├── .github └── workflows │ ├── update-major-tag.yml │ ├── verify-ec2-other.yml │ └── verify-ec2.yml ├── .gitignore ├── .rubocop.yml ├── CODE_OF_CONDUCT.md ├── Gemfile ├── LICENSE.md ├── NOTICE.md ├── README.md ├── Rakefile ├── VERSION ├── controls ├── aws-foundations-cis-1.1.rb ├── aws-foundations-cis-1.10.rb ├── aws-foundations-cis-1.11.rb ├── aws-foundations-cis-1.12.rb ├── aws-foundations-cis-1.13.rb ├── aws-foundations-cis-1.14.rb ├── aws-foundations-cis-1.15.rb ├── aws-foundations-cis-1.16.rb ├── aws-foundations-cis-1.17.rb ├── aws-foundations-cis-1.18.rb ├── aws-foundations-cis-1.19.rb ├── aws-foundations-cis-1.2.rb ├── aws-foundations-cis-1.20.rb ├── aws-foundations-cis-1.21.rb ├── aws-foundations-cis-1.22.rb ├── aws-foundations-cis-1.3.rb ├── aws-foundations-cis-1.4.rb ├── aws-foundations-cis-1.5.rb ├── aws-foundations-cis-1.6.rb ├── aws-foundations-cis-1.7.rb ├── aws-foundations-cis-1.8.rb ├── aws-foundations-cis-1.9.rb ├── aws-foundations-cis-2.1.1.rb ├── aws-foundations-cis-2.1.2.rb ├── aws-foundations-cis-2.1.3.rb ├── aws-foundations-cis-2.1.4.rb ├── aws-foundations-cis-2.2.1.rb ├── aws-foundations-cis-2.3.1.rb ├── aws-foundations-cis-2.3.2.rb ├── aws-foundations-cis-2.3.3.rb ├── aws-foundations-cis-2.4.1.rb ├── aws-foundations-cis-3.1.rb ├── aws-foundations-cis-3.10.rb ├── aws-foundations-cis-3.11.rb ├── aws-foundations-cis-3.2.rb ├── aws-foundations-cis-3.3.rb ├── aws-foundations-cis-3.4.rb ├── aws-foundations-cis-3.5.rb ├── aws-foundations-cis-3.6.rb ├── aws-foundations-cis-3.7.rb ├── aws-foundations-cis-3.8.rb ├── aws-foundations-cis-3.9.rb ├── aws-foundations-cis-4.1.rb ├── aws-foundations-cis-4.10.rb ├── aws-foundations-cis-4.11.rb ├── aws-foundations-cis-4.12.rb ├── aws-foundations-cis-4.13.rb ├── aws-foundations-cis-4.14.rb ├── aws-foundations-cis-4.15.rb ├── aws-foundations-cis-4.16.rb ├── aws-foundations-cis-4.2.rb ├── aws-foundations-cis-4.3.rb ├── aws-foundations-cis-4.4.rb ├── aws-foundations-cis-4.5.rb ├── aws-foundations-cis-4.6.rb ├── aws-foundations-cis-4.7.rb ├── aws-foundations-cis-4.8.rb ├── aws-foundations-cis-4.9.rb ├── aws-foundations-cis-5.1.rb ├── aws-foundations-cis-5.2.rb ├── aws-foundations-cis-5.3.rb ├── aws-foundations-cis-5.4.rb ├── aws-foundations-cis-5.5.rb └── aws-foundations-cis-5.6.rb ├── default.inputs.yml ├── default.threshold.yml ├── generate_inputs.rb ├── inspec.yml ├── other.inputs.yml ├── other.threshold.yml └── utils ├── 5.3-aws-cli.sh └── inactive-iam-users.sh /.github/workflows/update-major-tag.yml: -------------------------------------------------------------------------------- 1 | name: Update Major Release Tag 2 | 3 | on: 4 | release: 5 | types: [created] 6 | workflow_dispatch: 7 | 8 | jobs: 9 | movetag: 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - uses: actions/checkout@v4 14 | with: 15 | fetch-depth: 0 16 | 17 | - name: Get major version num and update tag 18 | run: | 19 | VERSION=${GITHUB_REF#refs/tags/} 20 | MAJOR=${VERSION%%.*} 21 | git config --global user.name ${{ vars.SAF_GITHUB_USER_NAME }} 22 | git config --global user.email ${{ vars.SAF_GITHUB_USER_EMAIL }} 23 | git tag -fa ${MAJOR} -m "Update major version tag" 24 | git push origin ${MAJOR} --force 25 | -------------------------------------------------------------------------------- /.github/workflows/verify-ec2-other.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CIS AWS Foundations v2.0.0 - Other 3 | 4 | on: 5 | push: 6 | branches: 7 | - master 8 | - main 9 | pull_request: 10 | 11 | jobs: 12 | my-job: 13 | name: Validate the CIS AWS Benchmark v2.0 14 | runs-on: ubuntu-latest 15 | env: 16 | CHEF_LICENSE: accept-silent 17 | CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} 18 | RESULTS_FILE: other_inspec_results.json 19 | PROFILE_FILE: profile.json 20 | INPUT_FILE: other.inputs.yml 21 | THRESHOLD_FILE: other.threshold.yml 22 | AWS_REGION: ${{ secrets.OTHER_AWS_REGION }} 23 | HEIMDALL_URL: https://heimdall-demo.mitre.org 24 | steps: 25 | - name: add needed packages 26 | run: sudo apt-get install -y jq curl 27 | 28 | - name: Configure AWS credentials 29 | env: 30 | AWS_REGION: ${{ secrets.OTHER_AWS_REGION }} 31 | #AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} 32 | 33 | uses: aws-actions/configure-aws-credentials@v4 34 | with: 35 | aws-access-key-id: ${{ secrets.OTHER_AWS_ACCESS_KEY }} 36 | aws-secret-access-key: ${{ secrets.OTHER_AWS_SECRET }} 37 | aws-region: ${{ secrets.OTHER_AWS_REGION }} 38 | audience: https://sts.${{ secrets.OTHER_AWS_REGION }}.amazonaws.com 39 | 40 | - name: Check out repository 41 | uses: actions/checkout@v4 42 | 43 | - name: Clone full repository so we can push 44 | run: git fetch --prune --unshallow 45 | 46 | - name: Set short git commit SHA 47 | id: vars 48 | run: | 49 | calculatedSha=$(git rev-parse --short ${{ github.sha }}) 50 | echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV 51 | 52 | - name: Confirm git commit SHA output 53 | run: echo ${{ env.COMMIT_SHORT_SHA }} 54 | 55 | - name: Setup Ruby 56 | uses: ruby/setup-ruby@v1 57 | with: 58 | ruby-version: "3.1" 59 | 60 | - name: Disable ri and rdoc 61 | run: 'echo "gem: --no-document" >> ~/.gemrc' 62 | 63 | - name: Bundle Install 64 | run: bundle install 65 | 66 | - name: Installed Inspec 67 | run: bundle exec inspec version 68 | 69 | - name: Vendor the InSpec Profile 70 | run: bundle exec inspec vendor --overwrite 71 | 72 | - name: Lint the Inspec profile 73 | run: bundle exec inspec check . 74 | 75 | - name: Run the Profile 76 | run: | 77 | bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true 78 | 79 | - name: Save Test Result JSON 80 | uses: actions/upload-artifact@v4 81 | with: 82 | name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results 83 | path: | 84 | ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} 85 | 86 | - name: Upload to Heimdall 87 | run: | 88 | curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations" 89 | 90 | - name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary 91 | uses: mitre/saf_action@v1 92 | with: 93 | command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}" 94 | 95 | - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold 96 | uses: mitre/saf_action@v1 97 | with: 98 | command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}" 99 | 100 | -------------------------------------------------------------------------------- /.github/workflows/verify-ec2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CIS AWS Foundations v2.0.0 3 | 4 | on: 5 | push: 6 | branches: 7 | - master 8 | - main 9 | pull_request: 10 | 11 | jobs: 12 | my-job: 13 | name: Validate my profile 14 | runs-on: ubuntu-latest 15 | env: 16 | CHEF_LICENSE: accept-silent 17 | CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} 18 | RESULTS_FILE: inspec_results.json 19 | PROFILE_FILE: profile.json 20 | INPUT_FILE: default.inputs.yml 21 | THRESHOLD_FILE: default.threshold.yml 22 | HEIMDALL_URL: https://heimdall-demo.mitre.org 23 | steps: 24 | - name: add needed packages 25 | run: sudo apt-get install -y jq curl 26 | 27 | - name: Configure AWS credentials 28 | env: 29 | AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} 30 | AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} 31 | 32 | uses: aws-actions/configure-aws-credentials@v2 33 | with: 34 | aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} 35 | aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} 36 | aws-region: us-east-1 37 | 38 | - name: Check out repository 39 | uses: actions/checkout@v4 40 | 41 | - name: Clone full repository so we can push 42 | run: git fetch --prune --unshallow 43 | 44 | - name: Set short git commit SHA 45 | id: vars 46 | run: | 47 | calculatedSha=$(git rev-parse --short ${{ github.sha }}) 48 | echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV 49 | 50 | - name: Confirm git commit SHA output 51 | run: echo ${{ env.COMMIT_SHORT_SHA }} 52 | 53 | - name: Setup Ruby 54 | uses: ruby/setup-ruby@v1 55 | with: 56 | ruby-version: "3.1" 57 | 58 | - name: Disable ri and rdoc 59 | run: 'echo "gem: --no-document" >> ~/.gemrc' 60 | 61 | - name: Bundle Install 62 | run: bundle install 63 | 64 | - name: Installed Inspec 65 | run: bundle exec inspec version 66 | 67 | - name: Vendor the InSpec Profile 68 | run: bundle exec inspec vendor --overwrite 69 | 70 | - name: Lint the Inspec profile 71 | run: bundle exec inspec check . 72 | 73 | - name: Run the Profile 74 | run: | 75 | bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true 76 | 77 | - name: Save Test Result JSON 78 | uses: actions/upload-artifact@v4 79 | with: 80 | name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results 81 | path: | 82 | ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} 83 | 84 | - name: Upload to Heimdall 85 | run: | 86 | curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations" 87 | 88 | - name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary 89 | uses: mitre/saf_action@v1 90 | with: 91 | command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}" 92 | 93 | - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold 94 | uses: mitre/saf_action@v1 95 | with: 96 | command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}" 97 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | aws* 2 | inspec-aws 3 | *.lock 4 | *.gem 5 | *.rbc 6 | *results.json 7 | inputs.yml 8 | 9 | /.config 10 | /coverage/ 11 | /InstalledFiles 12 | /pkg/ 13 | /spec/reports/ 14 | /spec/examples.txt 15 | inspec-azure.plan 16 | inspec-aws-*.plan 17 | 18 | 19 | *.tfstate 20 | *.tfstate.* 21 | .terraform/ 22 | terraform.tfvars 23 | 24 | .kitchen/ 25 | .kitchen.local.yml 26 | kitchen.local.yml 27 | 28 | .vagrant 29 | 30 | inspec-deprecations-in-cfg.txt 31 | inspec-deprecations-in-lib.txt 32 | 33 | # Docker 34 | *.retry 35 | .backup 36 | 37 | 38 | # OSX 39 | # General 40 | .DS_Store 41 | .AppleDouble 42 | .LSOverride 43 | 44 | # Icon must end with two \r 45 | Icon 46 | 47 | # Thumbnails 48 | ._* 49 | 50 | # Files that might appear in the root of a volume 51 | .DocumentRevisions-V100 52 | .fseventsd 53 | .Spotlight-V100 54 | .TemporaryItems 55 | .Trashes 56 | .VolumeIcon.icns 57 | .com.apple.timemachine.donotpresent 58 | 59 | # Directories potentially created on remote AFP share 60 | .AppleDB 61 | .AppleDesktop 62 | Network Trash Folder 63 | Temporary Items 64 | .apdisk 65 | 66 | # Logs 67 | *.log 68 | 69 | 70 | ## Documentation cache and generated files: 71 | /.yardoc/ 72 | /_yardoc/ 73 | /doc/ 74 | /rdoc/ 75 | 76 | # Ignore bundler config 77 | /.bundle/ 78 | /vendor/ 79 | /vendor/bundle 80 | vendor/cookbooks 81 | 82 | # unless supporting rvm < 1.11.0 or doing something fancy, ignore this: 83 | .rvmrc 84 | .packer 85 | 86 | # for a library or gem, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | .ruby-version 89 | .ruby-gemset 90 | 91 | 92 | ## JetBrain 93 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm 94 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 95 | .idea/ 96 | 97 | ## Specific to RubyMotion: 98 | .dat* 99 | .repl_history 100 | *.bridgesupport 101 | 102 | # File-based project format 103 | *.iws 104 | 105 | # IntelliJ 106 | out/ 107 | 108 | # mpeltonen/sbt-idea plugin 109 | .idea_modules/ 110 | 111 | # Crashlytics plugin (for Android Studio and IntelliJ) 112 | com_crashlytics_export_strings.xml 113 | crashlytics.properties 114 | crashlytics-build.properties 115 | fabric.properties 116 | 117 | # JIRA plugin 118 | atlassian-ide-plugin.xml 119 | 120 | 121 | # Build Folder 122 | /build/ 123 | /build-iPhoneOS/ 124 | /build-iPhoneSimulator/ 125 | 126 | 127 | # Ignore rendered files from docs/ 128 | source/docs/reference/ 129 | examples/meta-profile/vendor/ 130 | habitat/VERSION 131 | habitat/results 132 | /lib/bundler/man/ 133 | 134 | 135 | # USER 136 | /.gitignoredir/ 137 | /tmp/ 138 | /test/tmp/ 139 | /test/version_tmp/ 140 | /.emacs.desktop 141 | .gitter 142 | *.elc 143 | nbproject 144 | auto-save-list 145 | tramp 146 | /.direnv 147 | /.envrc 148 | results/ 149 | contrib/* 150 | 151 | # Vim 152 | .*~ 153 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AllCops: 3 | Exclude: 4 | - Gemfile 5 | - Rakefile 6 | - "test/**/*" 7 | - "examples/**/*" 8 | - "vendor/**/*" 9 | - "lib/bundles/inspec-init/templates/**/*" 10 | - .direnv/**/* 11 | TargetRubyVersion: 2.6.3 12 | 13 | Layout/EmptyLinesAroundBlockBody: 14 | Enabled: false 15 | Layout/HashAlignment: 16 | Enabled: false 17 | Layout/EmptyLineAfterGuardClause: 18 | Enabled: false 19 | Layout/MultilineBlockLayout: 20 | Enabled: false 21 | Layout/EmptyLinesAroundAttributeAccessor: 22 | Enabled: true 23 | Layout/SpaceAroundOperators: 24 | Enabled: false 25 | Layout/ParameterAlignment: 26 | Enabled: true 27 | Layout/LineLength: 28 | Enabled: false 29 | Layout/SpaceAroundMethodCallOperator: 30 | Enabled: true 31 | Lint/DeprecatedOpenSSLConstant: 32 | Enabled: true 33 | Lint/MixedRegexpCaptureTypes: 34 | Enabled: true 35 | Style/RedundantRegexpCharacterClass: 36 | Enabled: false 37 | Style/RedundantRegexpEscape: 38 | Enabled: false 39 | Lint/ParenthesesAsGroupedExpression: 40 | Enabled: false 41 | Lint/ReturnInVoidContext: 42 | Enabled: false 43 | Lint/AmbiguousBlockAssociation: 44 | Exclude: 45 | - "controls/*" 46 | Lint/RaiseException: 47 | Enabled: true 48 | Lint/StructNewOverride: 49 | Enabled: true 50 | 51 | Lint/DuplicateBranch: # (new in 1.3) 52 | Enabled: true 53 | Lint/DuplicateRegexpCharacterClassElement: # (new in 1.1) 54 | Enabled: true 55 | Lint/EmptyBlock: # (new in 1.1) 56 | Enabled: true 57 | Lint/EmptyClass: # (new in 1.3) 58 | Enabled: true 59 | Lint/NoReturnInBeginEndBlocks: # (new in 1.2) 60 | Enabled: true 61 | Lint/ToEnumArguments: # (new in 1.1) 62 | Enabled: true 63 | Lint/UnmodifiedReduceAccumulator: # (new in 1.1) 64 | Enabled: true 65 | 66 | Metrics/ClassLength: 67 | Max: 500 68 | Exclude: 69 | - libraries/aws_ecs_task_definition.rb 70 | Metrics/MethodLength: 71 | Max: 100 72 | Exclude: 73 | - libraries/aws_cloudfront_distribution.rb 74 | Metrics/BlockLength: 75 | Max: 300 76 | Metrics/AbcSize: 77 | Max: 75 78 | Metrics/BlockNesting: 79 | Enabled: false 80 | Metrics/CyclomaticComplexity: 81 | Max: 25 82 | Metrics/PerceivedComplexity: 83 | Max: 25 84 | 85 | Naming/AccessorMethodName: 86 | Enabled: false 87 | Naming/FileName: 88 | Enabled: false 89 | Naming/PredicateName: 90 | Enabled: false 91 | Naming/VariableNumber: 92 | Enabled: false 93 | 94 | Style/BlockDelimiters: 95 | Enabled: false 96 | Style/Documentation: 97 | Enabled: false 98 | Style/Encoding: 99 | Enabled: true 100 | Style/NumericLiterals: 101 | MinDigits: 10 102 | Style/PercentLiteralDelimiters: 103 | PreferredDelimiters: 104 | "%": "{}" 105 | "%i": () 106 | "%q": "{}" 107 | "%Q": () 108 | "%r": "{}" 109 | "%s": () 110 | "%w": "{}" 111 | "%W": () 112 | "%x": () 113 | Style/ClassAndModuleChildren: 114 | Enabled: false 115 | Style/ConditionalAssignment: 116 | Enabled: false 117 | Style/AndOr: 118 | Enabled: false 119 | Style/Not: 120 | Enabled: false 121 | Style/TrailingCommaInArrayLiteral: 122 | EnforcedStyleForMultiline: comma 123 | Style/TrailingCommaInHashLiteral: 124 | EnforcedStyleForMultiline: comma 125 | Style/TrailingCommaInArguments: 126 | EnforcedStyleForMultiline: comma 127 | Style/NegatedIf: 128 | Enabled: false 129 | Style/UnlessElse: 130 | Enabled: false 131 | Style/RedundantBegin: 132 | Enabled: false 133 | Style/IfUnlessModifier: 134 | Enabled: false 135 | Style/RescueStandardError: 136 | Enabled: false 137 | Style/ExponentialNotation: 138 | Enabled: true 139 | Style/HashEachMethods: 140 | Enabled: true 141 | Style/HashTransformKeys: 142 | Enabled: false 143 | Style/HashTransformValues: 144 | Enabled: true 145 | Style/HashSyntax: 146 | Enabled: true 147 | Style/SlicingWithRange: 148 | Enabled: true 149 | Style/ArgumentsForwarding: # (new in 1.1) 150 | Enabled: true 151 | Style/CollectionCompact: # (new in 1.2) 152 | Enabled: true 153 | Style/DocumentDynamicEvalDefinition: # (new in 1.1) 154 | Enabled: true 155 | Style/NegatedIfElseCondition: # (new in 1.2) 156 | Enabled: true 157 | Style/NilLambda: # (new in 1.3) 158 | Enabled: true 159 | Style/SwapValues: # (new in 1.1) 160 | Enabled: true 161 | Style/FrozenStringLiteralComment: 162 | Enabled: false 163 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | saf@groups.mitre.org. 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | source 'https://rubygems.org' 4 | 5 | gem 'inspec', '>= 6.6.0' 6 | gem 'inspec-core' 7 | gem 'inspec-bin' 8 | gem 'kitchen-inspec' 9 | gem 'rake' 10 | gem 'rubocop' 11 | gem 'rubocop-rake' 12 | gem "train-aws", git: 'https://github.com/mitre/train-aws.git', branch: 'al/dep-updates' 13 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | 2 | Licensed under the apache-2.0 license, except as noted below. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright/ digital rights 8 | legend, this list of conditions and the following Notice. 9 | 10 | * Redistributions in binary form must reproduce the above copyright copyright/digital 11 | rights legend, this list of conditions and the following Notice in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | * Neither the name of The MITRE Corporation nor the names of its contributors may be 15 | used to endorse or promote products derived from this software without specific prior 16 | written permission. 17 | 18 | MITRE’s licensed products include third-party materials that are subject to open source or free software licenses (“Open Source Materials”). The Open Source Materials are as follows: 19 | 20 | CIS Benchmarks. Please visit www.cisecurity.org for full terms of use. 21 | 22 | The Open Source Materials are licensed under the terms of the applicable third-party licenses that accompany the Open Source Materials. MITRE’s license does not limit a licensee’s rights under the terms of the Open Source Materials license. MITRE’s license also does not grant licensee rights to the Open Source Materials that supersede the terms and conditions of the Open Source Materials license. 23 | -------------------------------------------------------------------------------- /NOTICE.md: -------------------------------------------------------------------------------- 1 | © 2024 The MITRE Corporation. 2 | 3 | Approved for Public Release; Distribution Unlimited. Case Number 18-3678. 4 | 5 | NOTICE 6 | 7 | MITRE grants permission to reproduce, distribute, modify, and otherwise use this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project. 8 | 9 | This software was produced by The MITRE Corporation for the U. S. Government under contract. As such the U.S. Government has certain use and data rights in this software. No use other than those granted to the U. S. Government, or to those acting on behalf of the U. S. Government, under these contract arrangements is authorized without the express written permission of The MITRE Corporation. 10 | 11 | For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000. -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env rake 2 | 3 | require "rake/testtask" 4 | require "rubocop/rake_task" 5 | 6 | begin 7 | RuboCop::RakeTask.new(:lint) do |task| 8 | task.options += %w[--display-cop-names --no-color --parallel] 9 | end 10 | rescue LoadError 11 | puts "rubocop is not available. Install the rubocop gem to run the lint tests." 12 | end -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | v2.0.5 -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.1.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.1' do 2 | title 'Maintain Primary Contact Details' 3 | desc " 4 | Ensure contact email and telephone details for AWS accounts are current and map to more than 5 | one individual in your organization. 6 | 7 | An AWS account supports a number of contact 8 | details, and AWS will use these to contact the account owner if activity judged to be in breach 9 | of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS 10 | Abuse team. Contact details should not be for a single individual, as circumstances may arise 11 | where that individual is unavailable. Email contact details should point to a mail alias 12 | which forwards email to multiple individuals within the organization; where feasible, 13 | phone contact details should point to a PABX hunt group or other call-forwarding system. " 14 | 15 | desc 'rationale', 16 | "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will 17 | attempt to contact the account owner by email and phone using the contact details listed. If 18 | this is unsuccessful and the account behavior needs urgent mitigation, proactive measures 19 | may be taken, including throttling of traffic between the account exhibiting suspicious 20 | behavior and the AWS API endpoints and the Internet. This will result in impaired service to 21 | and from the account in question, so it is in both the customers' and AWS' best interests that 22 | prompt contact can be established. This is best achieved by setting AWS account contact 23 | details to point to resources which have multiple individuals as recipients, such as email 24 | aliases and PABX hunt groups. " 25 | desc 'check', 26 | ' 27 | This activity can only be performed via the AWS Console, with a user who has permission to read 28 | and write Billing information (aws-portal:\\*Billing ) 29 | 30 | 1. Sign in to the AWS Management 31 | Console and open the `Billing and Cost Management` console at 32 | https://console.aws.amazon.com/billing/home#/. 33 | 2. On the navigation bar, choose your 34 | account name, and then choose `Account`. 35 | 3. On the `Account Settings` page, review and 36 | verify the current details. 37 | 4. Under `Contact Information`, review and verify the current 38 | details.' 39 | desc 'fix', 40 | ' 41 | This activity can only be performed via the AWS Console, with a user who has permission to read 42 | and write Billing information (aws-portal:\\*Billing ). 43 | 44 | 1. Sign in to the AWS Management 45 | Console and open the `Billing and Cost Management` console at 46 | https://console.aws.amazon.com/billing/home#/. 47 | 2. On the navigation bar, choose your 48 | account name, and then choose `Account`. 49 | 3. On the `Account Settings` page, next to 50 | `Account Settings`, choose `Edit`. 51 | 4. Next to the field that you need to update, choose 52 | `Edit`. 53 | 5. After you have entered your changes, choose `Save changes`. 54 | 6. After you have 55 | made your changes, choose `Done`. 56 | 7. To edit your contact information, under `Contact 57 | Information`, choose `Edit`. 58 | 8. For the fields that you want to change, type your updated 59 | information, and then choose `Update`. ' 60 | 61 | impact 0.5 62 | ref 'https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info' 63 | tag nist: ['IR-6'] 64 | tag severity: 'medium ' 65 | tag cis_controls: [{ '8' => ['17.2'] }] 66 | 67 | describe aws_primary_contact, :sensitive do 68 | it { should be_configured } 69 | its('email_address') { should cmp input('primary_contact').email_address } 70 | its('phone_number') { should cmp input('primary_contact').phone_number } 71 | end 72 | end 73 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.10.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.10' do 2 | title "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console 3 | password " 4 | desc "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond 5 | traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will 6 | be prompted for their user name and password as well as for an authentication code from their 7 | physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have 8 | a console password. " 9 | desc 'rationale', 10 | "Enabling MFA provides increased security for console access as it requires the 11 | authenticating principal to possess a device that displays a time-sensitive key and have 12 | knowledge of a credential. " 13 | desc 'check', 14 | "Perform the following to determine if a MFA device is enabled for all IAM users having a console 15 | password: 16 | 17 | **From Console:** 18 | 19 | 1. Open the IAM console at 20 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 21 | 2. 22 | In the left pane, select `Users` 23 | 3. If the `MFA` or `Password age` columns are not visible in 24 | the table, click the gear icon at the upper right corner of the table and ensure a checkmark is 25 | next to both, then click `Close`. 26 | 4. Ensure that for each user where the `Password age` 27 | column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or 28 | `Hardware`. 29 | 30 | **From Command Line:** 31 | 32 | 1. Run the following command (OSX/Linux/UNIX) 33 | to generate a list of all IAM users along with their password and MFA status: 34 | ``` 35 | aws iam 36 | generate-credential-report 37 | ``` 38 | ``` 39 | aws iam get-credential-report --query 40 | 'Content' --output text | base64 -d | cut -d, -f1,4,8 41 | ``` 42 | 2. The output of this command will 43 | produce a table similar to the following: 44 | ``` 45 | user,password_enabled,mfa_active 46 | 47 | elise,false,false 48 | brandon,true,true 49 | rakesh,false,false 50 | helene,false,false 51 | 52 | paras,true,true 53 | anitha,false,false 54 | ``` 55 | 3. For any column having 56 | `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.` " 57 | desc 'fix', 58 | "Perform the following to enable MFA: 59 | 60 | **From Console:** 61 | 62 | 1. Sign in to the AWS 63 | Management Console and open the IAM console at 64 | 'https://console.aws.amazon.com/iam/' 65 | 2. In the left pane, select `Users`. 66 | 3. In the 67 | `User Name` list, choose the name of the intended MFA user. 68 | 4. Choose the `Security 69 | Credentials` tab, and then choose `Manage MFA Device`. 70 | 5. In the `Manage MFA Device 71 | wizard`, choose `Virtual MFA` device, and then choose `Continue`. 72 | 73 | IAM generates and 74 | displays configuration information for the virtual MFA device, including a QR code graphic. 75 | The graphic is a representation of the 'secret configuration key' that is available for 76 | manual entry on devices that do not support QR codes. 77 | 78 | 6. Open your virtual MFA 79 | application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual 80 | MFA Applications at 81 | https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual 82 | MFA application supports multiple accounts (multiple virtual MFA devices), choose the 83 | option to create a new account (a new virtual MFA device). 84 | 7. Determine whether the MFA app 85 | supports QR codes, and then do one of the following: 86 | 87 | - Use the app to scan the QR code. For 88 | example, you might choose the camera icon or choose an option similar to Scan code, and then use 89 | the device's camera to scan the code. 90 | - In the Manage MFA Device wizard, choose Show secret 91 | key for manual configuration, and then type the secret configuration key into your MFA 92 | application. 93 | 94 | When you are finished, the virtual MFA device starts generating one-time 95 | passwords. 96 | 97 | 8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the 98 | `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds 99 | for the device to generate a new one-time password. Then type the second `one-time password` 100 | into the `MFA Code 2 box`. 101 | 102 | 9. Click `Assign MFA`. " 103 | desc 'additional_information', 104 | "**Forced IAM User Self-Service Remediation** 105 | 106 | Amazon has published a pattern that 107 | forces users to self-service setup MFA before they have access to their complete permissions 108 | set. Until they complete this step, they cannot access their full permissions. This pattern 109 | can be used on new AWS accounts. It can also be used on existing accounts - it is recommended 110 | users are given instructions and a grace period to accomplish MFA enrollment before active 111 | enforcement on existing AWS accounts. " 112 | desc 'impact', 113 | "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not 114 | allowed to use this feature. We recommend that existing customers switch to one of the 115 | following alternative methods of MFA. " 116 | impact 0.5 117 | ref 'https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users' 118 | tag nist: ['IA-2(1)'] 119 | tag severity: 'medium ' 120 | tag cis_controls: [{ '8' => ['6.5'] }] 121 | 122 | service_account_mfa_exceptions = input('service_account_mfa_exceptions') 123 | 124 | users_without_mfa = 125 | aws_iam_users.where(has_console_password: true).where(has_mfa_enabled: false).usernames 126 | 127 | if service_account_mfa_exceptions.compact.empty? 128 | describe 'The active IAM users that do not have MFA enabled', :sensitive do 129 | subject { users_without_mfa } 130 | it { should be_empty } 131 | end 132 | else 133 | describe "The active IAM users that do not have MFA enabled 134 | (except for the documented service accounts: #{service_account_mfa_exceptions})", 135 | :sensitive do 136 | subject { users_without_mfa - service_account_mfa_exceptions } 137 | it { should be_empty } 138 | end 139 | end 140 | end 141 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.11.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.11' do 2 | title "Do not setup access keys during initial user setup for all IAM users that have a console 3 | password " 4 | desc "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the 5 | IAM User credentials you have to determine what type of access they require. 6 | 7 | 8 | Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the 9 | Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret 10 | access key) for that user. 11 | 12 | AWS Management Console access: If the user needs to access the 13 | AWS Management Console, create a password for the user. " 14 | desc 'rationale', "Requiring the additional steps be taken by the user for programmatic access after their 15 | profile has been created will give a stronger indication of intent that access keys are [a] 16 | necessary for their work and [b] once the access key is established on an account that the keys 17 | may be in use somewhere in the organization. 18 | 19 | **Note**: Even if it is known the user will 20 | need access keys, require them to create the keys themselves or put in a support ticket to have 21 | them created as a separate step from user creation. " 22 | desc 'check', "Perform the following to determine if access keys were created upon user creation and are 23 | being used and rotated as prescribed: 24 | 25 | **From Console:** 26 | 27 | 1. Login to the AWS 28 | Management Console 29 | 2. Click `Services` 30 | 3. Click `IAM` 31 | 4. Click on a User where column 32 | `Password age` and `Access key age` is not set to `None` 33 | 5. Click on `Security credentials` 34 | Tab 35 | 6. Compare the user `Creation time` to the Access Key `Created` date. 36 | 6. For any that 37 | match, the key was created during initial user setup. 38 | 39 | - Keys that were created at the same 40 | time as the user profile and do not have a last used date should be deleted. Refer to the 41 | remediation below. 42 | 43 | **From Command Line:** 44 | 45 | 1. Run the following command 46 | (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys 47 | utilization: 48 | ``` 49 | aws iam generate-credential-report 50 | ``` 51 | ``` 52 | aws iam 53 | get-credential-report --query 'Content' --output text | base64 -d | cut -d, 54 | -f1,4,9,11,14,16 55 | ``` 56 | 2. The output of this command will produce a table similar to the following: 57 | ``` 58 | user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date 59 | 60 | elise,false,true,2015-04-16T15:14:00+00:00,false,N/A 61 | 62 | brandon,true,true,N/A,false,N/A 63 | rakesh,false,false,N/A,false,N/A 64 | 65 | helene,false,true,2015-11-18T17:47:00+00:00,false,N/A 66 | 67 | paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00 68 | 69 | anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A 70 | ``` 71 | 3. For any user having 72 | `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the 73 | remediation below. " 74 | desc 'fix', "Perform the following to delete access keys that do not pass the audit: 75 | 76 | **From 77 | Console:** 78 | 79 | 1. Login to the AWS Management Console: 80 | 2. Click `Services` 81 | 3. Click 82 | `IAM` 83 | 4. Click on `Users` 84 | 5. Click on `Security Credentials` 85 | 6. As an Administrator 86 | - 87 | Click on the X `(Delete)` for keys that were created at the same time as the user profile but have 88 | not been used. 89 | 7. As an IAM User 90 | - Click on the X `(Delete)` for keys that were created at the 91 | same time as the user profile but have not been used. 92 | 93 | **From Command Line:** 94 | ``` 95 | aws 96 | iam delete-access-key --access-key-id --user-name 97 | 98 | ``` " 99 | desc 'additional_information', 'Credential report does not appear to contain "Key Creation Date" ' 100 | impact 0.5 101 | ref 'https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html' 102 | tag nist: ['AC-6'] 103 | tag severity: 'medium ' 104 | tag cis_controls: [ 105 | { '8' => ['3.3'] }, 106 | ] 107 | 108 | if aws_iam_access_keys.where(active: true).entries.empty? 109 | describe 'Control skipped because no iam access keys were found' do 110 | skip 'This control is skipped since the aws_iam_access_keys resource returned an empty access key list' 111 | end 112 | else 113 | aws_iam_access_keys.where(active: true).entries.each do |key| 114 | describe key.username do 115 | context key do 116 | its('last_used_days_ago') { should_not be_nil } 117 | its('created_with_user') { should be false } 118 | end 119 | end 120 | end 121 | end 122 | end 123 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.13.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.13' do 2 | title 'Ensure there is only one active access key available for any single IAM user ' 3 | desc "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can 4 | use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the 5 | AWS SDK) " 6 | desc 'rationale', 7 | "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can 8 | use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to 9 | protect your account is to not allow users to have multiple access keys. " 10 | desc 'check', 11 | "**From Console:** 12 | 13 | 1. Sign in to the AWS Management Console and navigate to IAM dashboard 14 | at `https://console.aws.amazon.com/iam/`. 15 | 2. In the left navigation panel, choose 16 | `Users`. 17 | 3. Click on the IAM user name that you want to examine. 18 | 4. On the IAM user 19 | configuration page, select `Security Credentials` tab. 20 | 5. Under `Access Keys` section, 21 | in the Status column, check the current status for each access key associated with the IAM 22 | user. If the selected IAM user has more than one access key activated then the users access 23 | configuration does not adhere to security best practices and the risk of accidental 24 | exposures increases. 25 | - Repeat steps no. 3 – 5 for each IAM user in your AWS 26 | account. 27 | 28 | **From Command Line:** 29 | 30 | 1. Run `list-users` command to list all IAM users 31 | within your account: 32 | ``` 33 | aws iam list-users --query \"Users[*].UserName\" 34 | ``` 35 | The 36 | command output should return an array that contains all your IAM user names. 37 | 38 | 2. Run 39 | `list-access-keys` command using the IAM user name list to return the current status of each 40 | access key associated with the selected IAM user: 41 | ``` 42 | aws iam list-access-keys 43 | --user-name 44 | ``` 45 | The command output should expose the metadata 46 | `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user 47 | account. 48 | 49 | 3. Check the `Status` property value for each key returned to determine each 50 | keys current state. If the `Status` property value for more than one IAM access key is set to 51 | `Active`, the user access configuration does not adhere to this recommendation, refer to the 52 | remediation below. 53 | 54 | - Repeat steps no. 2 and 3 for each IAM user in your AWS account. " 55 | desc 'fix', 56 | "**From Console:** 57 | 58 | 1. Sign in to the AWS Management Console and navigate to IAM dashboard 59 | at `https://console.aws.amazon.com/iam/`. 60 | 2. In the left navigation panel, choose 61 | `Users`. 62 | 3. Click on the IAM user name that you want to examine. 63 | 4. On the IAM user 64 | configuration page, select `Security Credentials` tab. 65 | 5. In `Access Keys` section, 66 | choose one access key that is less than 90 days old. This should be the only active key used by 67 | this IAM user to access AWS resources programmatically. Test your application(s) to make 68 | sure that the chosen access key is working. 69 | 6. In the same `Access Keys` section, identify 70 | your non-operational access keys (other than the chosen one) and deactivate it by clicking 71 | the `Make Inactive` link. 72 | 7. If you receive the `Change Key Status` confirmation box, click 73 | `Deactivate` to switch off the selected key. 74 | 8. Repeat steps no. 3 – 7 for each IAM user in your 75 | AWS account. 76 | 77 | **From Command Line:** 78 | 79 | 1. Using the IAM user and access key information 80 | provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be 81 | the only active key used by this IAM user to access AWS resources programmatically. Test your 82 | application(s) to make sure that the chosen access key is working. 83 | 84 | 2. Run the 85 | `update-access-key` command below using the IAM user name and the non-operational access 86 | key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the 87 | unnecessary access key ID for the selected IAM user 88 | 89 | **Note** - the command does not return 90 | any output: 91 | ``` 92 | aws iam update-access-key --access-key-id --status 93 | Inactive --user-name 94 | ``` 95 | 3. To confirm that the selected access key pair has 96 | been successfully `deactivated` run the `list-access-keys` audit command again for that 97 | IAM User: 98 | ``` 99 | aws iam list-access-keys --user-name 100 | ``` 101 | - The command 102 | output should expose the metadata for each access key associated with the IAM user. If the 103 | non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully 104 | deactivated and the IAM user access configuration adheres now to this 105 | recommendation. 106 | 107 | 4. Repeat steps no. 1 – 3 for each IAM user in your AWS account. " 108 | impact 0.5 109 | ref 'https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html' 110 | tag nist: ['AC-2'] 111 | tag severity: 'medium ' 112 | tag cis_controls: [{ '8' => ['5'] }] 113 | 114 | failing_users = aws_iam_users.where { access_keys.count > 1 }.usernames 115 | fail_message = "The following IAM users have more than one access key:\t#{failing_users}" 116 | 117 | describe 'AWS IAM users' do 118 | it 'should not have more than one access key' do 119 | expect(failing_users).to be_empty, fail_message 120 | end 121 | end 122 | end 123 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.15.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.15' do 2 | title 'Ensure IAM Users Receive Permissions Only Through Groups ' 3 | desc "IAM users are granted access to services, functions, and data through IAM policies. There are 4 | four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or 5 | user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an 6 | attached policy; 4) add the user to an IAM group that has an inline policy. 7 | 8 | Only the third 9 | implementation is recommended. " 10 | desc 'rationale', "Assigning IAM policy only through groups unifies permissions management to a single, 11 | flexible layer consistent with organizational functional roles. By unifying permissions 12 | management, the likelihood of excessive permissions is reduced. " 13 | desc 'check', "Perform the following to determine if an inline policy is set or a policy is directly attached 14 | to users: 15 | 16 | 1. Run the following to get a list of IAM users: 17 | ``` 18 | aws iam list-users 19 | --query 'Users[*].UserName' --output text 20 | ``` 21 | 2. For each user returned, run the 22 | following command to determine if any policies are attached to them: 23 | ``` 24 | aws iam 25 | list-attached-user-policies --user-name 26 | aws iam list-user-policies 27 | --user-name 28 | ``` 29 | 3. If any policies are returned, the user has an inline policy 30 | or direct policy attachment. " 31 | desc 'fix', "Perform the following to create an IAM group and assign a policy to it: 32 | 33 | 1. Sign in to the AWS 34 | Management Console and open the IAM console at 35 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 36 | 2. 37 | In the navigation pane, click `Groups` and then click `Create New Group` . 38 | 3. In the `Group 39 | Name` box, type the name of the group and then click `Next Step` . 40 | 4. In the list of policies, 41 | select the check box for each policy that you want to apply to all members of the group. Then 42 | click `Next Step` . 43 | 5. Click `Create Group` 44 | 45 | Perform the following to add a user to a given 46 | group: 47 | 48 | 1. Sign in to the AWS Management Console and open the IAM console at 49 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 50 | 2. 51 | In the navigation pane, click `Groups` 52 | 3. Select the group to add a user to 53 | 4. Click `Add 54 | Users To Group` 55 | 5. Select the users to be added to the group 56 | 6. Click `Add Users` 57 | 58 | 59 | Perform the following to remove a direct association between a user and policy: 60 | 61 | 1. 62 | Sign in to the AWS Management Console and open the IAM console at 63 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 64 | 2. 65 | In the left navigation pane, click on Users 66 | 3. For each user: 67 | - Select the user 68 | - Click on 69 | the `Permissions` tab 70 | - Expand `Permissions policies` 71 | - Click `X` for each policy; then 72 | click Detach or Remove (depending on policy type) " 73 | impact 0.5 74 | ref 'http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html' 75 | tag nist: ['AC-6'] 76 | tag severity: 'medium ' 77 | tag cis_controls: [ 78 | { '8' => ['6.8'] }, 79 | ] 80 | 81 | only_if('No IAM Users were found') do 82 | !aws_iam_users.entries.empty? 83 | end 84 | 85 | aws_iam_users.entries.each do |user| 86 | describe aws_iam_user(user_name: user.username) do 87 | its('inline_policy_names') { should be_empty } 88 | its('attached_policy_names') { should be_empty } 89 | end 90 | end 91 | end 92 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.16.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.16' do 2 | title 'Ensure IAM policies that allow full "*:*" administrative privileges are not attached ' 3 | desc "IAM policies are the means by which privileges are granted to users, groups, or roles. It is 4 | recommended and considered a standard security advice to grant _least privilege_ -that is, 5 | granting only the permissions required to perform a task. Determine what users need to do and 6 | then craft policies for them that let the users perform _only_ those tasks, instead of 7 | allowing full administrative privileges. " 8 | desc 'rationale', "It's more secure to start with a minimum set of permissions and grant additional permissions 9 | as necessary, rather than starting with permissions that are too lenient and then trying to 10 | tighten them later. 11 | 12 | Providing full administrative privileges instead of restricting 13 | to the minimum set of permissions that the user is required to do exposes the resources to 14 | potentially unwanted actions. 15 | 16 | IAM policies that have a statement with \"Effect\": 17 | \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed. " 18 | desc 'check', "Perform the following to determine what policies are created: 19 | 20 | **From Command 21 | Line:** 22 | 23 | 1. Run the following to get a list of IAM policies: 24 | ``` 25 | aws iam list-policies 26 | --only-attached --output text 27 | ``` 28 | 2. For each policy returned, run the following 29 | command to determine if any policies is allowing full administrative privileges on the 30 | account: 31 | ``` 32 | aws iam get-policy-version --policy-arn --version-id 33 | 34 | ``` 35 | 3. In output ensure policy should not have any Statement block with 36 | `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"` " 37 | desc 'fix', "**From Console:** 38 | 39 | Perform the following to detach the policy that has full 40 | administrative privileges: 41 | 42 | 1. Sign in to the AWS Management Console and open the IAM 43 | console at 44 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 45 | 2. 46 | In the navigation pane, click Policies and then search for the policy name found in the audit 47 | step. 48 | 3. Select the policy that needs to be deleted. 49 | 4. In the policy action menu, select 50 | first `Detach` 51 | 5. Select all Users, Groups, Roles that have this policy attached 52 | 6. Click 53 | `Detach Policy` 54 | 7. In the policy action menu, select `Detach` 55 | 56 | **From Command 57 | Line:** 58 | 59 | Perform the following to detach the policy that has full administrative 60 | privileges as found in the audit step: 61 | 62 | 1. Lists all IAM users, groups, and roles that the 63 | specified managed policy is attached to. 64 | 65 | ``` 66 | aws iam list-entities-for-policy 67 | --policy-arn 68 | ``` 69 | 2. Detach the policy from all IAM Users: 70 | ``` 71 | aws iam 72 | detach-user-policy --user-name --policy-arn 73 | ``` 74 | 3. Detach 75 | the policy from all IAM Groups: 76 | ``` 77 | aws iam detach-group-policy --group-name 78 | --policy-arn 79 | ``` 80 | 4. Detach the policy from all IAM 81 | Roles: 82 | ``` 83 | aws iam detach-role-policy --role-name --policy-arn 84 | 85 | ``` " 86 | impact 0.5 87 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam' 88 | tag nist: ['AC-6'] 89 | tag severity: 'medium ' 90 | tag cis_controls: [ 91 | { '8' => ['3.3'] }, 92 | ] 93 | 94 | attached_policies = aws_iam_policies.where { attachment_count.positive? }.policy_names 95 | 96 | only_if('No IAM policies were detected as attached within this account.', impact: 0.0) do 97 | !attached_policies.empty? 98 | end 99 | 100 | attached_policies.each do |policy| 101 | describe "Attached Policies #{policy} allows full '*:*' privileges?" do 102 | subject { aws_iam_policy(policy_name: policy) } 103 | it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*') } 104 | end 105 | end 106 | end 107 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.17.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.17' do 2 | title 'Ensure a support role has been created to manage incidents with AWS Support ' 3 | desc "AWS provides a support center that can be used for incident notification and response, as well 4 | as technical support and customer services. Create an IAM Role, with the appropriate policy 5 | assigned, to allow authorized users to manage incidents with AWS Support. " 6 | desc 'rationale', "By implementing least privilege for access control, an IAM Role will require an appropriate 7 | IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support. " 8 | desc 'check', "**From Command Line:** 9 | 10 | 1. List IAM policies, filter for the 'AWSSupportAccess' managed 11 | policy, and note the \"Arn\" element value: 12 | ``` 13 | aws iam list-policies --query 14 | \"Policies[?PolicyName == 'AWSSupportAccess']\" 15 | ``` 16 | 2. Check if the 17 | 'AWSSupportAccess' policy is attached to any role: 18 | 19 | ``` 20 | aws iam 21 | list-entities-for-policy --policy-arn 22 | arn:aws:iam::aws:policy/AWSSupportAccess 23 | ``` 24 | 25 | 3. In Output, Ensure `PolicyRoles` 26 | does not return empty. 'Example: Example: PolicyRoles: [ ]' 27 | 28 | If it returns empty refer to 29 | the remediation below. " 30 | desc 'fix', "**From Command Line:** 31 | 32 | 1. Create an IAM role for managing incidents with AWS: 33 | - Create a 34 | trust relationship policy document that allows to manage AWS incidents, and save 35 | it locally as /tmp/TrustPolicy.json: 36 | ``` 37 | { 38 | \"Version\": \"2012-10-17\", 39 | 40 | \"Statement\": [ 41 | { 42 | \"Effect\": \"Allow\", 43 | \"Principal\": { 44 | \"AWS\": \"\" 45 | }, 46 | 47 | \"Action\": \"sts:AssumeRole\" 48 | } 49 | ] 50 | } 51 | ``` 52 | 2. Create the IAM role using the above trust 53 | policy: 54 | ``` 55 | aws iam create-role --role-name 56 | --assume-role-policy-document file:///tmp/TrustPolicy.json 57 | ``` 58 | 3. Attach 59 | 'AWSSupportAccess' managed policy to the created IAM role: 60 | ``` 61 | aws iam 62 | attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess 63 | --role-name 64 | ``` " 65 | desc 'additional_information', "AWSSupportAccess policy is a global AWS resource. It has same ARN as 66 | `arn:aws:iam::aws:policy/AWSSupportAccess` for every account. " 67 | desc 'impact', "All AWS Support plans include an unlimited number of account and billing support cases, with 68 | no long-term contracts. Support billing calculations are performed on a per-account basis 69 | for all plans. Enterprise Support plan customers have the option to include multiple enabled 70 | accounts in an aggregated monthly billing calculation. Monthly charges for the Business and 71 | Enterprise support plans are based on each month's AWS usage charges, subject to a monthly 72 | minimum, billed in advance. 73 | 74 | When assigning rights, keep in mind that other policies may 75 | grant access to Support as well. This may include AdministratorAccess and other policies 76 | including customer managed policies. " 77 | impact 0.5 78 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html' 79 | tag nist: ['IR-7'] 80 | tag severity: 'medium ' 81 | tag cis_controls: [ 82 | { '8' => ['17.1'] }, 83 | ] 84 | 85 | describe aws_iam_policy(policy_name: 'AWSSupportAccess') do 86 | it { should exist } 87 | its('attached_roles') { should_not be_empty } 88 | end 89 | end 90 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.18.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.18' do 2 | title 'Ensure IAM instance roles are used for AWS resource access from instances ' 3 | desc "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls 4 | or by assigning the instance to a role which has an appropriate permissions policy for the 5 | required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources 6 | or manage AWS account resources. " 7 | desc 'rationale', "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be 8 | used outside of AWS itself. If credentials are compromised, they can be used from outside of 9 | the AWS account they give access to. In contrast, in order to leverage role permissions an 10 | attacker would need to gain and maintain access to a specific instance to use the privileges 11 | associated with it. 12 | 13 | Additionally, if credentials are encoded into compiled 14 | applications or other hard to change mechanisms, then they are even more unlikely to be 15 | properly rotated due to service disruption risks. As time goes on, credentials that cannot be 16 | rotated are more likely to be known by an increasing number of individuals who no longer work 17 | for the organization owning the credentials. " 18 | desc 'check', "**From Console:** 19 | 20 | 1. Sign in to the AWS Management Console and navigate to EC2 dashboard 21 | at `https://console.aws.amazon.com/ec2/`. 22 | 2. In the left navigation panel, choose 23 | `Instances`. 24 | 3. Select the EC2 instance you want to examine. 25 | 4. Select `Actions`. 26 | 5. 27 | Select `View details`. 28 | 6. Select `Security` in the lower panel. 29 | - If the value for 30 | **Instance profile arn** is an instance profile ARN, then an instance profile (that contains 31 | an IAM role) is attached. 32 | - If the value for **IAM Role** is blank, no role is attached. 33 | - If 34 | the value for **IAM Role** contains a role 35 | - If the value for **IAM Role** is \"No roles 36 | attached to instance profile: \", then an instance profile is 37 | attached to the instance, but it does not contain an IAM role. 38 | 7. Repeat steps 3 to 6 for each 39 | EC2 instance in your AWS account. 40 | 41 | **From Command Line:** 42 | 43 | 1. Run the 44 | `describe-instances` command to list all EC2 instance IDs, available in the selected AWS 45 | region. The command output will return each instance ID: 46 | ``` 47 | aws ec2 describe-instances 48 | --region --query 'Reservations[*].Instances[*].InstanceId' 49 | ``` 50 | 2. 51 | Run the `describe-instances` command again for each EC2 instance using the 52 | `IamInstanceProfile` identifier in the query filter to check if an IAM role is 53 | attached: 54 | ``` 55 | aws ec2 describe-instances --region --instance-id 56 | --query 'Reservations[*].Instances[*].IamInstanceProfile' 57 | ``` 58 | 3. 59 | If an IAM role is attached, the command output will show the IAM instance profile ARN and ID. 60 | 61 | 4. Repeat steps 1 to 3 for each EC2 instance in your AWS account. " 62 | desc 'fix', "**From Console:** 63 | 64 | 1. Sign in to the AWS Management Console and navigate to EC2 dashboard 65 | at `https://console.aws.amazon.com/ec2/`. 66 | 2. In the left navigation panel, choose 67 | `Instances`. 68 | 3. Select the EC2 instance you want to modify. 69 | 4. Click `Actions`. 70 | 5. 71 | Click `Security`. 72 | 6. Click `Modify IAM role`. 73 | 7. Click `Create new IAM role` if a new IAM 74 | role is required. 75 | 8. Select the IAM role you want to attach to your instance in the `IAM role` 76 | dropdown. 77 | 9. Click `Update IAM role`. 78 | 10. Repeat steps 3 to 9 for each EC2 instance in your 79 | AWS account that requires an IAM role to be attached. 80 | 81 | **From Command Line:** 82 | 83 | 1. Run 84 | the `describe-instances` command to list all EC2 instance IDs, available in the selected AWS 85 | region: 86 | ``` 87 | aws ec2 describe-instances --region --query 88 | 'Reservations[*].Instances[*].InstanceId' 89 | ``` 90 | 2. Run the 91 | `associate-iam-instance-profile` command to attach an instance profile (which is 92 | attached to an IAM role) to the EC2 instance: 93 | ``` 94 | aws ec2 95 | associate-iam-instance-profile --region --instance-id 96 | --iam-instance-profile Name=\"Instance-Profile-Name\" 97 | ``` 98 | 3. Run the 99 | `describe-instances` command again for the recently modified EC2 instance. The command 100 | output should return the instance profile ARN and ID: 101 | ``` 102 | aws ec2 describe-instances 103 | --region --instance-id --query 104 | 'Reservations[*].Instances[*].IamInstanceProfile' 105 | ``` 106 | 4. Repeat steps 1 to 3 for 107 | each EC2 instance in your AWS account that requires an IAM role to be attached. " 108 | impact 0.5 109 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html' 110 | tag nist: ['AC-2'] 111 | tag severity: 'medium ' 112 | tag cis_controls: [ 113 | { '8' => ['6.8'] }, 114 | ] 115 | 116 | only_if('Not Applicable - No EC2s discovered', impact: 0.0) { aws_ec2_instances.exist? } 117 | 118 | ec2_instances_with_no_role = aws_ec2_instances.where { !iam_profile.present? } 119 | 120 | fail_message = "EC2 Instances with no role:\n\t- #{ec2_instances_with_no_role.instance_ids.join("\n\t- ")}" 121 | 122 | describe 'EC2 Instances' do 123 | it 'should all have an attached role' do 124 | expect(ec2_instances_with_no_role.entries).to be_empty, fail_message 125 | end 126 | end 127 | end 128 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.19.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.19' do 2 | title 'Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed ' 3 | desc "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server 4 | certificate. You can use ACM or IAM to store and deploy server certificates. 5 | Use IAM as a 6 | certificate manager only when you must support HTTPS connections in a region that is not 7 | supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in 8 | IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but 9 | you must obtain your certificate from an external provider for use with AWS. You cannot upload 10 | an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM 11 | Console. " 12 | desc 'rationale', 13 | "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will 14 | be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can 15 | damage the credibility of the application/website behind the ELB. As a best practice, it is 16 | recommended to delete expired certificates. " 17 | desc 'check', 18 | "**From Console:** 19 | 20 | Getting the certificates expiration information via AWS Management 21 | Console is not currently supported. 22 | To request information about the SSL/TLS 23 | certificates stored in IAM via the AWS API use the Command Line Interface (CLI). 24 | 25 | **From 26 | Command Line:** 27 | 28 | Run list-server-certificates command to list all the IAM-stored 29 | server certificates: 30 | 31 | ``` 32 | aws iam list-server-certificates 33 | ``` 34 | 35 | The command 36 | output should return an array that contains all the SSL/TLS certificates currently stored in 37 | IAM and their metadata (name, ID, expiration date, etc): 38 | 39 | ``` 40 | { 41 | 42 | \"ServerCertificateMetadataList\": [ 43 | { 44 | \"ServerCertificateId\": 45 | \"EHDGFRW7EJFYTE88D\", 46 | \"ServerCertificateName\": \"MyServerCertificate\", 47 | 48 | \"Expiration\": \"2018-07-10T23:59:59Z\", 49 | \"Path\": \"/\", 50 | \"Arn\": 51 | \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\", 52 | \"UploadDate\": 53 | \"2018-06-10T11:56:08Z\" 54 | } 55 | ] 56 | } 57 | ``` 58 | 59 | Verify the `ServerCertificateName` and 60 | `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by 61 | the list-server-certificates command and determine if there are any expired server 62 | certificates currently stored in AWS IAM. If so, use the AWS API to remove them. 63 | 64 | If this 65 | command returns: 66 | ``` 67 | { { \"ServerCertificateMetadataList\": [] } 68 | ``` 69 | This means that 70 | there are no expired certificates, It DOES NOT mean that no certificates exist. " 71 | desc 'fix', 72 | "**From Console:** 73 | 74 | Removing expired certificates via AWS Management Console is not 75 | currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the 76 | Command Line Interface (CLI). 77 | 78 | **From Command Line:** 79 | 80 | To delete Expired 81 | Certificate run following command by replacing with the name of the 82 | certificate to delete: 83 | 84 | ``` 85 | aws iam delete-server-certificate 86 | --server-certificate-name 87 | ``` 88 | 89 | When the preceding command is 90 | successful, it does not return any output. " 91 | desc 'impact', 92 | "Deleting the certificate could have implications for your application if you are using an 93 | expired server certificate with Elastic Load Balancing, CloudFront, etc. 94 | One has to make 95 | configurations at respective services to ensure there is no interruption in application 96 | functionality. " 97 | desc 'default_value', "By default, expired certificates won't get deleted. " 98 | impact 0.5 99 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html' 100 | tag nist: ['SI-12'] 101 | tag severity: 'medium ' 102 | tag cis_controls: [{ '8' => ['3.1'] }] 103 | 104 | expired_certificates = aws_iam_server_certificates.where { expiration_date < DateTime.now } 105 | 106 | describe 'The list of all IAM server certificates' do 107 | it 'should not include expired certificates' do 108 | expect(expired_certificates.entries).to be_empty, "Expired certificates:\t#{expired_certificates.server_certificate_names}" 109 | end 110 | end 111 | end 112 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.2.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.2' do 2 | title 'Ensure Current Security Contact is registered and up to date' 3 | desc " 4 | AWS provides customers with the option of specifying the contact information for account's 5 | security team. It is recommended that this information be provided. 6 | " 7 | desc 'rationale', 8 | "Specifying security-specific contact information will help ensure that security 9 | advisories sent by AWS reach the team in your organization that is best equipped to respond to 10 | them. 11 | " 12 | desc 'check', 13 | "Perform the following to determine if security contact information is present: 14 | 15 | **From 16 | Console:** 17 | 18 | 1. Click on your account name at the top right corner of the console 19 | 2. From 20 | the drop-down menu Click `My Account` 21 | 3. Scroll down to the `Alternate Contacts` 22 | section 23 | 4. Ensure contact information is specified in the `Security` section 24 | 25 | **From 26 | Command Line:** 27 | 28 | 1. Run the following command: 29 | 30 | ``` 31 | aws account 32 | get-alternate-contact --alternate-contact-type SECURITY 33 | ``` 34 | 2. Ensure proper 35 | contact information is specified for the `Security` contact. " 36 | desc 'fix', 37 | "Perform the following to establish security contact information: 38 | 39 | **From 40 | Console:** 41 | 42 | 1. Click on your account name at the top right corner of the console. 43 | 2. From 44 | the drop-down menu Click `My Account` 45 | 3. Scroll down to the `Alternate Contacts` 46 | section 47 | 4. Enter contact information in the `Security` section 48 | 49 | **From Command 50 | Line:** 51 | Run the following command with the following input 52 | parameters: 53 | --email-address, --name, and --phone-number. 54 | 55 | ``` 56 | aws account 57 | put-alternate-contact --alternate-contact-type SECURITY 58 | ``` 59 | 60 | **Note:** Consider 61 | specifying an internal email distribution list to ensure emails are regularly monitored by 62 | more than one individual. " 63 | 64 | impact 0.5 65 | tag nist: ['IR-6'] 66 | tag severity: 'medium ' 67 | tag cis_controls: [{ '8' => ['17.2'] }] 68 | 69 | describe aws_security_contact, :sensitive do 70 | it { should be_configured } 71 | its('email_address') { should cmp input('security_contact').email_address } 72 | its('phone_number') { should cmp input('security_contact').phone_number } 73 | end 74 | end 75 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.20.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.20' do 2 | title 'Ensure that IAM Access analyzer is enabled for all regions ' 3 | desc "Enable IAM Access analyzer for IAM policies about all resources in each active AWS region. 4 | 5 | 6 | IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer 7 | is enabled in IAM, scan results are displayed on the console showing the accessible 8 | resources. Scans show resources that other accounts and federated users can access, such as 9 | KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, 10 | making it easier for administrators to monitor least privileges access. 11 | Access Analyzer 12 | analyzes only policies that are applied to resources in the same AWS Region. " 13 | desc 'rationale', 14 | "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, 15 | such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you 16 | identify unintended access to your resources and data. Access Analyzer identifies 17 | resources that are shared with external principals by using logic-based reasoning to 18 | analyze the resource-based policies in your AWS environment. IAM Access Analyzer 19 | continuously monitors all policies for S3 bucket, IAM roles, KMS (Key Management Service) 20 | keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues. " 21 | desc 'check', 22 | "**From Console:** 23 | 24 | 1. Open the IAM console at 25 | `https://console.aws.amazon.com/iam/` 26 | 2. Choose `Access analyzer` 27 | 3. Click 28 | 'Analyzers' 29 | 4. Ensure that at least one analyzer is present 30 | 5. Ensure that the `STATUS` is 31 | set to `Active` 32 | 6. Repeat these step for each active region 33 | 34 | **From Command 35 | Line:** 36 | 37 | 1. Run the following command: 38 | ``` 39 | aws accessanalyzer list-analyzers | grep 40 | status 41 | ``` 42 | 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE` 43 | 44 | 3. 45 | Repeat the steps above for each active region. 46 | 47 | If an Access analyzer is not listed for each 48 | region or the status is not set to active refer to the remediation procedure below. " 49 | desc 'fix', 50 | "**From Console:** 51 | 52 | Perform the following to enable IAM Access analyzer for IAM 53 | policies: 54 | 55 | 1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 56 | 2. 57 | Choose `Access analyzer`. 58 | 3. Choose `Create analyzer`. 59 | 4. On the `Create analyzer` 60 | page, confirm that the `Region` displayed is the Region where you want to enable Access 61 | Analyzer. 62 | 5. Enter a name for the analyzer. `Optional as it will generate a name for you 63 | automatically`. 64 | 6. Add any tags that you want to apply to the analyzer. `Optional`. 65 | 7. 66 | Choose `Create Analyzer`. 67 | 8. Repeat these step for each active region 68 | 69 | **From Command 70 | Line:** 71 | 72 | Run the following command: 73 | ``` 74 | aws accessanalyzer create-analyzer 75 | --analyzer-name --type 76 | ``` 77 | Repeat this command above 78 | for each active region. 79 | 80 | **Note:** The IAM Access Analyzer is successfully configured 81 | only when the account you use has the necessary permissions. " 82 | desc 'additional_information', 83 | "Some regions in AWS are enabled by default and some are disabled by default. Regions 84 | introduced prior to March 20, 2019 are enabled by default and cannot be disabled. Regions 85 | introduced after can be disabled by default. For more information on managing AWS Regions, 86 | please see AWS's [documentation on managing AWS 87 | Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html). " 88 | 89 | impact 0.5 90 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html' 91 | tag nist: ['AC-6'] 92 | tag severity: 'medium ' 93 | tag cis_controls: [{ '8' => ['3.3'] }] 94 | 95 | all_regions = aws_regions.region_names 96 | exempt_regions = input('exempt_regions') 97 | in_scope_regions = all_regions - exempt_regions 98 | 99 | only_if("This control is Not Applicable since no 'non-exempt' regions were found") { not in_scope_regions.presence.nil? } 100 | 101 | in_scope_regions.each do |region| 102 | describe aws_iam_access_analyzers(aws_region: region) do 103 | it { should exist } 104 | end 105 | end 106 | only_if { not input('exempt_regions').empty? } 107 | describe 'Warning: Skipped Regions' do 108 | exempt_regions.each { |skipped| skip "Exempt Region: #{skipped} was Not Reviewed" } 109 | end 110 | end 111 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.21.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.21' do 2 | title "Ensure IAM users are managed centrally via identity federation or AWS Organizations for 3 | multi-account environments " 4 | desc "In multi-account environments, IAM user centralization facilitates greater user control. 5 | User access beyond the initial account is then provided via role assumption. Centralization 6 | of users can be accomplished through federation with an external identity provider or 7 | through the use of AWS Organizations. " 8 | desc 'rationale', 9 | "Centralizing IAM user management to a single identity store reduces complexity and thus the 10 | likelihood of access management errors. " 11 | desc 'check', 12 | "For multi-account AWS environments with an external identity provider... 13 | 14 | 1. Determine 15 | the master account for identity federation or IAM user management 16 | 2. Login to that account 17 | through the AWS Management Console 18 | 3. Click `Services` 19 | 4. Click `IAM` 20 | 5. Click 21 | `Identity providers` 22 | 6. Verify the configuration 23 | 24 | Then..., determine all accounts 25 | that should not have local users present. For each account... 26 | 27 | 1. Determine all accounts 28 | that should not have local users present 29 | 2. Log into the AWS Management Console 30 | 3. Switch 31 | role into each identified account 32 | 4. Click `Services` 33 | 5. Click `IAM` 34 | 6. Click 35 | `Users` 36 | 7. Confirm that no IAM users representing individuals are present 37 | 38 | For 39 | multi-account AWS environments implementing AWS Organizations without an external 40 | identity provider... 41 | 42 | 1. Determine all accounts that should not have local users 43 | present 44 | 2. Log into the AWS Management Console 45 | 3. Switch role into each identified 46 | account 47 | 4. Click `Services` 48 | 5. Click `IAM` 49 | 6. Click `Users` 50 | 7. Confirm that no IAM 51 | users representing individuals are present " 52 | desc 'fix', 53 | "The remediation procedure will vary based on the individual organization's implementation 54 | of identity federation and/or AWS Organizations with the acceptance criteria that no 55 | non-service IAM users, and non-root accounts, are present outside the account providing 56 | centralized IAM user management. " 57 | impact 0.5 58 | tag nist: ['AC-2(1)'] 59 | tag severity: 'medium ' 60 | tag cis_controls: [{ '8' => ['5.6'] }] 61 | 62 | describe 'Manual Review' do 63 | skip 'Manual review - Examine all IAM roles on all accounts to determine if any of them represent individual people' 64 | end 65 | end 66 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.22.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.22' do 2 | title 'Ensure access to AWSCloudShellFullAccess is restricted ' 3 | desc "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM 4 | policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file 5 | upload and download capability between a user's local system and the CloudShell 6 | environment. Within the CloudShell environment a user has sudo permissions, and can access 7 | the internet. So it is feasible to install file transfer software (for example) and move data 8 | from CloudShell to external internet servers. " 9 | desc 'rationale', 10 | "Access to this policy should be restricted as it presents a potential channel for data 11 | exfiltration by malicious cloud admins that are given full permissions to the service. AWS 12 | documentation describes how to create a more restrictive IAM policy which denies file 13 | transfer permissions. " 14 | desc 'check', 15 | "**From Console** 16 | 1. Open the IAM console at https://console.aws.amazon.com/iam/ 17 | 2. In 18 | the left pane, select Policies 19 | 3. Search for and select AWSCloudShellFullAccess 20 | 4. On 21 | the Entities attached tab, ensure that there are no entities using this policy 22 | 23 | **From 24 | Command Line** 25 | 1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed 26 | policy, and note the \"Arn\" element value: 27 | ``` 28 | aws iam list-policies --query 29 | \"Policies[?PolicyName == 'AWSCloudShellFullAccess']\" 30 | ``` 31 | 2. Check if the 32 | 'AWSCloudShellFullAccess' policy is attached to any role: 33 | ``` 34 | aws iam 35 | list-entities-for-policy --policy-arn 36 | arn:aws:iam::aws:policy/AWSCloudShellFullAccess 37 | ``` 38 | 3. In Output, Ensure 39 | PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]' 40 | 41 | If it does not return 42 | empty refer to the remediation below. 43 | 44 | Note: Keep in mind that other policies may grant 45 | access. " 46 | desc 'fix', 47 | "**From Console** 48 | 1. Open the IAM console at https://console.aws.amazon.com/iam/ 49 | 2. In 50 | the left pane, select Policies 51 | 3. Search for and select AWSCloudShellFullAccess 52 | 4. On 53 | the Entities attached tab, for each item, check the box and select Detach " 54 | impact 0.5 55 | ref 'https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html' 56 | tag nist: ['AC-6'] 57 | tag severity: 'medium ' 58 | 59 | describe aws_iam_policy(policy_name: 'AWSCloudShellFullAccess') do 60 | its('attached_roles') { should be_empty } 61 | end 62 | end 63 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.3.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.3' do 2 | title 'Ensure security questions are registered in the AWS account ' 3 | desc " 4 | The AWS support portal allows account owners to establish security questions that can be used 5 | to authenticate individuals calling AWS customer service for support. It is recommended 6 | that security questions be established. 7 | " 8 | desc 'rationale', 9 | "When creating a new AWS account, a default super user is automatically created. This account 10 | is referred to as the 'root user' or 'root' account. It is recommended that the use of this 11 | account be limited and highly controlled. During events in which the 'root' password is no 12 | longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, 13 | through authentication using secret questions and associated answers, to recover 'root' 14 | user login access. 15 | " 16 | desc 'check', 17 | "**From Console:** 18 | 19 | 1. Login to the AWS account as the 'root' user 20 | 2. On the top right you 21 | will see the __ 22 | 3. Click on the __ 23 | 4. From 24 | the drop-down menu Click `My Account` 25 | 5. In the `Configure Security Challenge Questions` 26 | section on the `Personal Information` page, configure three security challenge 27 | questions. 28 | 6. Click `Save questions` . " 29 | 30 | desc 'fix', 31 | "**From Console:** 32 | 33 | 1. Login to the AWS Account as the 'root' user 34 | 2. Click on the 35 | __ from the top right of the console 36 | 3. From the drop-down menu Click 37 | _My Account_ 38 | 4. Scroll down to the `Configure Security Questions` section 39 | 5. Click on 40 | `Edit` 41 | 6. Click on each `Question` 42 | - From the drop-down select an appropriate question 43 | 44 | - Click on the `Answer` section 45 | - Enter an appropriate answer 46 | - Follow process for all 3 47 | questions 48 | 7. Click `Update` when complete 49 | 8. Save Questions and Answers and place in a 50 | secure physical location." 51 | 52 | impact 0.5 53 | tag nist: ['IR-6'] 54 | tag severity: 'medium ' 55 | tag cis_controls: [{ '8' => ['17.2'] }] 56 | 57 | only_if('AWS GovCloud only allows you to Manually view Account information, please review this requirement in the AWS GovCloud Console.') { 58 | !aws_sts_caller_identity.govcloud? 59 | } 60 | 61 | describe 'Requirement must be tested manually' do 62 | skip " 63 | This control must be manually reviewed, AWS does not support validation of the 64 | Security Challenge Questions in the AWS CLI or by an API. 65 | Examine the root account's security challenge questions in the AWS Managment Console." 66 | end 67 | end 68 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.4.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.4' do 2 | title "Ensure no 'root' user account access key exists " 3 | desc "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide 4 | programmatic access to a given AWS account. It is recommended that all access keys associated 5 | with the 'root' user account be deleted. " 6 | desc 'rationale', "Deleting access keys associated with the 'root' user account limits vectors by which the 7 | account can be compromised. Additionally, deleting the 'root' access keys encourages the 8 | creation and use of role based accounts that are least privileged. " 9 | desc 'check', "Perform the following to determine if the 'root' user account has access keys: 10 | 11 | **From Console:** 12 | 13 | 1. Login to the AWS Management Console. 14 | 2. Click `Services`. 15 | 3. Click 16 | `IAM`. 17 | 4. Click on `Credential Report`. 18 | 5. This will download a `.csv` file which 19 | contains credential usage for all IAM users within an AWS Account - open this file. 20 | 6. For the 21 | `` user, ensure the `access_key_1_active` and `access_key_2_active` 22 | fields are set to `FALSE`. 23 | 24 | **From Command Line:** 25 | 26 | Run the following 27 | command: 28 | ``` 29 | aws iam get-account-summary | grep \"AccountAccessKeysPresent\" 30 | 31 | ``` 32 | If no 'root' access keys exist the output will show `\"AccountAccessKeysPresent\": 33 | 0,`. 34 | 35 | If the output shows a \"1\", then 'root' keys exist and should be deleted. " 36 | desc 'fix', "Perform the following to delete active 'root' user access keys. 37 | 38 | **From 39 | Console:** 40 | 41 | 1. Sign in to the AWS Management Console as 'root' and open the IAM console at 42 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 43 | 2. 44 | Click on `` at the top right and select `My Security Credentials` from the drop 45 | down list. 46 | 3. On the pop out screen Click on `Continue to Security Credentials`. 47 | 4. Click 48 | on `Access Keys` (Access Key ID and Secret Access Key). 49 | 5. Under the `Status` column (if 50 | there are any Keys which are active). 51 | 6. Click `Delete` (Note: Deleted keys cannot be 52 | recovered). 53 | 54 | Note: While a key can be made inactive, this inactive key will still show up in 55 | the CLI command from the audit procedure, and may lead to a key being falsely flagged as being 56 | non-compliant. " 57 | desc 'additional_information', "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on 58 | request to AWS support enables 'root' access only through access-keys (CLI, API methods) for 59 | us-gov cloud region. " 60 | impact 0.5 61 | ref 'http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/' 62 | tag nist: ['AC-6'] 63 | tag severity: 'medium ' 64 | tag cis_controls: [ 65 | { '8' => ['3.3'] }, 66 | ] 67 | 68 | only_if('The IAM Credential report takes a long time to generate.') do 69 | !input('disable_slow_controls') 70 | end 71 | 72 | describe 'The root account should not have active access keys.' do 73 | subject { aws_iam_credential_report.where(user: '').entries.first } 74 | its('access_key_1_active') { should eq false } 75 | its('access_key_2_active') { should eq false } 76 | end 77 | end 78 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.5.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.5' do 2 | title "Ensure MFA is enabled for the 'root' user account " 3 | desc "The 'root' user account is the most privileged user in an AWS account. Multi-factor 4 | Authentication (MFA) adds an extra layer of protection on top of a username and password. With 5 | MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and 6 | password as well as for an authentication code from their AWS MFA device. 7 | 8 | **Note:** When 9 | virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a 10 | personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be 11 | kept charged and secured independent of any individual personal devices. (\"non-personal 12 | virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device 13 | trade-in or if the individual owning the device is no longer employed at the company. " 14 | desc 'rationale', 15 | "Enabling MFA provides increased security for console access as it requires the 16 | authenticating principal to possess a device that emits a time-sensitive key and have 17 | knowledge of a credential. " 18 | desc 'check', 19 | "Perform the following to determine if the 'root' user account has MFA setup: 20 | 21 | **From 22 | Console:** 23 | 24 | 1. Login to the AWS Management Console 25 | 2. Click `Services` 26 | 3. Click `IAM` 27 | 28 | 4. Click on `Credential Report` 29 | 5. This will download a `.csv` file which contains 30 | credential usage for all IAM users within an AWS Account - open this file 31 | 6. For the 32 | `` user, ensure the `mfa_active` field is set to `TRUE` . 33 | 34 | **From Command 35 | Line:** 36 | 37 | 1. Run the following command: 38 | ``` 39 | aws iam get-account-summary | grep 40 | \"AccountMFAEnabled\" 41 | ``` 42 | 2. Ensure the AccountMFAEnabled property is set to 1 " 43 | desc 'fix', 44 | "Perform the following to establish MFA for the 'root' user account: 45 | 46 | 1. Sign in to the AWS 47 | Management Console and open the IAM console at 48 | [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 49 | 50 | 51 | Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account 52 | credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other 53 | credentials. 54 | 55 | 2. Choose `Dashboard` , and under `Security Status` , expand `Activate 56 | MFA` on your root account. 57 | 3. Choose `Activate MFA` 58 | 4. In the wizard, choose `A virtual 59 | MFA` device and then choose `Next Step` . 60 | 5. IAM generates and displays configuration 61 | information for the virtual MFA device, including a QR code graphic. The graphic is a 62 | representation of the 'secret configuration key' that is available for manual entry on 63 | devices that do not support QR codes. 64 | 6. Open your virtual MFA application. (For a list of 65 | apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) 66 | If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), 67 | choose the option to create a new account (a new virtual MFA device). 68 | 7. Determine whether 69 | the MFA app supports QR codes, and then do one of the following: 70 | 71 | - Use the app to scan the QR 72 | code. For example, you might choose the camera icon or choose an option similar to Scan code, 73 | and then use the device's camera to scan the code. 74 | - In the Manage MFA Device wizard, choose 75 | Show secret key for manual configuration, and then type the secret configuration key into 76 | your MFA application. 77 | 78 | When you are finished, the virtual MFA device starts generating 79 | one-time passwords. 80 | 81 | In the Manage MFA Device wizard, in the Authentication Code 1 box, 82 | type the one-time password that currently appears in the virtual MFA device. Wait up to 30 83 | seconds for the device to generate a new one-time password. Then type the second one-time 84 | password into the Authentication Code 2 box. Choose Assign Virtual MFA. " 85 | desc 'additional_information', 86 | "IAM User account \"root\" for us-gov cloud regions does not have console access. This 87 | recommendation is not applicable for us-gov cloud regions. " 88 | impact 0.5 89 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root' 90 | tag nist: ['IA-2(1)'] 91 | tag severity: 'medium ' 92 | tag cis_controls: [{ '8' => ['6.5'] }] 93 | 94 | only_if('The IAM Credential report takes a long time to generate.') do 95 | !input('disable_slow_controls') 96 | end 97 | 98 | describe aws_iam_credential_report 99 | .where(user: '') 100 | .entries 101 | .first do 102 | its('mfa_active') { should eq true } 103 | end 104 | end 105 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.6.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.6' do 2 | title "Ensure hardware MFA is enabled for the 'root' user account " 3 | desc "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of 4 | protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS 5 | website, they will be prompted for their user name and password as well as for an 6 | authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' 7 | user account be protected with a hardware MFA. " 8 | desc 'rationale', 9 | "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does 10 | not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA 11 | resides. 12 | 13 | **Note**: Using hardware MFA for many, many AWS accounts may create a 14 | logistical device management issue. If this is the case, consider implementing this Level 2 15 | recommendation selectively to the highest security AWS accounts and the Level 1 16 | recommendation applied to the remaining accounts. " 17 | desc 'check', 18 | "Perform the following to determine if the 'root' user account has a hardware MFA setup: 19 | 20 | 1. 21 | Run the following command to determine if the 'root' account has MFA setup: 22 | ``` 23 | aws iam 24 | get-account-summary | grep \"AccountMFAEnabled\" 25 | ``` 26 | 27 | The `AccountMFAEnabled` 28 | property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) 29 | Enabled. 30 | If `AccountMFAEnabled` property is set to `0` the account is not compliant with 31 | this recommendation. 32 | 33 | 2. If `AccountMFAEnabled` property is set to `1`, determine 34 | 'root' account has Hardware MFA enabled. 35 | Run the following command to list all virtual MFA 36 | devices: 37 | ``` 38 | aws iam list-virtual-mfa-devices 39 | ``` 40 | If the output contains one MFA 41 | with the following Serial Number, it means the MFA is virtual, not hardware and the account is 42 | not compliant with this recommendation: 43 | 44 | `\"SerialNumber\": 45 | \"arn:aws:iam::__:mfa/root-account-mfa-device\"` " 46 | desc 'fix', 47 | "Perform the following to establish a hardware MFA for the 'root' user account: 48 | 49 | 1. Sign in 50 | to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 51 | Note: 52 | to manage MFA devices for the AWS 'root' user account, you must use your 'root' account 53 | credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other 54 | credentials. 55 | 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` 56 | on your root account. 57 | 3. Choose `Activate MFA` 58 | 4. In the wizard, choose `A hardware MFA` 59 | device and then choose `Next Step` . 60 | 5. In the `Serial Number` box, enter the serial number 61 | that is found on the back of the MFA device. 62 | 6. In the `Authentication Code 1` box, enter the 63 | six-digit number displayed by the MFA device. You might need to press the button on the front of 64 | the device to display the number. 65 | 7. Wait 30 seconds while the device refreshes the code, and 66 | then enter the next six-digit number into the `Authentication Code 2` box. You might need to 67 | press the button on the front of the device again to display the second number. 68 | 8. Choose 69 | `Next Step` . The MFA device is now associated with the AWS account. The next time you use your 70 | AWS account credentials to sign in, you must type a code from the hardware MFA 71 | device. 72 | 73 | Remediation for this recommendation is not available through AWS CLI. " 74 | desc 'additional_information', 75 | "IAM User account 'root' for us-gov cloud regions does not have console access. This control is 76 | not applicable for us-gov cloud regions. " 77 | impact 0.5 78 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root' 79 | tag nist: ['IA-2(1)'] 80 | tag severity: 'medium ' 81 | tag cis_controls: [{ '8' => ['6.5'] }] 82 | 83 | only_if('The IAM Credential report takes a long time to generate.') do 84 | !input('disable_slow_controls') 85 | end 86 | 87 | describe aws_iam_credential_report.where(user: '').entries.first do 88 | its('mfa_active') { should eq true } 89 | end 90 | 91 | hardware_mfa_devices = aws_iam_virtual_mfa_devices.where { 92 | serial_number !~ /root-account-mfa-device$/ 93 | } 94 | 95 | describe 'MFA devices' do 96 | it "should include at least one hardware device (a device other than ARN 'arn:aws:iam::__:mfa/root-account-mfa-device')" do 97 | expect(hardware_mfa_devices.count).to be >= 1, 'No hardware MFA devices discovered' 98 | end 99 | end 100 | end 101 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.7.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.7' do 2 | title "Eliminate use of the 'root' user for administrative and daily tasks " 3 | desc "With the creation of an AWS account, a 'root user' is created that cannot be disabled or 4 | deleted. That user has unrestricted access to and control over all resources in the AWS 5 | account. It is highly recommended that the use of this account be avoided for everyday tasks. " 6 | desc 'rationale', 7 | "The 'root user' has unrestricted access to and control over all account resources. Use of it is 8 | inconsistent with the principles of least privilege and separation of duties, and can lead to 9 | unnecessary harm due to error or account compromise. " 10 | desc 'check', 11 | "**From Console:** 12 | 13 | 1. Login to the AWS Management Console at 14 | `https://console.aws.amazon.com/iam/` 15 | 2. In the left pane, click `Credential 16 | Report` 17 | 3. Click on `Download Report` 18 | 4. Open of Save the file locally 19 | 5. Locate the 20 | `` under the user column 21 | 6. Review `password_last_used, 22 | access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root 23 | user' was last used. 24 | 25 | **From Command Line:** 26 | 27 | Run the following CLI commands to 28 | provide a credential report for determining the last time the 'root user' was 29 | used: 30 | ``` 31 | aws iam generate-credential-report 32 | ``` 33 | ``` 34 | aws iam 35 | get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | 36 | grep -B1 '' 37 | ``` 38 | 39 | Review `password_last_used`, 40 | `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the 41 | _root user_ was last used. 42 | 43 | **Note:** There are a few conditions under which the use of the 44 | 'root' user account is required. Please see the reference links for all of the tasks that 45 | require use of the 'root' user. " 46 | desc 'fix', 47 | "If you find that the 'root' user account is being used for daily activity to include 48 | administrative tasks that do not require the 'root' user: 49 | 50 | 1. Change the 'root' user 51 | password. 52 | 2. Deactivate or delete any access keys associate with the 'root' 53 | user. 54 | 55 | **Remember, anyone who has 'root' user credentials for your AWS account has 56 | unrestricted access to and control of all the resources in your account, including billing 57 | information. " 58 | desc 'additional_information', 59 | "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS 60 | support, they can enable the 'root' user and grant access only through access-keys (CLI, API 61 | methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this 62 | recommendation is applicable. 63 | 64 | Monitoring usage of the 'root' user can be accomplished 65 | by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 66 | 'root' user. " 67 | impact 0.5 68 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html' 69 | tag nist: %w{AC-6(2) AC-6(5)} 70 | tag severity: 'medium ' 71 | tag cis_controls: [{ '8' => ['5.4'] }] 72 | 73 | # TODO: get last used key and last used date 74 | 75 | only_if('The IAM Credential report takes a long time to generate.') do 76 | !input('disable_slow_controls') 77 | end 78 | 79 | credential_report = aws_iam_credential_report.where(user: '') 80 | 81 | if input('last_root_login_date').zero? 82 | describe 'Manual review required' do 83 | skip "Last use date of root password:\t'#{credential_report.password_last_used.first}'\nLast use date of root access key 1:\t'#{credential_report.access_key_1_last_used_date.first}'\nLast use date of root access key 2:\t'#{credential_report.access_key_2_last_used_date.first}'\n\nReview to ensure this usage meets security requirements for your organization." 84 | end 85 | else 86 | last_root_login_date = 87 | DateTime.strptime(input('last_root_login_date').to_s, '%Y%m%d') 88 | describe 'The root user' do 89 | it "should not have logged in via password since #{last_root_login_date.strftime('%Y%m%d')}" do 90 | expect(credential_report.password_last_used.first).to eq('N/A').or eq('no_information').or be <= last_root_login_date 91 | end 92 | it "should not have logged in via an access key (key 1) since #{last_root_login_date.strftime('%Y%m%d')}" do 93 | expect(credential_report.access_key_1_last_used_date.first).to eq( 94 | 'N/A', 95 | ).or be <= last_root_login_date 96 | end 97 | it "should not have logged in via an access key (key 2) since #{last_root_login_date.strftime('%Y%m%d')}" do 98 | expect(credential_report.access_key_2_last_used_date.first).to eq( 99 | 'N/A', 100 | ).or be <= last_root_login_date 101 | end 102 | end 103 | end 104 | end 105 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.8.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.8' do 2 | title 'Ensure IAM password policy requires minimum length of 14 or greater ' 3 | desc "Password policies are, in part, used to enforce password complexity requirements. IAM 4 | password policies can be used to ensure password are at least a given length. It is recommended 5 | that the password policy require a minimum password length 14. " 6 | desc 'rationale', "Setting a password complexity policy increases account resiliency against brute force 7 | login attempts. " 8 | desc 'check', "Perform the following to ensure the password policy is configured as prescribed: 9 | 10 | **From 11 | Console:** 12 | 13 | 1. Login to AWS Console (with appropriate permissions to View Identity 14 | Access Management Account Settings) 15 | 2. Go to IAM Service on the AWS Console 16 | 3. Click on 17 | Account Settings on the Left Pane 18 | 4. Ensure \"Minimum password length\" is set to 14 or 19 | greater. 20 | 21 | **From Command Line:** 22 | ``` 23 | aws iam 24 | get-account-password-policy 25 | ``` 26 | Ensure the output of the above command includes 27 | \"MinimumPasswordLength\": 14 (or higher) " 28 | desc 'fix', "Perform the following to set the password policy as prescribed: 29 | 30 | **From 31 | Console:** 32 | 33 | 1. Login to AWS Console (with appropriate permissions to View Identity 34 | Access Management Account Settings) 35 | 2. Go to IAM Service on the AWS Console 36 | 3. Click on 37 | Account Settings on the Left Pane 38 | 4. Set \"Minimum password length\" to `14` or greater. 39 | 5. 40 | Click \"Apply password policy\" 41 | 42 | **From Command Line:** 43 | ``` 44 | aws iam 45 | update-account-password-policy --minimum-password-length 14 46 | ``` 47 | Note: All 48 | commands starting with \"aws iam update-account-password-policy\" can be combined into a 49 | single command. " 50 | impact 0.5 51 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy' 52 | tag nist: ['IA-5(1)'] 53 | tag severity: 'medium ' 54 | tag cis_controls: [ 55 | { '8' => ['5'] }, 56 | ] 57 | 58 | describe aws_iam_password_policy do 59 | it { should exist } 60 | its('minimum_password_length') { should cmp >= input('pwd_length') } 61 | end 62 | end 63 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-1.9.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-1.9' do 2 | title 'Ensure IAM password policy prevents password reuse ' 3 | desc "IAM password policies can prevent the reuse of a given password by the same user. It is 4 | recommended that the password policy prevent the reuse of passwords. " 5 | desc 'rationale', "Preventing password reuse increases account resiliency against brute force login 6 | attempts. " 7 | desc 'check', "Perform the following to ensure the password policy is configured as prescribed: 8 | 9 | **From 10 | Console:** 11 | 12 | 1. Login to AWS Console (with appropriate permissions to View Identity 13 | Access Management Account Settings) 14 | 2. Go to IAM Service on the AWS Console 15 | 3. Click on 16 | Account Settings on the Left Pane 17 | 4. Ensure \"Prevent password reuse\" is checked 18 | 5. Ensure 19 | \"Number of passwords to remember\" is set to 24 20 | 21 | **From Command Line:** 22 | ``` 23 | aws iam 24 | get-account-password-policy 25 | ``` 26 | Ensure the output of the above command includes 27 | \"PasswordReusePrevention\": 24 " 28 | desc 'fix', "Perform the following to set the password policy as prescribed: 29 | 30 | **From 31 | Console:** 32 | 33 | 1. Login to AWS Console (with appropriate permissions to View Identity 34 | Access Management Account Settings) 35 | 2. Go to IAM Service on the AWS Console 36 | 3. Click on 37 | Account Settings on the Left Pane 38 | 4. Check \"Prevent password reuse\" 39 | 5. Set \"Number of 40 | passwords to remember\" is set to `24` 41 | 42 | **From Command Line:** 43 | ``` 44 | aws iam 45 | update-account-password-policy --password-reuse-prevention 24 46 | ``` 47 | Note: All 48 | commands starting with \"aws iam update-account-password-policy\" can be combined into a 49 | single command. " 50 | impact 0.5 51 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy' 52 | tag nist: ['IA-5(1)'] 53 | tag severity: 'medium ' 54 | tag cis_controls: [ 55 | { '8' => ['5.2'] }, 56 | ] 57 | 58 | describe aws_iam_password_policy do 59 | it { should exist } 60 | it { should prevent_password_reuse } 61 | its('number_of_passwords_to_remember') { should cmp == 24 } 62 | end 63 | end 64 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-2.1.1.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-2.1.1' do 2 | title 'Ensure S3 Bucket Policy is set to deny HTTP requests ' 3 | desc "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making 4 | the objects accessible only through HTTPS. " 5 | desc 'rationale', 6 | "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to 7 | Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. 8 | Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not 9 | comply with this recommendation. " 10 | desc 'check', 11 | "To allow access to HTTPS you can use a condition that checks for the key 12 | `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that 13 | HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket 14 | policy that explicitly denies access for HTTP requests and that it contains the key 15 | \"aws:SecureTransport\": \"false\". 16 | 17 | **From Console:** 18 | 19 | 1. Login to AWS Management 20 | Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 21 | 2. 22 | Select the Check box next to the Bucket. 23 | 3. Click on 'Permissions', then Click on `Bucket 24 | Policy`. 25 | 4. Ensure that a policy is listed that matches: 26 | ``` 27 | '{ 28 | \"Sid\": , 29 | 30 | \"Effect\": \"Deny\", 31 | \"Principal\": \"*\", 32 | \"Action\": \"s3:*\", 33 | \"Resource\": 34 | \"arn:aws:s3:::/*\", 35 | \"Condition\": { 36 | \"Bool\": { 37 | 38 | \"aws:SecureTransport\": \"false\" 39 | }' 40 | ``` 41 | `` and `` will be 42 | specific to your account 43 | 44 | 5. Repeat for all the buckets in your AWS account. 45 | 46 | **From 47 | Command Line:** 48 | 49 | 1. List all of the S3 Buckets 50 | ``` 51 | aws s3 ls 52 | ``` 53 | 2. Using the list of 54 | buckets run this command on each of them: 55 | ``` 56 | aws s3api get-bucket-policy --bucket | grep aws:SecureTransport 57 | ``` 58 | 3. Confirm that `aws:SecureTransport` 59 | is set to false `aws:SecureTransport:false` 60 | 4. Confirm that the policy line has Effect set 61 | to Deny 'Effect:Deny' " 62 | desc 'fix', 63 | "**From Console:** 64 | 65 | 1. Login to AWS Management Console and open the Amazon S3 console using 66 | https://console.aws.amazon.com/s3/ 67 | 2. Select the Check box next to the Bucket. 68 | 3. 69 | Click on 'Permissions'. 70 | 4. Click 'Bucket Policy' 71 | 5. Add this to the existing policy 72 | filling in the required information 73 | ``` 74 | { 75 | \"Sid\": \", 76 | \"Effect\": \"Deny\", 77 | 78 | \"Principal\": \"*\", 79 | \"Action\": \"s3:*\", 80 | \"Resource\": 81 | \"arn:aws:s3:::/*\", 82 | \"Condition\": { 83 | \"Bool\": { 84 | 85 | \"aws:SecureTransport\": \"false\" 86 | } 87 | } 88 | } 89 | ``` 90 | 6. Save 91 | 7. Repeat for all the buckets in 92 | your AWS account that contain sensitive data. 93 | 94 | **From Console** 95 | 96 | using AWS Policy 97 | Generator: 98 | 99 | 1. Repeat steps 1-4 above. 100 | 2. Click on `Policy Generator` at the bottom of 101 | the Bucket Policy Editor 102 | 3. Select Policy Type 103 | `S3 Bucket Policy` 104 | 4. Add Statements 105 | - 106 | `Effect` = Deny 107 | - `Principal` = * 108 | - `AWS Service` = Amazon S3 109 | - `Actions` = * 110 | - `Amazon 111 | Resource Name` = 112 | 5. Generate Policy 113 | 6. Copy the text and add it to the 114 | Bucket Policy. 115 | 116 | **From Command Line:** 117 | 118 | 1. Export the bucket policy to a json 119 | file. 120 | ``` 121 | aws s3api get-bucket-policy --bucket --query Policy --output 122 | text > policy.json 123 | ``` 124 | 125 | 2. Modify the policy.json file by adding in this 126 | statement: 127 | ``` 128 | { 129 | \"Sid\": \", 130 | \"Effect\": \"Deny\", 131 | \"Principal\": \"*\", 132 | 133 | \"Action\": \"s3:*\", 134 | \"Resource\": \"arn:aws:s3:::/*\", 135 | \"Condition\": { 136 | 137 | \"Bool\": { 138 | \"aws:SecureTransport\": \"false\" 139 | } 140 | } 141 | } 142 | ``` 143 | 3. Apply this modified 144 | policy back to the S3 bucket: 145 | ``` 146 | aws s3api put-bucket-policy --bucket 147 | --policy file://policy.json 148 | ``` " 149 | impact 0.5 150 | ref 'https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html' 151 | tag nist: %w{SC-8 SC-8(1)} 152 | tag severity: 'medium ' 153 | tag cis_controls: [{ '8' => ['3.10'] }] 154 | 155 | exempt_buckets = input('exempt_buckets') 156 | s3_buckets = aws_s3_buckets.bucket_names 157 | failing_buckets = [] 158 | 159 | only_if('This control is Non Applicable since no unexempt S3 buckets were found.', impact: 0.0) { !s3_buckets.empty? or !(exempt_buckets - s3_buckets).empty? } 160 | 161 | if input('single_bucket').present? 162 | failing_buckets << input('single_bucket').to_s unless aws_s3_bucket(bucket_name: input('single_bucket')).has_secure_transport_enabled? 163 | describe "The #{input('single_bucket')}" do 164 | it 'explicitly disallows insecure (HTTP) requests by bucket policy' do 165 | expect(failing_buckets).to be_empty, "Failing buckets:\t#{failing_buckets}" 166 | end 167 | end 168 | else 169 | failing_buckets = s3_buckets.select { |bucket| 170 | next if exempt_buckets.include?(bucket) 171 | !aws_s3_bucket(bucket_name: bucket).has_secure_transport_enabled? 172 | } 173 | describe 'S3 buckets' do 174 | it 'should all explicitly disallow insecure (HTTP) requests by bucket policy' do 175 | failure_messsage = "Failing buckets:\n#{failing_buckets.join(", \n")}" 176 | failure_messsage += "\nExempt buckets:\n\n#{exempt_buckets.join(", \n")}" if exempt_buckets.present? 177 | expect(failing_buckets).to be_empty, failure_messsage 178 | end 179 | end 180 | end 181 | end 182 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-2.1.2.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-2.1.2' do 2 | title 'Ensure MFA Delete is enabled on all S3 buckets ' 3 | desc "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to 4 | have two forms of authentication. " 5 | desc 'rationale', 6 | "Adding MFA delete to an S3 bucket, requires additional authentication when you change the 7 | version state of your bucket or you delete and object version adding another layer of security 8 | in the event your security credentials are compromised or unauthorized access is granted. " 9 | desc 'check', 10 | "Perform the steps below to confirm MFA delete is configured on an S3 Bucket 11 | 12 | **From 13 | Console:** 14 | 15 | 1. Login to the S3 console at `https://console.aws.amazon.com/s3/` 16 | 17 | 2. 18 | Click the `Check` box next to the Bucket name you want to confirm 19 | 20 | 3. In the window under 21 | `Properties` 22 | 23 | 4. Confirm that Versioning is `Enabled` 24 | 25 | 5. Confirm that MFA Delete is 26 | `Enabled` 27 | 28 | **From Command Line:** 29 | 30 | 1. Run the `get-bucket-versioning` 31 | ``` 32 | aws 33 | s3api get-bucket-versioning --bucket my-bucket 34 | ``` 35 | 36 | Output 37 | example: 38 | ``` 39 | 41 | Enabled 42 | 43 | Enabled 44 | 45 | ``` 46 | 47 | If the Console 48 | or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation 49 | below. " 50 | desc 'fix', 51 | "Perform the steps below to enable MFA delete on an S3 bucket. 52 | 53 | Note: 54 | -You cannot enable 55 | MFA Delete using the AWS Management Console. You must use the AWS CLI or API. 56 | -You must use 57 | your 'root' account to enable MFA Delete on S3 buckets. 58 | 59 | **From Command line:** 60 | 61 | 1. Run 62 | the s3api put-bucket-versioning command 63 | 64 | ``` 65 | aws s3api put-bucket-versioning 66 | --profile my-root-profile --bucket Bucket_Name --versioning-configuration 67 | Status=Enabled,MFADelete=Enabled --mfa 68 | “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” 69 | ``` " 70 | desc 'impact', 71 | "Enabling MFA delete on an S3 bucket could required additional administrator oversight. 72 | Enabling MFA delete may impact other services that automate the creation and/or deletion of 73 | S3 buckets. " 74 | impact 0.5 75 | ref 'https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html' 76 | tag nist: ['AC-3'] 77 | tag severity: 'medium ' 78 | tag cis_controls: [{ '8' => ['3.3'] }] 79 | 80 | exempt_buckets = input('exempt_buckets') 81 | s3_buckets = aws_s3_buckets.bucket_names 82 | failing_buckets = [] 83 | 84 | only_if('This control is Non Applicable since no unexempt S3 buckets were found.', impact: 0.0) { !s3_buckets.empty? or !(exempt_buckets - s3_buckets).empty? } 85 | 86 | if input('single_bucket').present? 87 | failing_buckets << input('single_bucket').to_s unless aws_s3_bucket(bucket_name: input('single_bucket')).versioning.mfa_delete == 'Enabled' 88 | describe "The #{input('single_bucket')}" do 89 | it 'explicitly requires MFA to delete' do 90 | expect(failing_buckets).to be_empty, "Failing buckets:\t#{failing_buckets}" 91 | end 92 | end 93 | else 94 | failing_buckets = s3_buckets.select { |bucket| 95 | next if exempt_buckets.include?(bucket) 96 | !aws_s3_bucket(bucket_name: bucket).versioning.exist? 97 | } 98 | describe 'S3 buckets' do 99 | it 'should all explicitly require MFA to delete' do 100 | failure_messsage = "Failing buckets:\n#{failing_buckets.join(", \n")}" 101 | failure_messsage += "\nExempt buckets:\n\n#{exempt_buckets.join(", \n")}" if exempt_buckets.present? 102 | expect(failing_buckets).to be_empty, failure_messsage 103 | end 104 | end 105 | end 106 | end 107 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-2.1.3.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-2.1.3' do 2 | title 'Ensure all data in Amazon S3 has been discovered, classified and secured when required. ' 3 | desc "Amazon S3 buckets can contain sensitive data, that for security purposes should be 4 | discovered, monitored, classified and protected. Macie along with other 3rd party tools can 5 | automatically provide an inventory of Amazon S3 buckets. " 6 | desc 'rationale', 7 | "Using a Cloud service or 3rd Party software to continuously monitor and automate the process 8 | of data discovery and classification for S3 buckets using machine learning and pattern 9 | matching is a strong defense in protecting that information. 10 | 11 | Amazon Macie is a fully 12 | managed data security and data privacy service that uses machine learning and pattern 13 | matching to discover and protect your sensitive data in AWS. " 14 | desc 'check', 15 | "Perform the following steps to determine if Macie is running: 16 | 17 | **From Console:** 18 | 19 | 1. 20 | Login to the Macie console at https://console.aws.amazon.com/macie/ 21 | 22 | 2. In the left 23 | hand pane click on By job under findings. 24 | 25 | 3. Confirm that you have a Job setup for your S3 26 | Buckets 27 | 28 | When you log into the Macie console if you aren't taken to the summary page and you 29 | don't have a job setup and running then refer to the remediation procedure below. 30 | 31 | If you 32 | are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation. " 33 | desc 'fix', 34 | "Perform the steps below to enable and configure Amazon Macie 35 | 36 | **From Console:** 37 | 38 | 1. 39 | Log on to the Macie console at `https://console.aws.amazon.com/macie/` 40 | 41 | 2. Click `Get 42 | started`. 43 | 44 | 3. Click `Enable Macie`. 45 | 46 | Setup a repository for sensitive data discovery 47 | results 48 | 49 | 1. In the Left pane, under Settings, click `Discovery results`. 50 | 51 | 2. Make sure 52 | `Create bucket` is selected. 53 | 54 | 3. Create a bucket, enter a name for the bucket. The name must 55 | be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a 56 | number. 57 | 58 | 4. Click on `Advanced`. 59 | 60 | 5. Block all public access, make sure `Yes` is 61 | selected. 62 | 63 | 6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the 64 | results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the 65 | S3 bucket. 66 | 67 | 7. Click on `Save` 68 | 69 | Create a job to discover sensitive data 70 | 71 | 1. In the 72 | left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your 73 | account. 74 | 75 | 2. Select the `check box` for each bucket that you want Macie to analyze as part of 76 | the job 77 | 78 | 3. Click `Create job`. 79 | 80 | 3. Click `Quick create`. 81 | 82 | 4. For the Name and 83 | description step, enter a name and, optionally, a description of the job. 84 | 85 | 5. Then click 86 | `Next`. 87 | 88 | 6. For the Review and create step, click `Submit`. 89 | 90 | Review your 91 | findings 92 | 93 | 1. In the left pane, click `Findings`. 94 | 95 | 2. To view the details of a specific 96 | finding, choose any field other than the check box for the finding. 97 | 98 | If you are using a 3rd 99 | Party tool to manage and protect your s3 data, follow the Vendor documentation for 100 | implementing and configuring that tool. " 101 | desc 'impact', 102 | "There is a cost associated with using Amazon Macie. There is also typically a cost associated 103 | with 3rd Party tools that perform similar processes and protection. " 104 | impact 0.5 105 | ref 'https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html' 106 | tag nist: %w{CM-12 SI-12} 107 | tag severity: 'medium ' 108 | tag cis_controls: [{ '8' => ['3.1'] }] 109 | 110 | only_if("Manual review necessary: third-party tool #{input('third_party_data_management_tool')} is expected to meet this recommendation; check its configuration according to vendor documentation") { 111 | !input('third_party_data_management_tool').present? 112 | } 113 | 114 | only_if('Amazon Macie unavailable in GovCloud; please manually review AWS account to determine if a third party data management tool is present') { !aws_sts_caller_identity.govcloud? } 115 | 116 | describe 'Manual Review' do 117 | skip 'Manual review of Amazon Macie configuration in the AWS console is required' 118 | end 119 | end 120 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-2.2.1.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-2.2.1' do 2 | title 'Ensure EBS Volume Encryption is Enabled in all Regions ' 3 | desc "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store 4 | (EBS) service. While disabled by default, forcing encryption at EBS volume creation is 5 | supported. " 6 | desc 'rationale', 7 | "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can 8 | nullify the impact of disclosure if the encryption remains unbroken. " 9 | desc 'check', 10 | "**From Console:** 11 | 12 | 1. Login to AWS Management Console and open the Amazon EC2 console 13 | using https://console.aws.amazon.com/ec2/ 14 | 2. Under `Account attributes`, click `EBS 15 | encryption`. 16 | 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 17 | 4. Review 18 | every region in-use. 19 | 20 | **Note:** EBS volume encryption is configured per 21 | region. 22 | 23 | **From Command Line:** 24 | 25 | 1. Run 26 | ``` 27 | aws --region ec2 28 | get-ebs-encryption-by-default 29 | ``` 30 | 2. Verify that `\"EbsEncryptionByDefault\": true` 31 | is displayed. 32 | 3. Review every region in-use. 33 | 34 | **Note:** EBS volume encryption is 35 | configured per region. " 36 | desc 'fix', 37 | "**From Console:** 38 | 39 | 1. Login to AWS Management Console and open the Amazon EC2 console 40 | using https://console.aws.amazon.com/ec2/ 41 | 2. Under `Account attributes`, click `EBS 42 | encryption`. 43 | 3. Click `Manage`. 44 | 4. Click the `Enable` checkbox. 45 | 5. Click `Update EBS 46 | encryption` 47 | 6. Repeat for every region requiring the change. 48 | 49 | **Note:** EBS volume 50 | encryption is configured per region. 51 | 52 | **From Command Line:** 53 | 54 | 1. Run 55 | ``` 56 | aws 57 | --region ec2 enable-ebs-encryption-by-default 58 | ``` 59 | 2. Verify that 60 | `\"EbsEncryptionByDefault\": true` is displayed. 61 | 3. Repeat every region requiring the 62 | change. 63 | 64 | **Note:** EBS volume encryption is configured per region. " 65 | desc 'additional_information', 66 | "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS 67 | volumes are **not** converted automatically. " 68 | desc 'impact', 69 | "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being 70 | able to access the volumes. " 71 | impact 0.5 72 | ref 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html' 73 | ref 'https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/' 74 | 75 | tag nist: %w{SC-28 SC-28(1)} 76 | tag severity: 'medium ' 77 | tag cis_controls: [{ '8' => ['3.11'] }] 78 | 79 | ec2_instances_with_no_role = aws_ec2_instances.where { !iam_profile.present? } 80 | 81 | fail_message = "EC2 Instances with no role:\n\t- #{ec2_instances_with_no_role.instance_ids.join("\n\t- ")}" 82 | 83 | describe 'EC2 Instances' do 84 | it 'should all have an attached role' do 85 | expect(ec2_instances_with_no_role.entries).to be_empty, fail_message 86 | end 87 | end 88 | 89 | aws_regions.region_names.each do |name| 90 | describe aws_region(name) do 91 | it { should have_ebs_encryption_enabled } 92 | end 93 | end 94 | end 95 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-2.3.2.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-2.3.2' do 2 | title 'Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances ' 3 | desc "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order 4 | to receive automatically minor engine upgrades during the specified maintenance window. 5 | So, RDS instances can get the new features, bug fixes, and security patches for their database 6 | engines. " 7 | desc 'rationale', 8 | "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an 9 | upgrade. When the last version number within the release is replaced, the version changed is 10 | considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades 11 | will occur automatically during the specified maintenance window so your RDS instances can 12 | get the new features, bug fixes, and security patches for their database engines. " 13 | desc 'check', 14 | "**From Console:** 15 | 16 | 1. Log in to the AWS management console and navigate to the RDS 17 | dashboard at https://console.aws.amazon.com/rds/. 18 | 2. In the left navigation panel, 19 | click on `Databases`. 20 | 3. Select the RDS instance that wants to examine. 21 | 4. Click on the 22 | `Maintenance and backups` panel. 23 | 5. Under the `Maintenance` section, search for the Auto 24 | Minor Version Upgrade status. 25 | - If the current status is set to `Disabled`, means the 26 | feature is not set and the minor engine upgrades released will not be applied to the selected 27 | RDS instance 28 | 29 | **From Command Line:** 30 | 31 | 1. Run `describe-db-instances` command to 32 | list all RDS database names, available in the selected AWS region: 33 | ``` 34 | aws rds 35 | describe-db-instances --region --query 36 | 'DBInstances[*].DBInstanceIdentifier' 37 | ``` 38 | 2. The command output should return each 39 | database instance identifier. 40 | 3. Run again `describe-db-instances` command using the 41 | RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status 42 | for the selected instance: 43 | ``` 44 | aws rds describe-db-instances --region 45 | --db-instance-identifier --query 46 | 'DBInstances[*].AutoMinorVersionUpgrade' 47 | ``` 48 | 4. The command output should return 49 | the feature current status. If the current status is set to `true`, the feature is enabled and 50 | the minor engine upgrades will be applied to the selected RDS instance. " 51 | desc 'fix', 52 | "**From Console:** 53 | 54 | 1. Log in to the AWS management console and navigate to the RDS 55 | dashboard at https://console.aws.amazon.com/rds/. 56 | 2. In the left navigation panel, 57 | click on `Databases`. 58 | 3. Select the RDS instance that wants to update. 59 | 4. Click on the 60 | `Modify` button placed on the top right side. 61 | 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click 63 | on the `Yes` radio button. 64 | 6. At the bottom of the page click on `Continue`, check to Apply 65 | Immediately to apply the changes immediately, or select `Apply during the next scheduled 66 | maintenance window` to avoid any downtime. 67 | 7. Review the changes and click on `Modify DB 68 | Instance`. The instance status should change from available to modifying and back to 69 | available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should 70 | change to `Yes`. 71 | 72 | **From Command Line:** 73 | 74 | 1. Run `describe-db-instances` command to 75 | list all RDS database instance names, available in the selected AWS region: 76 | ``` 77 | aws rds 78 | describe-db-instances --region --query 79 | 'DBInstances[*].DBInstanceIdentifier' 80 | ``` 81 | 2. The command output should return each 82 | database instance identifier. 83 | 3. Run the `modify-db-instance` command to modify the 84 | selected RDS instance configuration this command will apply the changes immediately, 85 | Remove `--apply-immediately` to apply changes during the next scheduled maintenance 86 | window and avoid any downtime: 87 | ``` 88 | aws rds modify-db-instance --region 89 | --db-instance-identifier --auto-minor-version-upgrade 90 | --apply-immediately 91 | ``` 92 | 4. The command output should reveal the new configuration 93 | metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 94 | 5. 95 | Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has 96 | been successfully enable: 97 | ``` 98 | aws rds describe-db-instances --region 99 | --db-instance-identifier --query 100 | 'DBInstances[*].AutoMinorVersionUpgrade' 101 | ``` 102 | 6. The command output should return 103 | the feature current status set to `true`, the feature is `enabled` and the minor engine 104 | upgrades will be applied to the selected RDS instance. " 105 | impact 0.5 106 | ref 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/' 107 | tag nist: ['SI-2(2)'] 108 | tag severity: 'medium ' 109 | tag cis_controls: [{ '8' => ['7.4'] }] 110 | 111 | exempt_rds = input('exempt_rds') 112 | active_rds = aws_rds_instances.db_instance_identifiers.nil? ? [] : aws_rds_instances.db_instance_identifiers 113 | failing_rds = [] 114 | 115 | only_if("This control is Non Applicable. No 'non-exempt' RDS instances were found.", impact: 0.0) { aws_rds_instances.exist? or !(exempt_rds - active_rds).empty? } 116 | 117 | if input('single_rds').present? 118 | failing_rds << input('single_rds').to_s unless aws_rds_instance(input('single_rds')).auto_minor_version_upgrade 119 | describe "The #{input('single_rds')}" do 120 | it 'should automatically upgrade minor versions' do 121 | expect(failing_rds).to be_empty, "Failing RDS:\t#{failing_rds}" 122 | end 123 | end 124 | else 125 | failing_rds = aws_rds_instances.where { auto_minor_version_upgrade != true }.db_instance_identifiers - exempt_rds 126 | describe 'RDS instances' do 127 | it 'should all automatically upgrade minor versions' do 128 | failure_messsage = "Failing RDS:\n#{failing_rds.join(", \n")}" 129 | failure_messsage += "\nExempt RDS:\n\n#{exempt_rds.join(", \n")}" if exempt_rds.present? 130 | expect(failing_rds).to be_empty, failure_messsage 131 | end 132 | end 133 | end 134 | end 135 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.1.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.1' do 2 | title 'Ensure CloudTrail is enabled in all regions ' 3 | desc "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log 4 | files to you. The recorded information includes the identity of the API caller, the time of the 5 | API call, the source IP address of the API caller, the request parameters, and the response 6 | elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an 7 | account, including API calls made via the Management Console, SDKs, command line tools, and 8 | higher-level AWS services (such as CloudFormation). " 9 | desc 'rationale', "The AWS API call history produced by CloudTrail enables security analysis, resource change 10 | tracking, and compliance auditing. Additionally, 11 | 12 | - ensuring that a multi-regions 13 | trail exists will ensure that unexpected activity occurring in otherwise unused regions is 14 | detected 15 | 16 | - ensuring that a multi-regions trail exists will ensure that `Global Service 17 | Logging` is enabled for a trail by default to capture recording of events generated on 18 | AWS 19 | global services 20 | 21 | - for a multi-regions trail, ensuring that management events 22 | configured for all type of Read/Writes ensures recording of management operations that are 23 | performed on all resources in an AWS account " 24 | desc 'check', "Perform the following to determine if CloudTrail is enabled for all regions: 25 | 26 | **From 27 | Console:** 28 | 29 | 1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 30 | 2. 31 | Click on `Trails` on the left navigation pane 32 | - You will be presented with a list of trails 33 | across all regions 34 | 3. Ensure at least one Trail has `All` specified in the `Region` 35 | column 36 | 4. Click on a trail via the link in the _Name_ column 37 | 5. Ensure `Logging` is set to 38 | `ON` 39 | 6. Ensure `Apply trail to all regions` is set to `Yes` 40 | 7. In section `Management 41 | Events` ensure `Read/Write Events` set to `ALL` 42 | 43 | **From Command Line:** 44 | ``` 45 | aws 46 | cloudtrail describe-trails 47 | ``` 48 | Ensure `IsMultiRegionTrail` is set to `true` 49 | 50 | ``` 51 | aws cloudtrail get-trail-status --name 53 | ``` 54 | Ensure `IsLogging` is set to `true` 55 | ``` 56 | aws cloudtrail 57 | get-event-selectors --trail-name 58 | ``` 59 | Ensure 60 | there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` 61 | and `ReadWriteType` set to `All` " 62 | desc 'fix', "Perform the following to enable global (Multi-region) CloudTrail logging: 63 | 64 | **From 65 | Console:** 66 | 67 | 1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 68 | 2. 69 | Click on _Trails_ on the left navigation pane 70 | 3. Click `Get Started Now` , if presented 71 | - 72 | Click `Add new trail` 73 | - Enter a trail name in the `Trail name` box 74 | - Set the `Apply trail to 75 | all regions` option to `Yes` 76 | - Specify an S3 bucket name in the `S3 bucket` box 77 | - Click 78 | `Create` 79 | 4. If 1 or more trails already exist, select the target trail to enable for global 80 | logging 81 | 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and 82 | Click `Save`. 83 | 6. Click the edit icon (pencil) next to `Management Events` click `All` for 84 | setting `Read/Write Events` and Click `Save`. 85 | 86 | **From Command Line:** 87 | ``` 88 | aws 89 | cloudtrail create-trail --name --bucket-name 90 | --is-multi-region-trail 91 | aws cloudtrail update-trail --name 92 | --is-multi-region-trail 93 | ``` 94 | 95 | Note: Creating CloudTrail via CLI without providing 96 | any overriding options configures `Management Events` to set `All` type of `Read/Writes` by 97 | default. " 98 | desc 'impact', "S3 lifecycle features can be used to manage the accumulation and management of logs over time. 99 | See the following AWS resource for more information on these features: 100 | 101 | 1. 102 | https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html " 103 | desc 'default_value', 'Not Enabled ' 104 | impact 0.5 105 | ref 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events' 106 | tag nist: ['AU-12'] 107 | tag severity: 'medium ' 108 | tag cis_controls: [ 109 | { '8' => ['8.5'] }, 110 | ] 111 | 112 | describe aws_cloudtrail_trails do 113 | it { should exist } 114 | end 115 | 116 | if aws_cloudtrail_trails.exist? 117 | aws_cloudtrail_trails.trail_arns.each do |trail_arn| 118 | describe aws_cloudtrail_trail(trail_arn) do 119 | it { should be_multi_region_trail } 120 | it { should be_logging } 121 | it { should have_event_selector_mgmt_events_rw_type_all } 122 | end 123 | end 124 | end 125 | end 126 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.10.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.10' do 2 | title 'Ensure that Object-level logging for write events is enabled for S3 bucket ' 3 | desc "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called 4 | data events. By default, CloudTrail trails don't log data events and so it is recommended to 5 | enable Object-level logging for S3 buckets. " 6 | desc 'rationale', 7 | "Enabling object-level logging will help you meet data compliance requirements within your 8 | organization, perform comprehensive security analysis, monitor specific patterns of user 9 | behavior in your AWS account or take immediate actions on any object-level API activity 10 | within your S3 Buckets using Amazon CloudWatch Events. " 11 | desc 'check', 12 | "**From Console:** 13 | 14 | 1. Login to the AWS Management Console and navigate to CloudTrail 15 | dashboard at `https://console.aws.amazon.com/cloudtrail/` 16 | 2. In the left panel, click 17 | `Trails` and then click on the CloudTrail Name that you want to examine. 18 | 3. Review `General 19 | details` 20 | 4. Confirm that `Multi-region trail` is set to `Yes` 21 | 5. Scroll down to `Data 22 | events` 23 | 6. Confirm that it reads: 24 | Data events: S3 25 | Bucket Name: All current and future S3 26 | buckets 27 | Read: Enabled 28 | Write: Enabled 29 | 7. Repeat steps 2 to 6 to verify that Multi-region 30 | trail and Data events logging of S3 buckets in CloudTrail. 31 | If the CloudTrails do not have 32 | multi-region and data events configured for S3 refer to the remediation below. 33 | 34 | **From 35 | Command Line:** 36 | 37 | 1. Run `list-trails` command to list the names of all Amazon CloudTrail 38 | trails currently available in all AWS regions: 39 | ``` 40 | aws cloudtrail 41 | list-trails 42 | ``` 43 | 2. The command output will be a list of all the trail names to 44 | include. 45 | \"TrailARN\": 46 | \"arn:aws:cloudtrail:::trail/\", 47 | \"Name\": 48 | \"\", 49 | \"HomeRegion\": \"\" 50 | 3. Next run 'get-trail- command to determine 51 | Multi-region. 52 | ``` 53 | aws cloudtrail get-trail --name --region 54 | 55 | ``` 56 | 4. The command output should include: 57 | \"IsMultiRegionTrail\": 58 | true, 59 | 5. Next run `get-event-selectors` command using the `Name` of the trail and the 60 | `region` returned in step 2 to determine if Data events logging feature is enabled within the 61 | selected CloudTrail trail for all S3 buckets: 62 | ``` 63 | aws cloudtrail get-event-selectors 64 | --region --trail-name --query 65 | EventSelectors[*].DataResources[] 66 | ``` 67 | 6. The command output should be an array that 68 | contains the configuration of the AWS resource(S3 bucket) defined for the Data events 69 | selector. 70 | \"Type\": \"AWS::S3::Object\", 71 | \"Values\": [ 72 | \"arn:aws:s3\" 73 | 7. If the 74 | `get-event-selectors` command returns an empty array '[]', the Data events are not included 75 | in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level 76 | API operations performed within your AWS account are not recorded. 77 | 8. Repeat steps 1 to 5 for 78 | auditing each CloudTrail to determine if Data events for S3 are covered. 79 | If Multi-region is 80 | not set to true and the Data events does not show S3 defined as shown refer to the remediation 81 | procedure below. " 82 | desc 'fix', 83 | "**From Console:** 84 | 85 | 1. Login to the AWS Management Console and navigate to S3 dashboard at 86 | `https://console.aws.amazon.com/s3/` 87 | 2. In the left navigation panel, click `buckets` 88 | and then click on the S3 Bucket Name that you want to examine. 89 | 3. Click `Properties` tab to see 90 | in detail bucket configuration. 91 | 4. Click on the `Object-level` logging setting, enter the 92 | CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a 93 | new one by navigating to the Cloudtrail console link 94 | `https://console.aws.amazon.com/cloudtrail/` 95 | 5. Once the Cloudtrail is selected, 96 | check the `Write` event checkbox, so that `object-level` logging for Write events is 97 | enabled. 98 | 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 99 | buckets. 100 | 101 | **From Command Line:** 102 | 103 | 1. To enable `object-level` data events logging 104 | for S3 buckets within your AWS account, run `put-event-selectors` command using the name of 105 | the trail that you want to reconfigure as identifier: 106 | ``` 107 | aws cloudtrail 108 | put-event-selectors --region --trail-name 109 | --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, 110 | \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": 111 | [\"arn:aws:s3:::/\"] }] }]' 112 | ``` 113 | 2. The command output will be 114 | `object-level` event trail configuration. 115 | 3. If you want to enable it for all buckets at 116 | once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 117 | 4. Repeat 118 | step 1 for each s3 bucket to update `object-level` logging of write events. 119 | 5. Change the AWS 120 | region by updating the `--region` command parameter and perform the process for other 121 | regions. " 122 | impact 0.5 123 | ref 'https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html' 124 | tag nist: %w{AU-3 AU-3(1) AU-12} 125 | tag severity: 'medium ' 126 | tag cis_controls: [{ '8' => ['8.5'] }] 127 | 128 | if input('single_trail').present? 129 | describe aws_cloudtrail_trail(input('single_trail')) do 130 | it { should be_multi_region_trail } 131 | it { should be monitoring_write('AWS::S3::Object') } 132 | end 133 | else 134 | trails_monitoring_all_s3 = aws_cloudtrail_trails.trail_arns.select { |trail_arn| 135 | aws_cloudtrail_trail(trail_arn).is_multi_region_trail && 136 | aws_cloudtrail_trail(trail_arn).monitoring_write?('AWS::S3::Object') 137 | } 138 | describe 'CloudTrail trails' do 139 | it 'should include at least one multi-region trail monitoring all S3 writes' do 140 | expect(trails_monitoring_all_s3).to_not be_empty, 'No multi-region trails monitoring all S3 bucket writes were discovered' 141 | end 142 | end 143 | end 144 | end 145 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.11.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.11' do 2 | title 'Ensure that Object-level logging for read events is enabled for S3 bucket ' 3 | desc "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called 4 | data events. By default, CloudTrail trails don't log data events and so it is recommended to 5 | enable Object-level logging for S3 buckets. " 6 | desc 'rationale', 7 | "Enabling object-level logging will help you meet data compliance requirements within your 8 | organization, perform comprehensive security analysis, monitor specific patterns of user 9 | behavior in your AWS account or take immediate actions on any object-level API activity using 10 | Amazon CloudWatch Events. " 11 | desc 'check', 12 | "**From Console:** 13 | 14 | 1. Login to the AWS Management Console and navigate to S3 dashboard at 15 | `https://console.aws.amazon.com/s3/` 16 | 2. In the left navigation panel, click `buckets` 17 | and then click on the S3 Bucket Name that you want to examine. 18 | 3. Click `Properties` tab to see 19 | in detail bucket configuration. 20 | 4. If the current status for `Object-level` logging is set 21 | to `Disabled`, then object-level logging of read events for the selected s3 bucket is not 22 | set. 23 | 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read 24 | event check-box is unchecked, then object-level logging of read events for the selected s3 25 | bucket is not set. 26 | 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events 27 | of your other S3 buckets. 28 | 29 | **From Command Line:** 30 | 1. Run `describe-trails` command to 31 | list the names of all Amazon CloudTrail trails currently available in the selected AWS 32 | region: 33 | ``` 34 | aws cloudtrail describe-trails --region --output table 35 | --query trailList[*].Name 36 | ``` 37 | 2. The command output will be table of the requested trail 38 | names. 39 | 3. Run `get-event-selectors` command using the name of the trail returned at the 40 | previous step and custom query filters to determine if Data events logging feature is enabled 41 | within the selected CloudTrail trail configuration for s3 bucket resources: 42 | ``` 43 | aws 44 | cloudtrail get-event-selectors --region --trail-name 45 | --query EventSelectors[*].DataResources[] 46 | ``` 47 | 4. The command output should be an 48 | array that contains the configuration of the AWS resource(S3 bucket) defined for the Data 49 | events selector. 50 | 5. If the `get-event-selectors` command returns an empty array, the Data 51 | events are not included into the selected AWS Cloudtrail trail logging configuration, 52 | therefore the S3 object-level API operations performed within your AWS account are not 53 | recorded. 54 | 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are 55 | missing the capability to log Data events. 56 | 7. Change the AWS region by updating the 57 | `--region` command parameter and perform the audit process for other regions. " 58 | desc 'fix', 59 | "**From Console:** 60 | 61 | 1. Login to the AWS Management Console and navigate to S3 dashboard at 62 | `https://console.aws.amazon.com/s3/` 63 | 2. In the left navigation panel, click `buckets` 64 | and then click on the S3 Bucket Name that you want to examine. 65 | 3. Click `Properties` tab to see 66 | in detail bucket configuration. 67 | 4. Click on the `Object-level` logging setting, enter the 68 | CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a 69 | new one by navigating to the Cloudtrail console link 70 | `https://console.aws.amazon.com/cloudtrail/` 71 | 5. Once the Cloudtrail is selected, 72 | check the Read event checkbox, so that `object-level` logging for `Read` events is 73 | enabled. 74 | 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 75 | buckets. 76 | 77 | **From Command Line:** 78 | 1. To enable `object-level` data events logging for 79 | S3 buckets within your AWS account, run `put-event-selectors` command using the name of the 80 | trail that you want to reconfigure as identifier: 81 | ``` 82 | aws cloudtrail 83 | put-event-selectors --region --trail-name 84 | --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, 85 | \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": 86 | [\"arn:aws:s3:::/\"] }] }]' 87 | ``` 88 | 2. The command output will be 89 | `object-level` event trail configuration. 90 | 3. If you want to enable it for all buckets at 91 | once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 92 | 4. Repeat 93 | step 1 for each s3 bucket to update `object-level` logging of read events. 94 | 5. Change the AWS 95 | region by updating the `--region` command parameter and perform the process for other 96 | regions. " 97 | impact 0.5 98 | ref 'https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html' 99 | tag nist: %w{AU-3 AU-3(1) AU-12} 100 | tag severity: 'medium ' 101 | tag cis_controls: [{ '8' => ['8.5'] }] 102 | 103 | if input('single_trail').present? 104 | describe aws_cloudtrail_trail(input('single_trail')) do 105 | it { should be_multi_region_trail } 106 | it { should be monitoring_read('AWS::S3::Object') } 107 | end 108 | else 109 | trails_monitoring_all_s3 = aws_cloudtrail_trails.trail_arns.select { |trail_arn| 110 | aws_cloudtrail_trail(trail_arn).is_multi_region_trail && 111 | aws_cloudtrail_trail(trail_arn).monitoring_read?('AWS::S3::Object') 112 | } 113 | describe 'CloudTrail trails' do 114 | it 'should include at least one multi-region trail monitoring all S3 reads' do 115 | expect(trails_monitoring_all_s3).to_not be_empty, 'No multi-region trails monitoring all S3 bucket reads were discovered' 116 | end 117 | end 118 | end 119 | end 120 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.2.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.2' do 2 | title 'Ensure CloudTrail log file validation is enabled ' 3 | desc "CloudTrail log file validation creates a digitally signed digest file containing a hash of 4 | each log that CloudTrail writes to S3. These digest files can be used to determine whether a log 5 | file was changed, deleted, or unchanged after CloudTrail delivered the log. It is 6 | recommended that file validation be enabled on all CloudTrails. " 7 | desc 'rationale', "Enabling log file validation will provide additional integrity checking of CloudTrail 8 | logs. " 9 | desc 'check', "Perform the following on each trail to determine if log file validation is 10 | enabled: 11 | 12 | **From Console:** 13 | 14 | 1. Sign in to the AWS Management Console and open the IAM 15 | console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 16 | 2. 17 | Click on `Trails` on the left navigation pane 18 | 3. For Every Trail: 19 | - Click on a trail via the 20 | link in the _Name_ column 21 | - Under the `General details` section, ensure `Log file 22 | validation` is set to `Enabled` 23 | 24 | **From Command Line:** 25 | ``` 26 | aws cloudtrail 27 | describe-trails 28 | ``` 29 | Ensure `LogFileValidationEnabled` is set to `true` for each trail " 30 | desc 'fix', "Perform the following to enable log file validation on a given trail: 31 | 32 | **From 33 | Console:** 34 | 35 | 1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 36 | 2. 37 | Click on `Trails` on the left navigation pane 38 | 3. Click on target trail 39 | 4. Within the 40 | `General details` section click `edit` 41 | 5. Under the `Advanced settings` section 42 | 6. 43 | Check the enable box under `Log file validation` 44 | 7. Click `Save changes` 45 | 46 | **From 47 | Command Line:** 48 | ``` 49 | aws cloudtrail update-trail --name 50 | --enable-log-file-validation 51 | ``` 52 | Note that periodic validation of logs using these 53 | digests can be performed by running the following command: 54 | ``` 55 | aws cloudtrail 56 | validate-logs --trail-arn --start-time --end-time 57 | 58 | ``` " 59 | desc 'default_value', 'Not Enabled ' 60 | impact 0.5 61 | ref 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html' 62 | tag nist: ['AU-6'] 63 | tag severity: 'medium ' 64 | tag cis_controls: [ 65 | { '8' => ['8.11'] }, 66 | ] 67 | 68 | describe aws_cloudtrail_trails do 69 | it { should exist } 70 | end 71 | 72 | if aws_cloudtrail_trails.exist? 73 | aws_cloudtrail_trails.trail_arns.each do |trail| 74 | describe aws_cloudtrail_trail(trail) do 75 | it { should be_log_file_validation_enabled } 76 | end 77 | end 78 | end 79 | end 80 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.3.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.3' do 2 | title 'Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible ' 3 | desc "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored 4 | in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied 5 | to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. " 6 | desc 'rationale', 7 | "Allowing public access to CloudTrail log content may aid an adversary in identifying 8 | weaknesses in the affected account's use or configuration. " 9 | desc 'check', 10 | "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or 11 | S3 bucket policy: 12 | 13 | **From Console:** 14 | 15 | 1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home). 16 | 2. 17 | In the `API activity history` pane on the left, click `Trails`. 18 | 3. In the `Trails` pane, note 19 | the bucket names in the `S3 bucket` column 20 | 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home). 21 | 5. 22 | For each bucket noted in step 3, right-click on the bucket and click `Properties`. 23 | 6. In the 24 | `Properties` pane, click the `Permissions` tab. 25 | 7. The tab shows a list of grants, one row 26 | per grant, in the bucket ACL. Each row identifies the grantee and the permissions 27 | granted. 28 | 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` 29 | set to `Any Authenticated User.` 30 | 9. If the `Edit bucket policy` button is present, click it 31 | to review the bucket policy. 32 | 10. Ensure the policy does not contain a `Statement` having an 33 | `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\": \"\\*\"}, or if it does, ensure 34 | that it has a condition in place to restrict access, such as 35 | `aws:PrincipalOrgID`. 36 | 37 | **From Command Line:** 38 | 39 | 1. Get the name of the S3 bucket that 40 | CloudTrail is logging to: 41 | ``` 42 | aws cloudtrail describe-trails --query 43 | 'trailList[*].S3BucketName' 44 | ``` 45 | 2. Ensure the `AllUsers` principal is not granted 46 | privileges to that `` : 47 | ``` 48 | aws s3api get-bucket-acl --bucket 49 | --query 'Grants[?Grantee.URI== 50 | `https://acs.amazonaws.com/groups/global/AllUsers` ]' 51 | ``` 52 | 3. Ensure the 53 | `AuthenticatedUsers` principal is not granted privileges to that ``: 54 | ``` 55 | aws 56 | s3api get-bucket-acl --bucket --query 57 | 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated 58 | Users`]' 59 | ``` 60 | 4. Get the S3 Bucket Policy 61 | ``` 62 | aws s3api get-bucket-policy --bucket 63 | 64 | ``` 65 | 5. Ensure the policy does not contain a `Statement` 66 | having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\": \"\\*\"}. 67 | Additionally, check to see whether a condition has been added to the bucket policy covering 68 | `aws:PrincipalOrgID`, as having this (in the StringEquals or StringEqualsIgnoreCase) 69 | would restrict access to only the named Org ID. 70 | 71 | **Note:** Principal set to \"\\*\" or {\"AWS\": 72 | \"\\*\"}, without any conditions, allows anonymous access. " 73 | desc 'fix', 74 | "Perform the following to remove any public access that has been granted to the bucket via an ACL 75 | or S3 bucket policy: 76 | 77 | 1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home). 78 | 2. 79 | Right-click on the bucket and click Properties 80 | 3. In the `Properties` pane, click the 81 | `Permissions` tab. 82 | 4. The tab shows a list of grants, one row per grant, in the bucket ACL. 83 | Each row identifies the grantee and the permissions granted. 84 | 5. Select the row that grants 85 | permission to `Everyone` or `Any Authenticated User`. 86 | 6. Uncheck all the permissions 87 | granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 88 | 7. Click 89 | `Save` to save the ACL. 90 | 8. If the `Edit bucket policy` button is present, click it. 91 | 9. 92 | Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or 93 | {\"AWS\": \"\\*\"}, that doesn't also have a condition to restrict access, such as 94 | `aws:PrincipalOrgID`. " 95 | desc 'default_value', 'By default, S3 buckets are not publicly accessible. ' 96 | impact 0.5 97 | ref 'https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html' 98 | tag nist: ['AC-3'] 99 | tag severity: 'medium ' 100 | tag cis_controls: [{ '8' => ['3.3'] }] 101 | 102 | describe aws_cloudtrail_trails do 103 | it { should exist } 104 | end 105 | 106 | if aws_cloudtrail_trails.exist? 107 | aws_cloudtrail_trails.trail_arns.each do |trail| 108 | bucket_name = aws_cloudtrail_trail(trail).s3_bucket_name 109 | if input('exempt_buckets').include?(bucket_name) 110 | describe 'Bucket not inspected because it is defined as an exception' do 111 | skip "Bucket: #{bucket_name} not inspected because it is defined in exempt_buckets." 112 | end 113 | else 114 | describe aws_s3_bucket(bucket_name) do 115 | it { should_not be_public } 116 | end 117 | end 118 | end 119 | end 120 | end 121 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.4.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.4' do 2 | title 'Ensure CloudTrail trails are integrated with CloudWatch Logs ' 3 | desc "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The 4 | recorded information includes the identity of the API caller, the time of the API call, the 5 | source IP address of the API caller, the request parameters, and the response elements 6 | returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so 7 | log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 8 | bucket for long term analysis, real time analysis can be performed by configuring CloudTrail 9 | to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, 10 | CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is 11 | recommended that CloudTrail logs be sent to CloudWatch Logs. 12 | 13 | Note: The intent of this 14 | recommendation is to ensure AWS account activity is being captured, monitored, and 15 | appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS 16 | services but does not preclude the use of an alternate solution. " 17 | desc 'rationale', "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity 18 | logging based on user, API, resource, and IP address, and provides opportunity to establish 19 | alarms and notifications for anomalous or sensitivity account activity. " 20 | desc 'check', "Perform the following to ensure CloudTrail is configured as prescribed: 21 | 22 | **From 23 | Console:** 24 | 25 | 1. Login to the CloudTrail console at 26 | `https://console.aws.amazon.com/cloudtrail/` 27 | 2. Under `Trails` , click on the 28 | CloudTrail you wish to evaluate 29 | 3. Under the `CloudWatch Logs` section. 30 | 4. Ensure a 31 | `CloudWatch Logs` log group is configured and listed. 32 | 5. Under `General details` confirm 33 | `Last log file delivered` has a recent (~one day old) timestamp. 34 | 35 | **From Command 36 | Line:** 37 | 38 | 1. Run the following command to get a listing of existing trails: 39 | ``` 40 | aws 41 | cloudtrail describe-trails 42 | ``` 43 | 2. Ensure `CloudWatchLogsLogGroupArn` is not empty 44 | and note the value of the `Name` property. 45 | 3. Using the noted value of the `Name` property, 46 | run the following command: 47 | ``` 48 | aws cloudtrail get-trail-status --name 49 | 50 | ``` 51 | 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to 52 | a recent (~one day old) timestamp. 53 | 54 | If the `CloudWatch Logs` log group is not setup and the 55 | delivery time is not recent refer to the remediation below. " 56 | desc 'fix', "Perform the following to establish the prescribed state: 57 | 58 | **From Console:** 59 | 60 | 1. 61 | Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 62 | 2. 63 | Select the `Trail` the needs to be updated. 64 | 3. Scroll down to `CloudWatch Logs` 65 | 4. Click 66 | `Edit` 67 | 5. Under `CloudWatch Logs` click the box `Enabled` 68 | 6. Under `Log Group` pick new or 69 | select an existing log group 70 | 7. Edit the `Log group name` to match the CloudTrail or pick the 71 | existing CloudWatch Group. 72 | 8. Under `IAM Role` pick new or select an existing. 73 | 9. Edit the 74 | `Role name` to match the CloudTrail or pick the existing IAM Role. 75 | 10. Click `Save 76 | changes. 77 | 78 | **From Command Line:** 79 | ``` 80 | aws cloudtrail update-trail --name 81 | --cloudwatch-logs-log-group-arn 82 | --cloudwatch-logs-role-arn 83 | ``` " 84 | desc 'impact', "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention 85 | period is defined for the log group. When choosing the number of days to retain, keep in mind the 86 | average days it takes an organization to realize they have been breached is 210 days (at the 87 | time of this writing). Since additional time is required to research a breach, a minimum 365 88 | day retention policy allows time for detection and research. You may also wish to archive the 89 | logs to a cheaper storage service rather than simply deleting them. See the following AWS 90 | resource to manage CloudWatch Logs retention periods: 91 | 92 | 1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html " 93 | impact 0.5 94 | ref 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html' 95 | tag nist: ['AU-12'] 96 | tag severity: 'medium ' 97 | tag cis_controls: [ 98 | { '8' => ['8.5'] }, 99 | ] 100 | 101 | describe aws_cloudtrail_trails do 102 | it { should exist } 103 | end 104 | 105 | if aws_cloudtrail_trails.exist? 106 | aws_cloudtrail_trails.trail_arns.each do |trail| 107 | describe aws_cloudtrail_trail(trail) do 108 | its('cloud_watch_logs_log_group_arn') { should_not be_nil } 109 | its('delivered_logs_days_ago') { should cmp <= 1 } 110 | end 111 | end 112 | end 113 | end 114 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.5.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.5' do 2 | title 'Ensure AWS Config is enabled in all regions ' 3 | desc "AWS Config is a web service that performs configuration management of supported AWS 4 | resources within your account and delivers log files to you. The recorded information 5 | includes the configuration item (AWS resource), relationships between configuration 6 | items (AWS resources), any configuration changes between resources. It is recommended AWS 7 | Config be enabled in all regions. " 8 | desc 'rationale', "The AWS configuration item history captured by AWS Config enables security analysis, 9 | resource change tracking, and compliance auditing. " 10 | desc 'check', "Process to evaluate AWS Config configuration per region 11 | 12 | **From Console:** 13 | 14 | 1. Sign 15 | in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 16 | 1. 17 | On the top right of the console select target Region. 18 | 1. If a Config recorder is enabled in 19 | this region, you should navigate to the Settings page from the navigation menu on the left hand 20 | side. If a Config recorder is not yet enabled in this region then you should select \"Get 21 | Started\". 22 | 1. Ensure \"Record all resources supported in this region\" is checked. 23 | 1. 24 | Ensure \"Include global resources (e.g., AWS IAM resources)\" is checked, unless it is enabled 25 | in another region (this is only required in one region) 26 | 1. Ensure the correct S3 bucket has 27 | been defined. 28 | 1. Ensure the correct SNS topic has been defined. 29 | 1. Repeat steps 2 to 7 for 30 | each region. 31 | 32 | **From Command Line:** 33 | 34 | 1. Run this command to show all AWS Config 35 | recorders and their properties: 36 | ``` 37 | aws configservice 38 | describe-configuration-recorders 39 | ``` 40 | 2. Evaluate the output to ensure that all 41 | recorders have a `recordingGroup` object which includes `\"allSupported\": true`. 42 | Additionally, ensure that at least one recorder has `\"includeGlobalResourceTypes\": 43 | true` 44 | 45 | Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We 46 | don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource 47 | types to be empty (\"ResourceTypes\":[]) 48 | 49 | Sample Output: 50 | 51 | ``` 52 | { 53 | 54 | \"ConfigurationRecorders\": [ 55 | { 56 | \"recordingGroup\": { 57 | \"allSupported\": true, 58 | 59 | \"resourceTypes\": [], 60 | \"includeGlobalResourceTypes\": true 61 | }, 62 | \"roleARN\": 63 | \"arn:aws:iam:::role/service-role/\", 64 | \"name\": 65 | \"default\" 66 | } 67 | ] 68 | } 69 | ``` 70 | 71 | 3. Run this command to show the status for all AWS Config 72 | recorders: 73 | ``` 74 | aws configservice 75 | describe-configuration-recorder-status 76 | ``` 77 | 4. In the output, find recorders with 78 | `name` key matching the recorders that were evaluated in step 2. Ensure that they include 79 | `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"` " 80 | desc 'fix', "To implement AWS Config configuration: 81 | 82 | **From Console:** 83 | 84 | 1. Select the region you 85 | want to focus on in the top right of the console 86 | 2. Click Services 87 | 3. Click Config 88 | 4. If a 89 | Config recorder is enabled in this region, you should navigate to the Settings page from the 90 | navigation menu on the left hand side. If a Config recorder is not yet enabled in this region 91 | then you should select \"Get Started\". 92 | 5. Select \"Record all resources supported in this 93 | region\" 94 | 6. Choose to include global resources (IAM resources) 95 | 7. Specify an S3 bucket in 96 | the same account or in another managed AWS account 97 | 8. Create an SNS Topic from the same AWS 98 | account or another managed AWS account 99 | 100 | **From Command Line:** 101 | 102 | 1. Ensure there is an 103 | appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 104 | 2. 105 | Run this command to create a new configuration recorder: 106 | ``` 107 | aws configservice 108 | put-configuration-recorder --configuration-recorder 109 | name=default,roleARN=arn:aws:iam::012345678912:role/myConfigRole 110 | --recording-group allSupported=true,includeGlobalResourceTypes=true 111 | ``` 112 | 3. 113 | Create a delivery channel configuration file locally which specifies the channel 114 | attributes, populated from the prerequisites set up previously: 115 | ``` 116 | { 117 | \"name\": 118 | \"default\", 119 | \"s3BucketName\": \"my-config-bucket\", 120 | \"snsTopicARN\": 121 | \"arn:aws:sns:us-east-1:012345678912:my-config-notice\", 122 | 123 | \"configSnapshotDeliveryProperties\": { 124 | \"deliveryFrequency\": \"Twelve_Hours\" 125 | 126 | } 127 | } 128 | ``` 129 | 4. Run this command to create a new delivery channel, referencing the json 130 | configuration file made in the previous step: 131 | ``` 132 | aws configservice 133 | put-delivery-channel --delivery-channel file://deliveryChannel.json 134 | ``` 135 | 5. Start 136 | the configuration recorder by running the following command: 137 | ``` 138 | aws configservice 139 | start-configuration-recorder --configuration-recorder-name default 140 | ``` " 141 | desc 'impact', 'It is recommended AWS Config be enabled in all regions. ' 142 | impact 0.5 143 | ref 'https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html:https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorders.html:https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html' 144 | tag nist: ['CM-8'] 145 | tag severity: 'medium ' 146 | tag cis_controls: [ 147 | { '8' => ['1.1'] }, 148 | ] 149 | 150 | config_delivery_channels = input('config_delivery_channels') 151 | 152 | describe aws_config_recorder do 153 | it { should exist } 154 | it { should be_recording } 155 | it { should be_recording_all_resource_types } 156 | it { should be_recording_all_global_types } 157 | end 158 | 159 | describe aws_config_delivery_channel do 160 | it { should exist } 161 | end 162 | 163 | if aws_config_delivery_channel.exists? 164 | describe aws_config_delivery_channel do 165 | its('s3_bucket_name') { should cmp config_delivery_channels[:"#{input('default_aws_region')}"][:s3_bucket_name] } 166 | its('sns_topic_arn') { should cmp config_delivery_channels[:"#{input('default_aws_region')}"][:sns_topic_arn] } 167 | end 168 | end 169 | end 170 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.6.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.6' do 2 | title 'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket ' 3 | desc "S3 Bucket Access Logging generates a log that contains access records for each request made to 4 | your S3 bucket. An access log record contains details about the request, such as the request 5 | type, the resources specified in the request worked, and the time and date the request was 6 | processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 7 | bucket. " 8 | desc 'rationale', 9 | "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which 10 | may affect objects within any target buckets. Configuring logs to be placed in a separate 11 | bucket allows access to log information which can be useful in security and incident response 12 | workflows. " 13 | desc 'check', 14 | "Perform the following ensure the CloudTrail S3 bucket has access logging is 15 | enabled: 16 | 17 | **From Console:** 18 | 19 | 1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 20 | 2. 21 | In the API activity history pane on the left, click Trails 22 | 3. In the Trails pane, note the 23 | bucket names in the S3 bucket column 24 | 4. Sign in to the AWS Management Console and open the S3 25 | console at 26 | [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 27 | 5. 28 | Under `All Buckets` click on a target S3 bucket 29 | 6. Click on `Properties` in the top right of 30 | the console 31 | 7. Under `Bucket:` _ `` _ click on `Logging` 32 | 8. Ensure 33 | `Enabled` is checked. 34 | 35 | **From Command Line:** 36 | 37 | 1. Get the name of the S3 bucket that 38 | CloudTrail is logging to: 39 | ``` 40 | aws cloudtrail describe-trails --query 41 | 'trailList[*].S3BucketName' 42 | ``` 43 | 2. Ensure Bucket Logging is enabled: 44 | ``` 45 | aws 46 | s3api get-bucket-logging --bucket 47 | ``` 48 | Ensure command 49 | does not returns empty output. 50 | 51 | Sample Output for a bucket with logging 52 | enabled: 53 | 54 | ``` 55 | { 56 | \"LoggingEnabled\": { 57 | \"TargetPrefix\": \"\", 58 | 59 | \"TargetBucket\": \"\" 60 | } 61 | } 62 | ``` " 63 | desc 'fix', 64 | "Perform the following to enable S3 bucket logging: 65 | 66 | **From Console:** 67 | 68 | 1. Sign in to 69 | the AWS Management Console and open the S3 console at 70 | [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 71 | 2. 72 | Under `All Buckets` click on the target S3 bucket 73 | 3. Click on `Properties` in the top right of 74 | the console 75 | 4. Under `Bucket:` click on `Logging` 76 | 5. 77 | Configure bucket logging 78 | - Click on the `Enabled` checkbox 79 | - Select Target Bucket from 80 | list 81 | - Enter a Target Prefix 82 | 6. Click `Save`. 83 | 84 | **From Command Line:** 85 | 86 | 1. Get the 87 | name of the S3 bucket that CloudTrail is logging to: 88 | ``` 89 | aws cloudtrail describe-trails 90 | --region --query trailList[*].S3BucketName 91 | ``` 92 | 2. Copy and add target 93 | bucket name at ``, Prefix for logfile at `` and 94 | optionally add an email address in the following template and save it as 95 | ``: 96 | ``` 97 | { 98 | \"LoggingEnabled\": { 99 | \"TargetBucket\": 100 | \"\", 101 | \"TargetPrefix\": \"\", 102 | \"TargetGrants\": [ 103 | 104 | { 105 | \"Grantee\": { 106 | \"Type\": \"AmazonCustomerByEmail\", 107 | \"EmailAddress\": \"\" 108 | 109 | }, 110 | \"Permission\": \"FULL_CONTROL\" 111 | } 112 | ] 113 | } 114 | } 115 | ``` 116 | 3. Run the `put-bucket-logging` 117 | command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): 118 | ``` 119 | aws 120 | s3api put-bucket-logging --bucket --bucket-logging-status 121 | file:// 122 | ``` " 123 | desc 'default_value', 'Logging is disabled. ' 124 | impact 0.5 125 | ref 'https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html' 126 | tag nist: %w{AU-12 AU-2} 127 | tag severity: 'medium ' 128 | tag cis_controls: [{ '8' => ['3.14'] }] 129 | 130 | describe aws_cloudtrail_trails do 131 | it { should exist } 132 | end 133 | 134 | aws_cloudtrail_trails.trail_arns.each do |trail| 135 | bucket_name = aws_cloudtrail_trail(trail).s3_bucket_name 136 | if aws_cloudtrail_trails.exist? 137 | if input('exempt_buckets').include?(bucket_name) 138 | describe 'Bucket not inspected because it is defined as an exception' do 139 | skip "Bucket: #{bucket_name} not inspected because it is defined in exempt_buckets." 140 | end 141 | else 142 | describe aws_s3_bucket(bucket_name) do 143 | it { should have_access_logging_enabled } 144 | end 145 | end 146 | end 147 | end 148 | end 149 | -------------------------------------------------------------------------------- /controls/aws-foundations-cis-3.7.rb: -------------------------------------------------------------------------------- 1 | control 'aws-foundations-cis-3.7' do 2 | title 'Ensure CloudTrail logs are encrypted at rest using KMS CMKs ' 3 | desc "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs 4 | available to users and resources in accordance with IAM policies. AWS Key Management Service 5 | (KMS) is a managed service that helps create and control the encryption keys used to encrypt 6 | account data, and uses Hardware Security Modules (HSMs) to protect the security of 7 | encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) 8 | and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is 9 | recommended that CloudTrail be configured to use SSE-KMS. " 10 | desc 'rationale', "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log 11 | data as a given user must have S3 read permission on the corresponding log bucket and must be 12 | granted decrypt permission by the CMK policy. " 13 | desc 'check', "Perform the following to determine if CloudTrail is configured to use SSE-KMS: 14 | 15 | **From 16 | Console:** 17 | 18 | 1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 19 | 2. 20 | In the left navigation pane, choose `Trails` . 21 | 3. Select a Trail 22 | 4. Under the `S3` section, 23 | ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` 24 | field. 25 | 26 | **From Command Line:** 27 | 28 | 1. Run the following command: 29 | ``` 30 | aws cloudtrail 31 | describe-trails 32 | ``` 33 | 2. For each trail listed, SSE-KMS is enabled if the trail has a 34 | `KmsKeyId` property defined. " 35 | desc 'fix', "Perform the following to configure CloudTrail to use SSE-KMS: 36 | 37 | **From Console:** 38 | 39 | 1. 40 | Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 41 | 2. 42 | In the left navigation pane, choose `Trails` . 43 | 3. Click on a Trail 44 | 4. Under the `S3` section 45 | click on the edit button (pencil icon) 46 | 5. Click `Advanced` 47 | 6. Select an existing CMK from 48 | the `KMS key Id` drop-down menu 49 | - Note: Ensure the CMK is located in the same region as the S3 50 | bucket 51 | - Note: You will need to apply a KMS Key policy on the selected CMK in order for 52 | CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are 53 | provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) 54 | for editing the selected CMK Key policy 55 | 7. Click `Save` 56 | 8. You will see a notification 57 | message stating that you need to have decrypt permissions on the specified KMS key to decrypt 58 | log files. 59 | 9. Click `Yes` 60 | 61 | **From Command Line:** 62 | ``` 63 | aws cloudtrail update-trail 64 | --name --kms-id 65 | aws kms put-key-policy --key-id 66 | --policy 67 | ``` " 68 | desc 'additional_information', "3 statements which need to be added to the CMK policy: 69 | 70 | 1\\. Enable Cloudtrail to describe 71 | CMK properties 72 | ``` 73 | 
{
 74 | 
 75 | \"Sid\": \"Allow CloudTrail access\",
 76 |  \"Effect\": \"Allow\",
 77 |  \"Principal\": {
 78 |  \"Service\":
 79 | \"cloudtrail.amazonaws.com\"
 80 |  },
 81 |  \"Action\": \"kms:DescribeKey\",
 82 |  \"Resource\":
 83 | \"*\"
 84 | }
 85 | ```
 86 | 2\\. Granting encrypt permissions
 87 | ```
 88 | 
{
 90 |  \"Sid\": \"Allow CloudTrail to encrypt logs\",
 91 |  \"Effect\":
 92 | \"Allow\",
 93 |  \"Principal\": {
 94 |  \"Service\": \"cloudtrail.amazonaws.com\"
 95 |  },
 96 |  \"Action\":
 97 | \"kms:GenerateDataKey*\",
 98 |  \"Resource\": \"*\",
 99 |  \"Condition\": {
100 |  \"StringLike\": {
101 | 
102 | \"kms:EncryptionContext:aws:cloudtrail:arn\": [
103 | 
104 | \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"
105 |  ]
106 |  }
107 |  }
108 | }
109 | ```
110 | 3\\. Granting
111 | decrypt permissions
112 | ```
113 | 
{
115 |  \"Sid\": \"Enable CloudTrail log decrypt permissions\",
116 |  \"Effect\": \"Allow\",
117 | 
118 | \"Principal\": {
119 |  \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"
120 |  },
121 |  \"Action\":
122 | \"kms:Decrypt\",
123 |  \"Resource\": \"*\",
124 |  \"Condition\": {
125 |  \"Null\": {
126 | 
127 | \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"
128 |  }
129 |  }
130 | }
131 | ``` "
132 |   desc 'impact', "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/
133 | for more information. "
134 |   impact 0.5
135 |   ref 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html'
136 |   tag nist: ['IA-5(1)', 'SC-28', 'SC-28(1)']
137 |   tag severity: 'medium '
138 |   tag cis_controls: [
139 |     { '8' => ['3.11'] },
140 |   ]
141 | 
142 |   describe aws_cloudtrail_trails do
143 |     it { should exist }
144 |   end
145 | 
146 |   if aws_cloudtrail_trails.exist?
147 |     aws_cloudtrail_trails.trail_arns.each do |trail|
148 |       describe aws_cloudtrail_trail(trail) do
149 |         it { should be_encrypted }
150 |       end
151 |     end
152 |   end
153 | end
154 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-3.8.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-3.8' do
 2 |   title 'Ensure rotation for customer created symmetric CMKs is enabled '
 3 |   desc "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key
 4 | material stored within the KMS which is tied to the key ID of the Customer Created customer
 5 | master key (CMK). It is the backing key that is used to perform cryptographic operations such
 6 | as encryption and decryption. Automated key rotation currently retains all prior backing
 7 | keys so that decryption of encrypted data can take place transparently. It is recommended
 8 | that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any
 9 | asymmetric CMK. "
10 |   desc 'rationale', "Rotating encryption keys helps reduce the potential impact of a compromised key as data
11 | encrypted with a new key cannot be accessed with a previous key that may have been
12 | exposed.
13 | Keys should be rotated every year, or upon event that would result in the
14 | compromise of that key. "
15 |   desc 'check', "**From Console:**
16 | 
17 | 1. Sign in to the AWS Management Console and open the IAM console at
18 | [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).
19 | 2. In
20 | the left navigation pane, choose `Customer managed keys`
21 | 3. Select a customer managed CMK
22 | where `Key spec = SYMMETRIC_DEFAULT`
23 | 4. Underneath the `General configuration` panel
24 | open the tab `Key rotation`
25 | 5. Ensure that the checkbox `Automatically rotate this KMS key
26 | every year.` is activated
27 | 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec =
28 | SYMMETRIC_DEFAULT\"
29 | 
30 | **From Command Line:**
31 | 
32 | 1. Run the following command to get a
33 | list of all keys and their associated `KeyIds`
34 | ```
35 |  aws kms list-keys
36 | ```
37 | 2. For each
38 | key, note the KeyId and run the following command
39 | ```
40 | describe-key --key-id
41 | 
42 | ```
43 | 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the
44 | following command
45 | ```
46 |  aws kms get-key-rotation-status --key-id
47 | 
48 | ```
49 | 4. Ensure `KeyRotationEnabled` is set to `true`
50 | 5. Repeat steps 2 - 4
51 | for all remaining CMKs "
52 |   desc 'fix', "**From Console:**
53 | 
54 | 1. Sign in to the AWS Management Console and open the IAM console at
55 | [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).
56 | 2. In
57 | the left navigation pane, choose `Customer managed keys` .
58 | 3. Select a customer managed CMK
59 | where `Key spec = SYMMETRIC_DEFAULT`
60 | 4. Underneath the \"General configuration\" panel
61 | open the tab \"Key rotation\"
62 | 5. Check the \"Automatically rotate this KMS key every year.\"
63 | checkbox
64 | 
65 | **From Command Line:**
66 | 
67 | 1. Run the following command to enable key
68 | rotation:
69 | ```
70 |  aws kms enable-key-rotation --key-id 
71 | ``` "
72 |   desc 'impact', "Creation, management, and storage of CMKs may require additional time from and
73 | administrator. "
74 |   impact 0.5
75 |   ref 'https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final'
76 |   tag nist: ['IA-5(1)', 'SC-28', 'SC-28(1)']
77 |   tag severity: 'medium '
78 |   tag cis_controls: [
79 |     { '8' => ['3.11'] },
80 |   ]
81 | 
82 |   customer_created_symmetric_cmk = (aws_kms_keys.key_arns - input('exempt_kms_keys')).select { |key|
83 |     aws_kms_key(key).enabled? && !aws_kms_key(key).managed_by_aws?
84 |   }
85 | 
86 |   only_if('No non-exempt customer managed KMS keys were discovered', impact: 0.0) { !customer_created_symmetric_cmk.empty? }
87 | 
88 |   failing_keys = customer_created_symmetric_cmk.map { |key_id|
89 |     aws_kms_key(key_id).has_rotation_enabled? ? nil : aws_kms_key(key_id).display_name
90 |   }.compact
91 | 
92 |   describe 'All customer-managed KMS keys' do
93 |     it 'should have rotation enabled' do
94 |       expect(failing_keys).to be_empty, "Customer-managed KMS keys without rotation enabled:\n\t- #{failing_keys.join("\n\t- ")}"
95 |     end
96 |   end
97 | end
98 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-3.9.rb:
--------------------------------------------------------------------------------
  1 | control 'aws-foundations-cis-3.9' do
  2 |   title 'Ensure VPC flow logging is enabled in all VPCs '
  3 |   desc "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to
  4 | and from network interfaces in your VPC. After you've created a flow log, you can view and
  5 | retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled
  6 | for packet \"Rejects\" for VPCs. "
  7 |   desc 'rationale', "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to
  8 | detect anomalous traffic or insight during security workflows. "
  9 |   desc 'check', "Perform the following to determine if VPC Flow logs are enabled:
 10 | 
 11 | **From
 12 | Console:**
 13 | 
 14 | 1. Sign into the management console
 15 | 2. Select `Services` then `VPC`
 16 | 3. In
 17 | the left navigation pane, select `Your VPCs`
 18 | 4. Select a VPC
 19 | 5. In the right pane, select
 20 | the `Flow Logs` tab.
 21 | 6. Ensure a Log Flow exists that has `Active` in the `Status`
 22 | column.
 23 | 
 24 | **From Command Line:**
 25 | 
 26 | 1. Run `describe-vpcs` command (OSX/Linux/UNIX)
 27 | to list the VPC networks available in the current AWS region:
 28 | ```
 29 | aws ec2 describe-vpcs
 30 | --region  --query Vpcs[].VpcId
 31 | ```
 32 | 2. The command output returns the `VpcId`
 33 | available in the selected region.
 34 | 3. Run `describe-flow-logs` command (OSX/Linux/UNIX)
 35 | using the VPC ID to determine if the selected virtual network has the Flow Logs feature
 36 | enabled:
 37 | ```
 38 | aws ec2 describe-flow-logs --filter
 39 | \"Name=resource-id,Values=\"
 40 | ```
 41 | 4. If there are no Flow Logs created for the
 42 | selected VPC, the command output will return an `empty list []`.
 43 | 5. Repeat step 3 for other
 44 | VPCs available in the same region.
 45 | 6. Change the region by updating `--region` and repeat
 46 | steps 1 - 5 for all the VPCs. "
 47 |   desc 'fix', "Perform the following to determine if VPC Flow logs is enabled:
 48 | 
 49 | **From Console:**
 50 | 
 51 | 1.
 52 | Sign into the management console
 53 | 2. Select `Services` then `VPC`
 54 | 3. In the left
 55 | navigation pane, select `Your VPCs`
 56 | 4. Select a VPC
 57 | 5. In the right pane, select the `Flow
 58 | Logs` tab.
 59 | 6. If no Flow Log exists, click `Create Flow Log`
 60 | 7. For Filter, select
 61 | `Reject`
 62 | 8. Enter in a `Role` and `Destination Log Group`
 63 | 9. Click `Create Log Flow`
 64 | 10.
 65 | Click on `CloudWatch Logs Group`
 66 | 
 67 | **Note:** Setting the filter to \"Reject\" will
 68 | dramatically reduce the logging data accumulation for this recommendation and provide
 69 | sufficient information for the purposes of breach detection, research and remediation.
 70 | However, during periods of least privilege security group engineering, setting this the
 71 | filter to \"All\" can be very helpful in discovering existing traffic flows required for proper
 72 | operation of an already running environment.
 73 | 
 74 | **From Command Line:**
 75 | 
 76 | 1. Create a
 77 | policy document and name it as `role_policy_document.json` and paste the following
 78 | content:
 79 | ```
 80 | {
 81 |  \"Version\": \"2012-10-17\",
 82 |  \"Statement\": [
 83 |  {
 84 |  \"Sid\": \"test\",
 85 | 
 86 | \"Effect\": \"Allow\",
 87 |  \"Principal\": {
 88 |  \"Service\": \"ec2.amazonaws.com\"
 89 |  },
 90 |  \"Action\":
 91 | \"sts:AssumeRole\"
 92 |  }
 93 |  ]
 94 | }
 95 | ```
 96 | 2. Create another policy document and name it as
 97 | `iam_policy.json` and paste the following content:
 98 | ```
 99 | {
100 |  \"Version\":
101 | \"2012-10-17\",
102 |  \"Statement\": [
103 |  {
104 |  \"Effect\": \"Allow\",
105 |  \"Action\":[
106 | 
107 | \"logs:CreateLogGroup\",
108 |  \"logs:CreateLogStream\",
109 |  \"logs:DescribeLogGroups\",
110 | 
111 | \"logs:DescribeLogStreams\",
112 |  \"logs:PutLogEvents\",
113 |  \"logs:GetLogEvents\",
114 | 
115 | \"logs:FilterLogEvents\"
116 |  ],
117 |  \"Resource\": \"*\"
118 |  }
119 |  ]
120 | }
121 | ```
122 | 3. Run the below command
123 | to create an IAM role:
124 | ```
125 | aws iam create-role --role-name 
126 | --assume-role-policy-document file://role_policy_document.json
127 | 
128 | ```
129 | 4. Run the below command to create an IAM policy:
130 | ```
131 | aws iam create-policy
132 | --policy-name  --policy-document
133 | file://iam-policy.json
134 | ```
135 | 5. Run `attach-group-policy` command using
136 | the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the
137 | command succeeds, no output is returned):
138 | ```
139 | aws iam attach-group-policy
140 | --policy-arn arn:aws:iam:::policy/ --group-name
141 | 
142 | ```
143 | 6. Run `describe-vpcs` to get the VpcId available in the selected
144 | region:
145 | ```
146 | aws ec2 describe-vpcs --region 
147 | ```
148 | 7. The command output
149 | should return the VPC Id available in the selected region.
150 | 8. Run `create-flow-logs` to
151 | create a flow log for the vpc:
152 | ```
153 | aws ec2 create-flow-logs --resource-type VPC
154 | --resource-ids  --traffic-type REJECT --log-group-name 
155 | --deliver-logs-permission-arn 
156 | ```
157 | 9. Repeat step 8 for other vpcs
158 | available in the selected region.
159 | 10. Change the region by updating --region and repeat
160 | remediation procedure for other vpcs. "
161 |   desc 'impact', "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period
162 | is defined for the log group. When choosing the number of days to retain, keep in mind the
163 | average days it takes an organization to realize they have been breached is 210 days (at the
164 | time of this writing). Since additional time is required to research a breach, a minimum 365
165 | day retention policy allows time for detection and research. You may also wish to archive the
166 | logs to a cheaper storage service rather than simply deleting them. See the following AWS
167 | resource to manage CloudWatch Logs retention periods:
168 | 
169 | 1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html "
170 |   impact 0.5
171 |   ref 'https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html'
172 |   tag nist: %w{AU-2 AU-7 AU-12}
173 |   tag severity: 'medium '
174 |   tag cis_controls: [
175 |     { '8' => ['8.2'] },
176 |   ]
177 | 
178 |   only_if('No VPCs discovered', impact: 0.0) { !aws_vpcs.vpc_ids.empty? }
179 | 
180 |   aws_vpcs.vpc_ids.each do |vpc_id|
181 |     describe aws_flow_log(vpc_id: vpc_id) do
182 |       it { should exist }
183 |     end
184 |   end
185 | end
186 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-4.16.rb:
--------------------------------------------------------------------------------
  1 | control 'aws-foundations-cis-4.16' do
  2 |   title 'Ensure AWS Security Hub is enabled for each active region'
  3 |   desc "Security Hub collects security data from across AWS accounts, services, and supported
  4 | third-party partner products and helps you analyze your security trends and identify the
  5 | highest priority security issues. When you enable Security Hub, it begins to consume,
  6 | aggregate, organize, and prioritize findings from AWS services that you have enabled, such
  7 | as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations
  8 | with AWS partner security products. "
  9 |   desc 'rationale',
 10 |        "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps
 11 | you check your environment against security industry standards and best practices -
 12 | enabling you to quickly assess the security posture across your AWS accounts. "
 13 |   desc 'check',
 14 |        "The process to evaluate AWS Security Hub configuration per region
 15 | 
 16 | **From
 17 | Console:**
 18 | 
 19 | 1. Sign in to the AWS Management Console and open the AWS Security Hub console
 20 | at https://console.aws.amazon.com/securityhub/.
 21 | 2. On the top right of the console,
 22 | select the target Region.
 23 | 3. If presented with the Security Hub > Summary page then Security
 24 | Hub is set-up for the selected region.
 25 | 4. If presented with Setup Security Hub or Get Started
 26 | With Security Hub - follow the online instructions.
 27 | 5. Repeat steps 2 to 4 for each
 28 | region.
 29 | 
 30 | **From Command Line:**
 31 | 
 32 | Run the following to list the Securityhub
 33 | status:
 34 | ```
 35 | aws securityhub describe-hub
 36 | ```
 37 | This will list the Securityhub status
 38 | by region. Audit for the presence of a 'SubscribedAt' value
 39 | 
 40 | Example output:
 41 | ```
 42 | {
 43 | 
 44 | \"HubArn\": \"\",
 45 |  \"SubscribedAt\": \"2022-08-19T17:06:42.398Z\",
 46 | 
 47 | \"AutoEnableControls\": true
 48 | }
 49 | ```
 50 | An error will be returned if Securityhub is not
 51 | enabled.
 52 | 
 53 | Example error:
 54 | ```
 55 | An error occurred (InvalidAccessException) when
 56 | calling the DescribeHub operation: Account  is not subscribed to AWS Security
 57 | Hub
 58 | ``` "
 59 |   desc 'fix',
 60 |        "To grant the permissions required to enable Security Hub, attach the Security Hub managed
 61 | policy AWSSecurityHubFullAccess to an IAM user, group, or role.
 62 | 
 63 | Enabling Security
 64 | Hub
 65 | 
 66 | **From Console:**
 67 | 
 68 | 1. Use the credentials of the IAM identity to sign in to the
 69 | Security Hub console.
 70 | 2. When you open the Security Hub console for the first time, choose
 71 | Enable AWS Security Hub.
 72 | 3. On the welcome page, Security standards list the security
 73 | standards that Security Hub supports.
 74 | 4. Choose Enable Security Hub.
 75 | 
 76 | **From Command
 77 | Line:**
 78 | 
 79 | 1. Run the enable-security-hub command. To enable the default standards,
 80 | include `--enable-default-standards`.
 81 | ```
 82 | aws securityhub enable-security-hub
 83 | --enable-default-standards
 84 | ```
 85 | 
 86 | 2. To enable the security hub without the default
 87 | standards, include `--no-enable-default-standards`.
 88 | ```
 89 | aws securityhub
 90 | enable-security-hub --no-enable-default-standards
 91 | ``` "
 92 |   desc 'impact',
 93 |        "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS
 94 | Config to be enabled. "
 95 |   impact 0.5
 96 | 
 97 |   ref 'https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html'
 98 |   ref 'https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api'
 99 |   ref 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html'
100 | 
101 |   tag nist: ['CM-6(1)']
102 |   tag severity: 'medium'
103 |   tag cis_controls: [{ '7' => ['11.3'] }]
104 | 
105 |   all_regions = aws_regions.region_names
106 |   exempt_regions = input('exempt_regions')
107 |   in_scope_regions = all_regions - exempt_regions
108 | 
109 |   only_if("This control is Not Applicable since no 'non-exempt' regions were found", impact: 0.0) { not in_scope_regions.presence.nil? }
110 | 
111 |   unsubscribed_regions = in_scope_regions.reject { |region| aws_securityhub(aws_region: region).subscribed? }
112 | 
113 |   describe 'All non-exempt AWS Regions' do
114 |     it 'are subscribed to Security Hub' do
115 |       failure_message = "The following regions should subscribed to Security Hub: #{unsubscribed_regions.join(', ')}"
116 |       expect(unsubscribed_regions).to be_empty, failure_message
117 |     end
118 |   end
119 |   only_if { not input('exempt_regions').empty? }
120 |   describe 'Warning: Skipped Regions' do
121 |     exempt_regions.each { |skipped| skip "Exempt Region: #{skipped} was Not Reviewed" }
122 |   end
123 | end
124 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.1.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-5.1' do
 2 |   title 'Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports '
 3 |   desc "The Network Access Control List (NACL) function provide stateless filtering of ingress and
 4 | egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted
 5 | ingress access to remote server administration ports, such as SSH to port `22` and RDP to port
 6 | `3389`, using either the TDP (6), UDP (17) or ALL (-1) protocols "
 7 |   desc 'rationale',
 8 |        "Public access to remote server administration ports, such as 22 and 3389, increases resource
 9 | attack surface and unnecessarily raises the risk of resource compromise. "
10 |   desc 'check',
11 |        "**From Console:**
12 | 
13 | Perform the following to determine if the account is configured as
14 | prescribed:
15 | 1. Login to the AWS Management Console at
16 | https://console.aws.amazon.com/vpc/home
17 | 2. In the left pane, click `Network ACLs`
18 | 3.
19 | For each network ACL, perform the following:
20 |  - Select the network ACL
21 |  - Click the `Inbound
22 | Rules` tab
23 |  - Ensure no rule exists that has a port range that includes port `22`, `3389`,
24 | using the protocols TDP (6), UDP (17) or ALL (-1) or other remote server administration ports
25 | for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`
26 | 
27 | **Note:** A Port
28 | value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other
29 | remote server administration ports "
30 |   desc 'fix',
31 |        "**From Console:**
32 | 
33 | Perform the following:
34 | 1. Login to the AWS Management Console at
35 | https://console.aws.amazon.com/vpc/home
36 | 2. In the left pane, click `Network ACLs`
37 | 3.
38 | For each network ACL to remediate, perform the following:
39 |  - Select the network ACL
40 |  - Click
41 | the `Inbound Rules` tab
42 |  - Click `Edit inbound rules`
43 |  - Either A) update the Source field to
44 | a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule
45 |  -
46 | Click `Save` "
47 |   impact 0.5
48 |   ref 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison'
49 |   tag nist: ['CM-7(1)']
50 |   tag severity: 'medium '
51 |   tag cis_controls: [{ '7' => ['9.2'] }]
52 | 
53 |   only_if('This control takes a long time to run, excluding due to "disable_slow_controls"') { !input('disable_slow_controls') }
54 | 
55 |   active_ports = input('remote_management_port_ranges') - input('exempt_ports')
56 |   active_protocols = input('remote_management_protocols') - input('exempt_protocols')
57 |   acls = aws_network_acls.where { entries_cidr_blocks.include?('0.0.0.0/0') }.network_acl_ids - input('exempt_acl_ids')
58 | 
59 |   only_if('No non-exempt network ACLs with a 0.0.0.0/0 CIDR block entry were discovered', impact: 0.0) { !acls.empty? }
60 | 
61 |   acls.each do |network_acl_id|
62 |     acl = aws_network_acl(network_acl_id: network_acl_id).acls
63 |     active_ports.each do |pr|
64 |       describe acl.where { cidr_block == '0.0.0.0/0' && rule_action == 'allow' && port_range == pr } do
65 |         it { should_not exist }
66 |       end
67 |     end
68 |     active_protocols.each do |p|
69 |       describe acl.where { cidr_block == '0.0.0.0/0' && rule_action == 'allow' && protocol == p } do
70 |         it { should_not exist }
71 |       end
72 |     end
73 |   end
74 | end
75 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.2.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-5.2' do
 2 |   title "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration
 3 | ports "
 4 |   desc "Security groups provide stateful filtering of ingress and egress network traffic to AWS
 5 | resources. It is recommended that no security group allows unrestricted ingress access to
 6 | remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using
 7 | either the TDP (6), UDP (17) or ALL (-1) protocols "
 8 |   desc 'rationale',
 9 |        "Public access to remote server administration ports, such as 22 and 3389, increases resource
10 | attack surface and unnecessarily raises the risk of resource compromise. "
11 |   desc 'check',
12 |        "Perform the following to determine if the account is configured as prescribed:
13 | 
14 | 1. Login
15 | to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
16 | 2.
17 | In the left pane, click `Security Groups`
18 | 3. For each security group, perform the
19 | following:
20 | 1. Select the security group
21 | 2. Click the `Inbound Rules` tab
22 | 3. Ensure no
23 | rule exists that has a port range that includes port `22`, `3389`, using the protocols TDP (6),
24 | UDP (17) or ALL (-1) or other remote server administration ports for your environment and has a
25 | `Source` of `0.0.0.0/0`
26 | 
27 | **Note:** A Port value of `ALL` or a port range such as `0-1024`
28 | are inclusive of port `22`, `3389`, and other remote server administration ports. "
29 |   desc 'fix',
30 |        "Perform the following to implement the prescribed state:
31 | 
32 | 1. Login to the AWS Management
33 | Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
34 | 2.
35 | In the left pane, click `Security Groups`
36 | 3. For each security group, perform the
37 | following:
38 | 1. Select the security group
39 | 2. Click the `Inbound Rules` tab
40 | 3. Click the
41 | `Edit inbound rules` button
42 | 4. Identify the rules to be edited or removed
43 | 5. Either A)
44 | update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the
45 | offending inbound rule
46 | 6. Click `Save rules` "
47 |   desc 'impact',
48 |        "When updating an existing environment, ensure that administrators have access to remote
49 | server administration ports through another mechanism before removing access by deleting
50 | the 0.0.0.0/0 inbound rule. "
51 |   impact 0.5
52 |   ref 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'
53 |   tag nist: ['CM-7(1)']
54 |   tag severity: 'medium '
55 |   tag cis_controls: [{ '7' => ['9.2'] }]
56 | 
57 |   only_if('This control takes a long time to run, excluding due to "disable_slow_controls"') { !input('disable_slow_controls') }
58 | 
59 |   active_ports = input('remote_management_port_ranges') - input('exempt_ports')
60 |   active_protocols = input('remote_management_protocols') - input('exempt_protocols')
61 |   active_regions = aws_regions.region_names - input('exempt_regions')
62 |   active_regions = [input('default_aws_region')] if input('ignore_other_regions')
63 |   active_sgs = aws_security_groups.group_names - input('exempt_security_groups')
64 |   regexs = input('exempt_sg_patterns')
65 | 
66 |   only_if('No non-exempt security groups discovered', impact: 0.0) { !active_sgs.empty? }
67 | 
68 |   active_regions.each do |region_name|
69 |     active_sgs.each do |sg_name|
70 |       active_ports.each do |port|
71 |         describe aws_security_group(group_name: sg_name, aws_region: region_name) do
72 |           next if regexs.map(&:to_regexp).any? { |pattern| pattern.match?(sg_name) }
73 |           it { should_not allow_in(port: port, ipv4_range: '0.0.0.0/0') }
74 |         end
75 |       end
76 |       active_protocols.each do |protocol|
77 |         describe aws_security_group(group_name: sg_name, aws_region: region_name) do
78 |           next if regexs.map(&:to_regexp).any? { |pattern| pattern.match?(sg_name) }
79 |           it { should_not allow_in(protocol: protocol.to_s, ipv4_range: '0.0.0.0/0') }
80 |         end
81 |       end
82 |     end
83 |   end
84 | end
85 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.3.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-5.3' do
 2 |   title 'Ensure no security groups allow ingress from ::/0 to remote server administration ports '
 3 |   desc "Security groups provide stateful filtering of ingress and egress network traffic to AWS
 4 | resources. It is recommended that no security group allows unrestricted ingress access to
 5 | remote server administration ports, such as SSH to port `22` and RDP to port `3389`. "
 6 |   desc 'rationale',
 7 |        "Public access to remote server administration ports, such as 22 and 3389, increases resource
 8 | attack surface and unnecessarily raises the risk of resource compromise. "
 9 |   desc 'check',
10 |        "Perform the following to determine if the account is configured as prescribed:
11 | 
12 | 1. Login
13 | to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
14 | 2.
15 | In the left pane, click `Security Groups`
16 | 3. For each security group, perform the
17 | following:
18 | 1. Select the security group
19 | 2. Click the `Inbound Rules` tab
20 | 3. Ensure no
21 | rule exists that has a port range that includes port `22`, `3389`, or other remote server
22 | administration ports for your environment and has a `Source` of `::/0`
23 | 
24 | **Note:** A Port
25 | value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other
26 | remote server administration ports. "
27 |   desc 'fix',
28 |        "Perform the following to implement the prescribed state:
29 | 
30 | 1. Login to the AWS Management
31 | Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
32 | 2.
33 | In the left pane, click `Security Groups`
34 | 3. For each security group, perform the
35 | following:
36 | 1. Select the security group
37 | 2. Click the `Inbound Rules` tab
38 | 3. Click the
39 | `Edit inbound rules` button
40 | 4. Identify the rules to be edited or removed
41 | 5. Either A)
42 | update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the
43 | offending inbound rule
44 | 6. Click `Save rules` "
45 |   desc 'impact',
46 |        "When updating an existing environment, ensure that administrators have access to remote
47 | server administration ports through another mechanism before removing access by deleting
48 | the ::/0 inbound rule. "
49 |   impact 0.5
50 |   ref 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'
51 |   tag nist: ['CM-7(1)']
52 |   tag severity: 'medium '
53 |   tag cis_controls: [{ '7' => ['9.2'] }]
54 | 
55 |   only_if('This control takes a long time to run, excluding due to "disable_slow_controls"') { !input('disable_slow_controls') }
56 | 
57 |   active_ports = input('remote_management_port_ranges') - input('exempt_ports')
58 |   active_regions = aws_regions.region_names - input('exempt_regions')
59 |   active_regions = [input('default_aws_region')] if input('ignore_other_regions')
60 |   active_sgs = aws_security_groups.group_names - input('exempt_security_groups')
61 |   regexs = input('exempt_sg_patterns')
62 | 
63 |   only_if('No non-exempt security groups discovered', impact: 0.0) { !active_sgs.empty? }
64 | 
65 |   active_ports.each do |port|
66 |     active_regions.each do |region_name|
67 |       active_sgs.each do |sg_name|
68 |         describe aws_security_group(group_name: sg_name, aws_region: region_name) do
69 |           next if regexs.map(&:to_regexp).any? { |pattern| pattern.match?(sg_name) }
70 |           it { should_not allow_in(port: port, ipv6_range: '::/0') }
71 |         end
72 |       end
73 |     end
74 |   end
75 | end
76 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.4.rb:
--------------------------------------------------------------------------------
  1 | control 'aws-foundations-cis-5.4' do
  2 |   title 'Ensure the default security group of every VPC restricts all traffic '
  3 |   desc "A VPC comes with a default security group whose initial settings deny all inbound traffic,
  4 | allow all outbound traffic, and allow all traffic between instances assigned to the security
  5 | group. If you don't specify a security group when you launch an instance, the instance is
  6 | automatically assigned to this default security group. Security groups provide stateful
  7 | filtering of ingress/egress network traffic to AWS resources. It is recommended that the
  8 | default security group restrict all traffic.
  9 | 
 10 | The default VPC in every region should have
 11 | its default security group updated to comply. Any newly created VPCs will automatically
 12 | contain a default security group that will need remediation to comply with this
 13 | recommendation.
 14 | 
 15 | **NOTE:** When implementing this recommendation, VPC flow logging is
 16 | invaluable in determining the least privilege port access required by systems to work
 17 | properly because it can log all packet acceptances and rejections occurring under the
 18 | current security groups. This dramatically reduces the primary barrier to least privilege
 19 | engineering - discovering the minimum ports required by systems in the environment. Even if
 20 | the VPC flow logging recommendation in this benchmark is not adopted as a permanent security
 21 | measure, it should be used during any period of discovery and engineering for least
 22 | privileged security groups. "
 23 |   desc 'rationale',
 24 |        "Configuring all VPC default security groups to restrict all traffic will encourage least
 25 | privilege security group development and mindful placement of AWS resources into security
 26 | groups which will in-turn reduce the exposure of those resources. "
 27 |   desc 'check',
 28 |        "Perform the following to determine if the account is configured as prescribed:
 29 | 
 30 | Security
 31 | Group State
 32 | 
 33 | 1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
 34 | 2.
 35 | Repeat the next steps for all VPCs - including the default VPC in each AWS region:
 36 | 3. In the
 37 | left pane, click `Security Groups`
 38 | 4. For each default security group, perform the
 39 | following:
 40 | 1. Select the `default` security group
 41 | 2. Click the `Inbound Rules` tab
 42 | 3.
 43 | Ensure no rule exist
 44 | 4. Click the `Outbound Rules` tab
 45 | 5. Ensure no rules
 46 | exist
 47 | 
 48 | Security Group Members
 49 | 
 50 | 1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
 51 | 2.
 52 | Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS
 53 | region:
 54 | 3. In the left pane, click `Security Groups`
 55 | 4. Copy the id of the default security
 56 | group.
 57 | 5. Change to the EC2 Management Console at
 58 | https://console.aws.amazon.com/ec2/v2/home
 59 | 6. In the filter column type 'Security
 60 | Group ID : < security group id from #4 >' "
 61 |   desc 'fix',
 62 |        "Security Group Members
 63 | 
 64 | Perform the following to implement the prescribed state:
 65 | 
 66 | 1.
 67 | Identify AWS resources that exist within the default security group
 68 | 2. Create a set of least
 69 | privilege security groups for those resources
 70 | 3. Place the resources in those security
 71 | groups
 72 | 4. Remove the resources noted in #1 from the default security group
 73 | 
 74 | Security
 75 | Group State
 76 | 
 77 | 1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)
 78 | 2.
 79 | Repeat the next steps for all VPCs - including the default VPC in each AWS region:
 80 | 3. In the
 81 | left pane, click `Security Groups`
 82 | 4. For each default security group, perform the
 83 | following:
 84 | 1. Select the `default` security group
 85 | 2. Click the `Inbound Rules` tab
 86 | 3.
 87 | Remove any inbound rules
 88 | 4. Click the `Outbound Rules` tab
 89 | 5. Remove any Outbound
 90 | rules
 91 | 
 92 | Recommended:
 93 | 
 94 | IAM groups allow you to edit the \"name\" field. After remediating
 95 | default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT
 96 | USE. DO NOT ADD RULES\" "
 97 |   desc 'impact',
 98 |        "Implementing this recommendation in an existing VPC containing operating resources
 99 | requires extremely careful migration planning as the default security groups are likely to
100 | be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing
101 | environment that is known to be breach free will reveal the current pattern of ports being used
102 | for each instance to communicate successfully. "
103 |   impact 0.5
104 |   ref 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group'
105 |   tag nist: ['AC-3']
106 |   tag severity: 'medium '
107 |   tag cis_controls: [{ '8' => ['3.3'] }]
108 | 
109 |   only_if('The requirement is Not Applicable since no VPCs were Found.', impact: 0.0) do
110 |     aws_vpcs.exist?
111 |   end
112 | 
113 |   in_scope_vpcs = aws_vpcs.vpc_ids - input('exempt_vpcs')
114 |   in_scope_vpcs.each do |vpc_id|
115 |     describe aws_security_group(group_name: 'default', vpc_id: vpc_id) do
116 |       its('inbound_rules') { should be_empty }
117 |       its('outbound_rules') { should be_empty }
118 |     end
119 |   end
120 | end
121 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.5.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-5.5' do
 2 |   title 'Ensure routing tables for VPC peering are "least access" '
 3 |   desc "Once a VPC peering connection is established, routing tables must be updated to establish any
 4 | connections between the peered VPCs. These routes can be as specific as desired - even peering
 5 | a VPC to only a single host on the other side of the connection. "
 6 |   desc 'rationale', "Being highly selective in peering routing tables is a very effective way of minimizing the
 7 | impact of breach as resources outside of these routes are inaccessible to the peered VPC. "
 8 |   desc 'check', "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether
 9 | that is necessary to accomplish the intended purposes for peering the VPCs.
10 | 
11 | **From
12 | Command Line:**
13 | 
14 | 1. List all the route tables from a VPC and check if \"GatewayId\" is
15 | pointing to a __ (e.g. pcx-1a2b3c4d) and if
16 | \"DestinationCidrBlock\" is as specific as desired.
17 | ```
18 | aws ec2 describe-route-tables
19 | --filter \"Name=vpc-id,Values=\" --query
20 | \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes,
21 | AssociatedSubnets:Associations[*].SubnetId}\"
22 | ``` "
23 |   desc 'fix', "Remove and add route table entries to ensure that the least number of subnets or hosts as is
24 | required to accomplish the purpose for peering are routable.
25 | 
26 | **From Command
27 | Line:**
28 | 
29 | 1. For each __ containing routes non compliant with your
30 | routing policy (which grants more than desired \"least access\"), delete the non compliant
31 | route:
32 | ```
33 | aws ec2 delete-route --route-table-id 
34 | --destination-cidr-block 
35 | ```
36 |  2. Create a new
37 | compliant route:
38 | ```
39 | aws ec2 create-route --route-table-id 
40 | --destination-cidr-block  --vpc-peering-connection-id
41 | 
42 | ``` "
43 |   desc 'additional_information', "If an organization has AWS transit gateway implemented in their VPC architecture they should
44 | look to apply the recommendation above for \"least access\" routing architecture at the AWS
45 | transit gateway level in combination with what must be implemented at the standard VPC route
46 | table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs
47 | must have an attachment to a transit gateway route table as well as a route, therefore to avoid
48 | routing traffic between VPCs an attachment to the transit gateway route table should only be
49 | added where there is an intention to route traffic between the VPCs. As transit gateways are
50 | able to host multiple route tables it is possible to group VPCs by attaching them to a common
51 | route table. "
52 |   impact 0.5
53 |   ref 'https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html'
54 |   tag nist: ['AC-6']
55 |   tag severity: 'medium '
56 |   tag cis_controls: [
57 |     { '8' => ['3.3'] },
58 |   ]
59 | 
60 |   routes = aws_route_tables.route_table_ids - input('exempt_routes')
61 | 
62 |   only_if('No non-exempt route tables were discovered', impact: 0.0) { !routes.empty? }
63 | 
64 |   routes.each do |route_table_id|
65 |     aws_route_table(route_table_id).routes.each do |route|
66 |       next unless route.key?(:vpc_peering_connection_id)
67 |       describe route do
68 |         its([:destination_cidr_block]) { should_not be nil }
69 |       end
70 |     end
71 |     next unless aws_route_table(route_table_id).routes.none? { |route| route.key?(:vpc_peering_connection_id) }
72 |     describe 'No routes with peering connection were found for the route table' do
73 |       skip "No routes with peering connection were found for the route_table #{route_table_id}"
74 |     end
75 |   end
76 | end
77 | 


--------------------------------------------------------------------------------
/controls/aws-foundations-cis-5.6.rb:
--------------------------------------------------------------------------------
 1 | control 'aws-foundations-cis-5.6' do
 2 |   title 'Ensure that EC2 Metadata Service only allows IMDSv2'
 3 |   desc "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either
 4 |         Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance
 5 |         Metadata Service Version 2 (IMDSv2; a session-oriented method)."
 6 |   desc 'rationale',
 7 |        "Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery
 8 | (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security. "
 9 |   desc 'check',
10 |        "From Console:
11 | 1. Login to AWS Management Console and open the Amazon EC2 console using
12 | https://console.aws.amazon.com/ec2/
13 | 2. Under the Instances menu, select
14 | Instances.
15 | 3. For each Instance, select the instance, then choose Actions > Modify
16 | instance metadata options.
17 | 4. If the Instance metadata service is enabled, verify whether
18 | IMDSv2 is set to required.
19 | 
20 | From Command Line:
21 | 1. Use the describe-instances CLI
22 | command
23 | 2. Ensure for all ec2 instances that the metadata-options.http-tokens setting is
24 | set to required.
25 | 3. Repeat for all active regions.
26 | ```
27 | aws ec2 describe-instances
28 | --filters \"Name=metadata-options.http-tokens\",\"Values=optional\"
29 | \"Name=metadata-options.state\",\"Values=applied\" --query
30 | \"Reservations[*].Instances[*].\"
31 | ``` "
32 |   desc 'fix',
33 |        "From Console:
34 |     1. Login to AWS Management Console and open the Amazon EC2 console using
35 |     https://console.aws.amazon.com/ec2/
36 |     2. Under the Instances menu, select
37 |     Instances.
38 |     3. For each Instance, select the instance, then choose Actions > Modify
39 |     instance metadata options.
40 |     4. If the Instance metadata service is enabled, set IMDSv2 to
41 |     Required.
42 | 
43 |     From Command Line:
44 |     ```
45 |     aws ec2 modify-instance-metadata-options
46 |     --instance-id  --http-tokens required
47 |     ``` "
48 |   impact 0.5
49 |   ref 'https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html'
50 |   tag nist: %w{SI-10 SC-8}
51 |   tag severity: 'medium'
52 |   ref 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html'
53 | 
54 |   only_if('This requirement is Non Applicable since no EC2 instances were found.', impact: 0.0) do
55 |     aws_ec2_instances.exist?
56 |   end
57 | 
58 |   failing_ec2 = []
59 |   aws_ec2_instances.instance_ids.each do |instance_id|
60 |     instance = aws_ec2_instance(instance_id)
61 |     next if input('exempt_ec2s').include?(instance_id)
62 |     next if instance.stopped? && input('skip_stopped_ec2s')
63 |     next if instance.metadata_options.http_tokens == 'required'
64 |     next if instance.metadata_options.http_endpoint == 'enabled'
65 |     failing_ec2 += instance_id
66 |   end
67 | 
68 |   describe 'All EC2 Instances' do
69 |     it 'should only allow IMDSv2' do
70 |       expect(failing_ec2).to be_empty, "Failing EC2s:\t#{failing_ec2}"
71 |     end
72 |   end
73 | end
74 | 


--------------------------------------------------------------------------------
/default.inputs.yml:
--------------------------------------------------------------------------------
1 | ---
2 | disable_slow_controls: false
3 | exempt_vpcs: []
4 | exempt_rds: []
5 | 


--------------------------------------------------------------------------------
/default.threshold.yml:
--------------------------------------------------------------------------------
1 | ---
2 | error:
3 |   total: 0
4 | compliance:
5 |   min: 10
6 | 


--------------------------------------------------------------------------------
/generate_inputs.rb:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/ruby
 2 | 
 3 | require 'yaml'
 4 | require 'json'
 5 | require 'pry'
 6 | 
 7 | aws_regions = JSON.parse(
 8 |   `aws ec2 describe-regions --filters "Name=region-name,Values=*us*" --query "Regions[].{Name:RegionName}" --output json`,
 9 | ).map { |x| x['Name'] }
10 | 
11 | # aws_regions = %w{us-east-1 us-east-2 us-west-1 us-west-2}
12 | 
13 | inputs_file = {}
14 | 
15 | config_delivery_channels = {}
16 | 
17 | aws_regions.each do |region|
18 |   channels =
19 |     JSON.parse(
20 |       `aws configservice describe-delivery-channels --region #{region}`,
21 |     )
22 |   channels['DeliveryChannels'].each do |channel|
23 |     puts "channel: #{channel}"
24 |     config_delivery_channels[region] = {
25 |       's3_bucket_name' => channel['s3BucketName'],
26 |       'sns_topic_arn' => channel['snsTopicARN'],
27 |     }
28 |   end
29 | end
30 | 
31 | inputs_file['config_delivery_channels'] = config_delivery_channels
32 | 
33 | puts YAML.dump(inputs_file)
34 | 


--------------------------------------------------------------------------------
/inspec.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | name: "aws-foundations-cis-baseline"
  3 | title: "aws-foundations-cis-baseline"
  4 | maintainer: "MITRE SAF Team"
  5 | copyright: "MITRE, 2023"
  6 | copyright_email: "saf@groups.mitre.org"
  7 | license: "Apache-2.0"
  8 | summary: "InSpec Validation Profile for the CIS AWS Foundations Benchmark v2.0"
  9 | version: 2.0.5
 10 | inspec_version: ">= 4.0"
 11 | supports:
 12 |   - platform: aws
 13 | 
 14 | depends:
 15 |   - name: inspec-aws
 16 |     # path: ../inspec-aws
 17 |     git: https://github.com/mitre/inspec-aws.git
 18 |     branch: al_resource_updates
 19 | 
 20 | inputs:
 21 |   - name: disable_slow_controls
 22 |     description: "Don't Run Long Running Controls (dev/testing only)"
 23 |     type: Boolean
 24 |     value: false
 25 | 
 26 |   - name: default_aws_region
 27 |     description: "Primary aws region your resources are deployed."
 28 |     type: String
 29 |     value: "us-east-1"
 30 |     sensitive: true
 31 | 
 32 |   - name: ignore_other_regions
 33 |     description: "Ignore all regions except your 'default_aws_region'"
 34 |     type: Boolean
 35 |     value: false
 36 | 
 37 |   - name: exempt_regions
 38 |     description: "The AWS Regions exempted from inspection"
 39 |     type: Array
 40 |     value:
 41 |       - us-east-2
 42 |       - us-west-2
 43 |       - eu-central-1
 44 |       - eu-west-1
 45 |       - eu-west-2
 46 |       - eu-west-3
 47 |       - eu-north-1
 48 |       - ap-south-1
 49 |       - ap-southeast-2
 50 |       - ap-southeast-1
 51 |       - sa-east-1
 52 |       - ca-central-1
 53 |       - ap-northeast-1
 54 |       - ap-northeast-2
 55 |       - ap-northeast-3
 56 | 
 57 |   - name: exempt_ports
 58 |     description: "List of ports that you wish to exclude from validation (allow connections from these ports)"
 59 |     type: Array
 60 |     value: []
 61 | 
 62 |   - name: exempt_protocols
 63 |     description: "List of protocols that you wish to exclude from validation (allow connections over these protocols)"
 64 |     type: Array
 65 |     value: []
 66 | 
 67 |   - name: exempt_kms_keys
 68 |     description: "List of KMS keys exempted from inspection"
 69 |     type: Array
 70 |     value: []
 71 | 
 72 |   - name: exempt_routes
 73 |     description: "List of route tables exempted from inspection"
 74 |     type: Array
 75 |     value: []
 76 | 
 77 |   - name: pwd_length
 78 |     description: "Required password length"
 79 |     type: Numeric
 80 |     value: 14
 81 | 
 82 |   - name: aws_cred_age
 83 |     description: "The maximum allowed IAM account age"
 84 |     type: Numeric
 85 |     value: 90
 86 | 
 87 |   - name: exempt_vpcs
 88 |     description: "List of vpcs exempted from inspection"
 89 |     type: Array
 90 |     value: []
 91 | 
 92 |   - name: exempt_buckets
 93 |     description: "List of buckets exempted from inspection"
 94 |     type: Array
 95 |     value:
 96 |       - "factor-test"
 97 | 
 98 |   - name: single_bucket
 99 |     description: "Name of the single bucket you want to be inspected"
100 |     type: String
101 |     value: ""
102 | 
103 |   - name: exempt_ec2s
104 |     description: "List of ec2 exempted from inspection"
105 |     type: Array
106 |     value: []
107 | 
108 |   - name: exempt_efs
109 |     description: "List of efs exempted from inspection"
110 |     type: Array
111 |     value: []
112 | 
113 |   - name: single_efs
114 |     description: "Name of the single EFS you want to be inspected"
115 |     type: String
116 |     value: ""
117 | 
118 |   - name: exempt_rds
119 |     description: "List of RDS DB identifiers exempted from inspection"
120 |     type: Array
121 |     value: []
122 | 
123 |   - name: single_rds
124 |     description: "Name of the single RDS instance you want to be inspected"
125 |     type: String
126 |     value: ""
127 | 
128 |   - name: skip_stopped_ec2s
129 |     description: "Ignore non-running ec2s durning verification"
130 |     type: Boolean
131 |     value: false
132 |   
133 |   - name: exempt_security_groups
134 |     description: "List of security groups exempted from inspection"
135 |     type: Array
136 |     value: []
137 | 
138 |   - name: exempt_sg_patterns
139 |     description: "An array of ruby regex patterns to exempt from evaluation"
140 |     type: Array
141 |     value: []
142 | 
143 |   - name: service_account_mfa_exceptions
144 |     description: "List of service accounts from the MFA requirement"
145 |     type: Array
146 |     value: []
147 | 
148 |   - name: single_trail
149 |     description: "Name of the single CloudTrail you want to be inspected"
150 |     type: String
151 |     value: ""
152 | 
153 |   - name: exempt_acl_ids
154 |     description: "IDs of network ACLs to exempt from evaluation"
155 |     type: Array
156 |     value: []
157 | 
158 |   - name: remote_management_port_ranges
159 |     description: "Port ranges used in the environment for remote access management (can be given as a single integer or as a Ruby range with double-period syntax, ex 1..1024)"
160 |     type: Array
161 |     value:
162 |       - 22
163 |       - 3389
164 | 
165 |   - name: remote_management_protocols
166 |     description: "Protocols used in the environment for remote access management (note AWS parses '-1' as 'all')"
167 |     type: Array
168 |     value:
169 |       - 6
170 |       - 17
171 |       - -1
172 | 
173 |   - name: config_delivery_channels
174 |     description: "Config service settings"
175 |     type: Hash
176 |     value:
177 |       us-east-1:
178 |         s3_bucket_name: ""
179 |         sns_topic_arn: ""
180 |       us-east-2:
181 |         s3_bucket_name: ""
182 |         sns_topic_arn: ""
183 |       us-west-1:
184 |         s3_bucket_name: ""
185 |         sns_topic_arn: ""
186 |       us-west-2:
187 |         s3_bucket_name: ""
188 |         sns_topic_arn: ""
189 | 
190 |   - name: primary_contact
191 |     description: "Primary Account contact information"
192 |     type: Hash
193 |     sensitive: true
194 |     value:
195 |       email_address: "me@you.com"
196 |       phone_number: "555-557-6309"
197 | 
198 |   - name: security_contact
199 |     description: "Account security contact information"
200 |     type: Hash
201 |     sensitive: true
202 |     value:
203 |       phone_number: "555-857-6309"
204 |       email_address: "me@you.com"
205 | 
206 |   - name: last_root_login_date
207 |     description: "(19700101) Last date that root account should have logged in."
208 |     type: numeric
209 |     value: 20231209
210 | 
211 |   - name: third_party_data_management_tool
212 |     description: "Name of the data management tool other than Amazon Macie"
213 |     type: String
214 |     value: ""
215 | 
216 |   - name: third_party_api_monitoring_tool
217 |     description: "Name of the API call monitoring tool other than AWS CloudTrail/AWS CloudWatch"
218 |     type: String
219 |     value: ""
220 | 


--------------------------------------------------------------------------------
/other.inputs.yml:
--------------------------------------------------------------------------------
1 | ---
2 | disable_slow_controls: false
3 | exempt_vpcs: []
4 | exempt_rds: []
5 | 


--------------------------------------------------------------------------------
/other.threshold.yml:
--------------------------------------------------------------------------------
1 | ---
2 | error:
3 |   total: 0
4 | compliance:
5 |   min: 10
6 | 


--------------------------------------------------------------------------------
/utils/5.3-aws-cli.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This uses the aws cli to test requirement 5.3 and simular styles
 4 | 
 5 | for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
 6 |   for port in 22 3389; do
 7 |     for groupId in $(aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text); do
 8 |       echo "Region: $region Port: $port GroupId: $groupId"
 9 |     done
10 |   done
11 | done
12 | 


--------------------------------------------------------------------------------
/utils/inactive-iam-users.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | last_sunday () {
 4 |   date -v-sunday +'%Y-%m-%d';
 5 | }
 6 | 
 7 | for user in $(aws iam list-users --query 'Users[?(CreateDate <= `$last_sunday` && (PasswordLastUsed <= `2021-12-26`) || !not_null(PasswordLastUsed))].UserName' --output text); do
 8 |     for access_key in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do if [[ "$(aws iam get-access-key-last-used --access-key-id "$access_key" --query 'AccessKeyLastUsed.LastUsedDate >= `2022-02-09`' --output text)" == True ]]; then continue 2; fi; done
 9 |     echo "$user"
10 | done
11 | 


--------------------------------------------------------------------------------