
|---|---|---|
| 1.3 | Iam.C105 states that root credentials should be managed centrally from the management account which is recommended, and it would prevent usage of root user and/or its access keys. | |
| 1.4 | Iam.C81 assured by Iam.C82 under CO27 | Where Iam.C105 cannot be enforced, Iam.C81 recommends using MFA. |
| 1.5 | Iam.C84 assured by Iam.C85 under CO27 | |
| 1.6 | While not specific for the root user, threat Iam.T7 and its controls Iam.C1 and Iam.C2 recommend maintaining the list of IAM permissions able to launch attacks. Additionally, review control Iam.C105 assured by Iam.C110 under CO29 to remove root usage from member accounts in an organization. | |
| 1.9 | Iam.C81 assured by Iam.C82 under CO27 | |
| 1.11 | Iam.C28 assured by Iam.C29 under CO6 | |
| 1.13 | Iam.C29 under CO6 | |
| 1.15 | Iam.C60 assured by Iam.C61 under Iam.CO1 | |
| 1.17 | Iam.C66 assured by Iam.C67 under CO21 | |
| 1.18 | Not recommended, the feature class exists in IAM ThreatModel, but points to ACM as the service to use for certificates. | |
| 1.19 | Iam.C17 under CO1 | |
| 1.20 | Iam.C24 under CO5, Iam.C31 assured by Iam.C32 under CO7 | |
| 1.21 | Iam.C1 and Iam.C2 recommend checking for permissions, they are not specific for CloudShell. | |
| 2.1.1 | S3.C6 assured by S3.C7 under CO1 | Our control includes RCPs as prevention mechanism. |
| 2.1.2 | MFA delete is supported for IAM users only, and we don’t recommend IAM users. S3.C38 assured by S3.C39, can be used to implement a guardrail via RCP or SCP. | |
| 2.1.3 | S3.C118 under CO4 | |
| 2.1.4 | S3.C49 assured by S3.C50 for account level settings, S3.C51 assured by S3.C52 for bucket level settings, under CO13. S3.C53 assured by S3.C54 under CO13 for S3 access points | |
| 2.2.1 | Rds.C35 assured by Rds.C36 under CO10 | |
| 2.2.2 | Rds.C93 assured by Rds.C94 under CO4 | |
| 2.2.3 | Rds.C1 assured by Rds.C3 under CO1 | |
| 2.2.4 | Rds.C160 assured by Rds.C161 under CO35 | |
| 2.3.1 | Efs.C13 assured by Efs.C15 for using authorized KMS keys, Efs.C16 assured by Efs.C18 to prevent unencrypted file systems, both under CO5 | |
| 3.1 | Cloudtrail.C28 assured by Cloudtrail.C29 under CO8 | |
| 3.2 | Cloudtrail.C11 assured by Cloudtrail.C12 under CO4 | |
| 3.3 | Cloudtrail.C28 assured by Cloudtrail.C29 under CO8 | |
| 3.4 | S3.C58 under CO15, S3.C166 under CO39 | |
| 3.5 | Cloudtrail.C25 assured by Cloudtrail.C27 under CO7 | |
| 3.6 | Kms.C9 assured by Kms.C10 under Kms.CO3 | |
| 3.7 | Vpc.C130 assured by Vpc.C131 under CO13, and CO6 to protect VPC flow logs | |
| 3.8 | S3.C8 under CO3 | |
| 3.9 | S3.C8 under CO3 | |
| 4.1 | Iam.C4, Iam.C5 under CO1 for unauthorized actions | We have some additional controls for protecting the log pipeline: Cloudtrail.C4 assured by Cloudtrail.C5 under CO2 for using authorized CloudWatch log groups for trails. Cloudwatch.C17 under CO6 for ensuring authorized metric filters are created, and Cloudwatch.C23 under CO9 to ensure only authorized alarms are created. |
| 4.2 | Iam.C24 assured by Iam.C26 under CO5 states that no IAM user should have a login profile. | |
| 4.3 | Iam.C78 under CO1 using GuardDuty, and Iam.C105 states that root credentials should be managed centrally from the management account which is recommended, Iam.C107 monitors for the short term root credential usage with GuardDuty. | |
| 4.4 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). GuardDuty finding “PrivilegeEscalation:IAMUser/AnomalousBehavior” also covers many of these behaviors (Iam.C77). The APIs mentioned are all well-known to us, and are attached to our threats: DeleteGroupPolicy (Iam.T8), DeleteGroupPolicy (Iam.T8), DeleteUserPolicy (Iam.T8), PutGroupPolicy (Iam.T8), PutRolePolicy (Iam.T8), PutUserPolicy (Iam.T8), CreatePolicy (Iam.T9), DeletePolicyVersion (Iam.T8), CreatePolicyVersion (Iam.T8), AttachRolePolicy (Iam.T8), DetachRolePolicy (Iam.T8), AttachUserPolicy (Iam.T8), DetachUserPolicy (Iam.T8), AttachGroupPolicy (Iam.T8), DetachGroupPolicy (Iam.T8) |
| 4.5 | Cloudtrail.C22 to monitor for disabling CloudTrail, using GuardDuty. For updating the trail, we have more specific IoC: Cloudtrail.C10 for updating the trail with unauthorized bucket, Cloudtrail.C15 for unauthorized parameters, and Cloudtrail.C26 for updating a trail with unauthorized keys. | |
| 4.7 | Kms.C12 and Kms.C14 to monitor unauthorized key deletions or disabling, Kms.C63 to prevent it | |
| 4.8 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
This CIS control serves as a catch-all for specific S3 APIs (one call = one alert). In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned in (f) are all well-known to us, and are attached to our threats: PutBucketAcl (S3.T4), PutBucketPolicy (S3.T37), PutBucketCors (S3.T29), PutBucketLifecycle (S3.T25), PutBucketReplication (S3.T2), DeleteBucketPolicy (S3.T37), DeleteBucketCors (S3.T29), DeleteBucketLifecycle (S3.T25), DeleteBucketReplication (S3.T2). |
| 4.9 | This CIS control serves as a catch-all for APIs related to cause a DoS of the recorder. Control Config.C5 monitors for unauthorized stop of the recorder,Config.C12 monitors for unauthorized updates to the delivery channel, Config.C87 monitors for recording mode overrides, and all actions are associated to threat Config.T2 | |
| 4.10 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned are all well-known to us, and are attached to our threats: AuthorizeSecurityGroupIngress (Vpc.T22), AuthorizeSecurityGroupEgress (Vpc.T22), RevokeSecurityGroupIngress (Vpc.T22), AuthorizeSecurityGroupEgress (Vpc.T22), RevokeSecurityGroupIngress (Vpc.T2), RevokeSecurityGroupEgress (Vpc.T2), DeleteSecurityGroup (Vpc.T3), ModifySecurityGroupRules (Vpc.T22) |
| 4.11 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned are all well-known to us, and are attached to our threats: CreateNetworkAcl (Vpc.T2), CreateNetworkAclEntry (Vpc.T2 and Vpc.T20), DeleteNetworkAcl (Vpc.T3), DeleteNetworkAclEntry (Vpc.T2 and Vpc.T20), ReplaceNetworkAclEntry (Vpc.T2 and Vpc.T20), ReplaceNetworkAclAssociation (Vpc.T2 and Vpc.T20) |
| 4.12 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned are all well-known to us, and are attached to our threats: CreateCustomerGateway (Vpc.T39), DeleteCustomerGateway (Vpc.T3), AttachInternetGateway (Vpc.T16 and Vpc.T18), CreateInternetGateway (Vpc.T16), DeleteInternetGateway (Vpc.T2), DetachInternetGateway (Vpc.T2) |
| 4.13 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned are all well-known to us, and are attached to our threats: CreateRoute (Vpc.T2 and Vpc.T21), CreateRouteTable (Vpc.T21), ReplaceRoute (Vpc.T2 and Vpc.T21), ReplaceRouteTableAssociation (Vpc.T2 and Vpc.T21), DeleteRouteTable (Vpc.T3), DeleteRoute (Vpc.T2 and Vpc.T21), DisassociateRouteTable (Vpc.T2 and Vpc.T21) |
| 4.14 | Iam.C4, Iam.C5, and Iam.C64 under Iam.CO1 Iam.C20 under Iam.CO11 Iam.C57 under Iam.CO18 |
There are no specific monitoring controls for these actions, these tend to be very noisy. In practice, it results in a high number of false positives. We focus our monitoring controls on Indicators of Compromise (IoC) through the controls Iam.C4 (denied calls), Iam.C5 (abnormal calls), Iam.C20 (unauthorized IP source), Iam.C57 (unauthorized service roles), Iam.C64 (unauthorized user agents). The APIs mentioned are all well-known to us, and are attached to our threats: DeleteVpc (Vpc.T3), ModifyVpcAttribute (Vpc.T2), AcceptVpcPeeringConnection (Vpc.T6), CreateVpcPeeringConnection (Vpc.T6), DeleteVpcPeeringConnection (Vpc.T2), AttachClassicLinkVpc (Vpc.T8), DetachClassicLinkVpc (Vpc.T2), DisableVpcClassicLink (Vpc.T2), EnableVpcClassicLink (Vpc.T8) |
| 4.15 | Controls and threats associated to actions: RemoveAccountFromOrganization (Organizations.C11; Organizations.T5), AttachPolicy (Organizations.C5, Organizations.C49; Organizations.T1 and Organizations.T16), InviteAccountToOrganization (Organizations.C12; Organizations.T2), MoveAccount (Organizations.C16; Organizations.T5), DetachPolicy (Organizations.C49, Organizations.C60; Organizations.T1 and Organizations.T16), UpdatePolicy (Organizations.C62; Organizations.T8 and Organizations.T16) The following actions don’t have an specific monitoring control, but are tracked in threats: CreateAccount (Organizations.T2), CreatePolicy (Organizations.T1 and Organizations.T16), DeclineHandshake (Organizations.T3), DeletePolicy (Organizations.T16), DisablePolicyType (Organizations.T1), LeaveOrganization (Organizations.T5), MoveAccount (Organizations.T5) |
|
| 4.16 | Securityhub.C53 under CO15 | |
| 5.1.1 | Ec2.C205 assured by Ec2.C206 under CO27 | The CIS control only asks for default encryption to be enabled, which is covered by our control objective CO27, but we go further to ensure that it’s also encrypted by authorized keys (Ec2.C33 assured by Ec2.C34 and Ec2.C35), and to prevent unencrypted volumes (Ec2.C36 and Ec2.C37). |
| 5.2 | Vpc.C61 under CO9 | |
| 5.5 | Vpc.C132 assured by Vpc.C133 under CO24 | |
| 5.6 | Vpc.C51 assured by Vpc.C52 under CO11 | |
| 5.7 | Ec2.C23 assured by Ec2.C24 and Ec2.C25 under CO6 | Control objective CO6 contains multiple controls to ensure not only that the version is IMDSv2, but if no instance profile is associated it should be disabled (Ec2.C21), and preventative controls to enforce authorized values (Ec2.C27), also controls for ensuring the AMIs are also using v2 (Ec2.C302). |