From cd41766e228033cdae8e16b51581b8b8a909cca4 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 29 Mar 2018 10:36:46 -0400 Subject: [PATCH] added checkid to every check and group title --- LIST_OF_CHECKS_AND_GROUPS.md | 392 +++++++++++++++++------------------ checks/check11 | 2 +- checks/check110 | 2 +- checks/check111 | 2 +- checks/check112 | 2 +- checks/check113 | 2 +- checks/check114 | 2 +- checks/check115 | 2 +- checks/check116 | 2 +- checks/check117 | 2 +- checks/check118 | 2 +- checks/check119 | 2 +- checks/check12 | 2 +- checks/check120 | 2 +- checks/check121 | 2 +- checks/check122 | 2 +- checks/check123 | 2 +- checks/check124 | 2 +- checks/check13 | 2 +- checks/check14 | 2 +- checks/check15 | 2 +- checks/check16 | 2 +- checks/check17 | 2 +- checks/check18 | 2 +- checks/check19 | 2 +- checks/check21 | 2 +- checks/check22 | 2 +- checks/check23 | 2 +- checks/check24 | 2 +- checks/check25 | 2 +- checks/check26 | 2 +- checks/check27 | 2 +- checks/check28 | 2 +- checks/check31 | 2 +- checks/check310 | 2 +- checks/check311 | 2 +- checks/check312 | 2 +- checks/check313 | 2 +- checks/check314 | 2 +- checks/check315 | 2 +- checks/check32 | 2 +- checks/check33 | 2 +- checks/check34 | 2 +- checks/check35 | 2 +- checks/check36 | 2 +- checks/check37 | 2 +- checks/check38 | 2 +- checks/check39 | 2 +- checks/check41 | 2 +- checks/check42 | 2 +- checks/check43 | 2 +- checks/check44 | 2 +- checks/check45 | 2 +- checks/check_extra71 | 2 +- checks/check_extra710 | 2 +- checks/check_extra711 | 2 +- checks/check_extra712 | 2 +- checks/check_extra713 | 2 +- checks/check_extra714 | 2 +- checks/check_extra715 | 2 +- checks/check_extra716 | 2 +- checks/check_extra717 | 2 +- checks/check_extra718 | 2 +- checks/check_extra719 | 2 +- checks/check_extra72 | 2 +- checks/check_extra720 | 2 +- checks/check_extra721 | 2 +- checks/check_extra722 | 2 +- checks/check_extra723 | 2 +- checks/check_extra724 | 2 +- checks/check_extra725 | 46 ++++ checks/check_extra726 | 48 +++++ checks/check_extra73 | 2 +- checks/check_extra74 | 2 +- checks/check_extra75 | 2 +- checks/check_extra76 | 2 +- checks/check_extra77 | 2 +- checks/check_extra78 | 2 +- checks/check_extra79 | 2 +- checks/check_sample | 2 +- groups/group1_iam | 2 +- groups/group2_logging | 2 +- groups/group3_monitoring | 2 +- groups/group4_networking | 2 +- groups/group5_cislevel1 | 2 +- groups/group6_cislevel2 | 2 +- groups/group7_extras | 2 +- groups/group8_forensics | 2 +- groups/group9_gdpr | 2 +- groups/groupN_sample | 4 +- 90 files changed, 378 insertions(+), 284 deletions(-) create mode 100644 checks/check_extra725 create mode 100644 checks/check_extra726 diff --git a/LIST_OF_CHECKS_AND_GROUPS.md b/LIST_OF_CHECKS_AND_GROUPS.md index 893bf802..03a9f6f6 100644 --- a/LIST_OF_CHECKS_AND_GROUPS.md +++ b/LIST_OF_CHECKS_AND_GROUPS.md @@ -1,399 +1,399 @@ -``` _ +``` + _ _ __ _ __ _____ _| | ___ _ __ | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| | |_) | | | (_) \ V V /| | __/ | | .__/|_| \___/ \_/\_/ |_|\___|_|v2.0 |_| the handy cloud security tool -Date: Tue Mar 27 18:38:53 EDT 2018 +Date: Thu Mar 29 10:35:09 EDT 2018 Colors code for results: INFO (Information), PASS (Recommended value), FAIL (Fix required) -1.0 (group1) Identity and Access Management **************************************** +1.0 Identity and Access Management - [group1] ********************** -1.1 Avoid the use of the root account (Scored) +1.1 [check11] Avoid the use of the root account (Scored) -1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) +1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) -1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) +1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored) -1.4 Ensure access keys are rotated every 90 days or less (Scored) +1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored) -1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) +1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored) -1.6 Ensure IAM password policy require at least one lowercase letter (Scored) +1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored) -1.7 Ensure IAM password policy require at least one symbol (Scored) +1.7 [check17] Ensure IAM password policy require at least one symbol (Scored) -1.8 Ensure IAM password policy require at least one number (Scored) +1.8 [check18] Ensure IAM password policy require at least one number (Scored) -1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) +1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored) -1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) +1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored) -1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) +1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored) -1.12 Ensure no root account access key exists (Scored) +1.12 [check112] Ensure no root account access key exists (Scored) -1.13 Ensure MFA is enabled for the root account (Scored) +1.13 [check113] Ensure MFA is enabled for the root account (Scored) -1.14 Ensure hardware MFA is enabled for the root account (Scored) +1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored) -1.15 Ensure security questions are registered in the AWS account (Not Scored) +1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored) -1.16 Ensure IAM policies are attached only to groups or roles (Scored) +1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored) -1.17 Enable detailed billing (Scored) +1.17 [check117] Enable detailed billing (Scored) -1.18 Ensure IAM Master and IAM Manager roles are active (Scored) +1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored) -1.19 Maintain current contact details (Scored) +1.19 [check119] Maintain current contact details (Scored) -1.20 Ensure security contact information is registered (Scored) +1.20 [check120] Ensure security contact information is registered (Scored) -1.21 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) +1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) -1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) +1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored) -1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) +1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) -1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) +1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) -2.0 (group2) Logging *************************************************************** +2.0 Logging - [group2] ********************************************* -2.1 Ensure CloudTrail is enabled in all regions (Scored) +2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored) -2.2 Ensure CloudTrail log file validation is enabled (Scored) +2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored) -2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) +2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) -2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) +2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) -2.5 Ensure AWS Config is enabled in all regions (Scored) +2.5 [check25] Ensure AWS Config is enabled in all regions (Scored) -2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) +2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) -2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) +2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) -2.8 Ensure rotation for customer created CMKs is enabled (Scored) +2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored) -3.0 (group3) Monitoring ************************************************************ +3.0 Monitoring - [group3] ****************************************** -3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) +3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) -3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) +3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) -3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) +3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored) -3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) +3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored) -3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) +3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) -3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) +3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) -3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) +3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) -3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) +3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) -3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) +3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) -3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) +3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored) -3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) +3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) -3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) +3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored) -3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) +3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored) -3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) +3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored) -3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) +3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored) -4.0 (group4) Networking ************************************************************ +4.0 Networking - [group4] ****************************************** -4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) +4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) -4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) +4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) -4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) +4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored) -4.4 Ensure the default security group of every VPC restricts all traffic (Scored) +4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored) -4.5 Ensure routing tables for VPC peering are "least access" (Not Scored) +4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored) -5.0 (cislevel1) CIS Level 1 ********************************************************** +5.0 CIS Level 1 - [cislevel1] ************************************** -1.1 Avoid the use of the root account (Scored) +1.1 [check11] Avoid the use of the root account (Scored) -1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) +1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) -1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) +1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored) -1.4 Ensure access keys are rotated every 90 days or less (Scored) +1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored) -1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) +1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored) -1.6 Ensure IAM password policy require at least one lowercase letter (Scored) +1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored) -1.7 Ensure IAM password policy require at least one symbol (Scored) +1.7 [check17] Ensure IAM password policy require at least one symbol (Scored) -1.8 Ensure IAM password policy require at least one number (Scored) +1.8 [check18] Ensure IAM password policy require at least one number (Scored) -1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) +1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored) -1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) +1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored) -1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) +1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored) -1.12 Ensure no root account access key exists (Scored) +1.12 [check112] Ensure no root account access key exists (Scored) -1.13 Ensure MFA is enabled for the root account (Scored) +1.13 [check113] Ensure MFA is enabled for the root account (Scored) -1.15 Ensure security questions are registered in the AWS account (Not Scored) +1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored) -1.16 Ensure IAM policies are attached only to groups or roles (Scored) +1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored) -1.17 Enable detailed billing (Scored) +1.17 [check117] Enable detailed billing (Scored) -1.18 Ensure IAM Master and IAM Manager roles are active (Scored) +1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored) -1.19 Maintain current contact details (Scored) +1.19 [check119] Maintain current contact details (Scored) -1.20 Ensure security contact information is registered (Scored) +1.20 [check120] Ensure security contact information is registered (Scored) -1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) +1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored) -1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) +1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) -1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) +1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) -2.1 Ensure CloudTrail is enabled in all regions (Scored) +2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored) -2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) +2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) -2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) +2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) -2.5 Ensure AWS Config is enabled in all regions (Scored) +2.5 [check25] Ensure AWS Config is enabled in all regions (Scored) -2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) +2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) -3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) +3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) -3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) +3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) -3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) +3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored) -3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) +3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored) -3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) +3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) -3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) +3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) -3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) +3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored) -3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) +3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored) -3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) +3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored) -3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) +3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored) -4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) +4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) -4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) +4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) -6.0 (cislevel2) CIS Level 2 ********************************************************** +6.0 CIS Level 2 - [cislevel2] ************************************** -1.1 Avoid the use of the root account (Scored) +1.1 [check11] Avoid the use of the root account (Scored) -1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) +1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) -1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) +1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored) -1.4 Ensure access keys are rotated every 90 days or less (Scored) +1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored) -1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) +1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored) -1.6 Ensure IAM password policy require at least one lowercase letter (Scored) +1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored) -1.7 Ensure IAM password policy require at least one symbol (Scored) +1.7 [check17] Ensure IAM password policy require at least one symbol (Scored) -1.8 Ensure IAM password policy require at least one number (Scored) +1.8 [check18] Ensure IAM password policy require at least one number (Scored) -1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) +1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored) -1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) +1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored) -1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) +1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored) -1.12 Ensure no root account access key exists (Scored) +1.12 [check112] Ensure no root account access key exists (Scored) -1.13 Ensure MFA is enabled for the root account (Scored) +1.13 [check113] Ensure MFA is enabled for the root account (Scored) -1.14 Ensure hardware MFA is enabled for the root account (Scored) +1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored) -1.15 Ensure security questions are registered in the AWS account (Not Scored) +1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored) -1.16 Ensure IAM policies are attached only to groups or roles (Scored) +1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored) -1.17 Enable detailed billing (Scored) +1.17 [check117] Enable detailed billing (Scored) -1.18 Ensure IAM Master and IAM Manager roles are active (Scored) +1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored) -1.19 Maintain current contact details (Scored) +1.19 [check119] Maintain current contact details (Scored) -1.20 Ensure security contact information is registered (Scored) +1.20 [check120] Ensure security contact information is registered (Scored) -1.21 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) +1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) -1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) +1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored) -1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) +1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) -1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) +1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) -2.1 Ensure CloudTrail is enabled in all regions (Scored) +2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored) -2.2 Ensure CloudTrail log file validation is enabled (Scored) +2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored) -2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) +2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) -2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) +2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) -2.5 Ensure AWS Config is enabled in all regions (Scored) +2.5 [check25] Ensure AWS Config is enabled in all regions (Scored) -2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) +2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) -2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) +2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) -2.8 Ensure rotation for customer created CMKs is enabled (Scored) +2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored) -3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) +3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) -3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) +3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) -3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) +3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored) -3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) +3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored) -3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) +3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) -3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) +3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) -3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) +3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) -3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) +3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) -3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) +3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) -3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) +3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored) -3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) +3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) -3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) +3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored) -3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) +3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored) -3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) +3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored) -3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) +3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored) -4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) +4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) -4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) +4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) -4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) +4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored) -4.4 Ensure the default security group of every VPC restricts all traffic (Scored) +4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored) -4.5 Ensure routing tables for VPC peering are "least access" (Not Scored) +4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored) -7.0 (extras) Extras **************************************************************** +7.0 Extras - [extras] ********************************************** -7.1 Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) +7.1 [extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) -7.2 Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) +7.2 [extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) -7.3 Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark) +7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark) -7.4 Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark) +7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark) -7.5 Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark) +7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark) -7.6 Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) +7.6 [extra75] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) -7.7 Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) +7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) -7.8 Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) +7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) -7.9 Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) +7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) -7.10 Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) +7.10 [extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) -7.11 Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) +7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) -7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) +7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) -7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) +7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) -7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) +7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) -7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) +7.15 [extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) -7.16 Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) +7.16 [extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) -7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) +7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) -7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) +7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) -7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) +7.19 [extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) -7.20 Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) +7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) -7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) +7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) -7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) +7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) -7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) +7.23 [extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) -8.0 (forensics-ready) Forensics Readiness *************************************************** +7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark) -2.1 Ensure CloudTrail is enabled in all regions (Scored) +8.0 Forensics Readiness - [forensics-ready] ************************ -2.2 Ensure CloudTrail log file validation is enabled (Scored) +2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored) -2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) +2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored) -2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) +2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) -2.5 Ensure AWS Config is enabled in all regions (Scored) +2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) -2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) +2.5 [check25] Ensure AWS Config is enabled in all regions (Scored) -2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) +2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) -4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) +2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) -7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) +4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored) -7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) +7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) -7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) +7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) -7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) +7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) -7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) +7.15 [extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) -7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) +7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) -7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) +7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) -7.20 Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) +7.19 [extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) -7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) +7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) -7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) +7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) -7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) +7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) -7.24 Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark) ``` diff --git a/checks/check11 b/checks/check11 index 4db61633..751b981e 100644 --- a/checks/check11 +++ b/checks/check11 @@ -1,5 +1,5 @@ CHECK_ID_check11="1.1,1.01" -CHECK_TITLE_check11="Avoid the use of the root account (Scored)" +CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)" CHECK_SCORED_check11="SCORED" CHECK_ALTERNATE_check101="check11" diff --git a/checks/check110 b/checks/check110 index 4aada2f0..0432aa62 100644 --- a/checks/check110 +++ b/checks/check110 @@ -1,5 +1,5 @@ CHECK_ID_check110="1.10" -CHECK_TITLE_check110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" +CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" CHECK_SCORED_check110="SCORED" CHECK_ALTERNATE_check110="check110" diff --git a/checks/check111 b/checks/check111 index 5ff5845f..9ef36c23 100644 --- a/checks/check111 +++ b/checks/check111 @@ -1,5 +1,5 @@ CHECK_ID_check111="1.11" -CHECK_TITLE_check111="Ensure IAM password policy expires passwords within 90 days or less (Scored)" +CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)" CHECK_SCORED_check111="SCORED" CHECK_ALTERNATE_check111="check111" diff --git a/checks/check112 b/checks/check112 index 3d79f6e0..61155980 100644 --- a/checks/check112 +++ b/checks/check112 @@ -1,5 +1,5 @@ CHECK_ID_check112="1.12" -CHECK_TITLE_check112="Ensure no root account access key exists (Scored)" +CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)" CHECK_SCORED_check112="SCORED" CHECK_ALTERNATE_check112="check112" diff --git a/checks/check113 b/checks/check113 index 46aaf4a5..5b52c77c 100644 --- a/checks/check113 +++ b/checks/check113 @@ -1,5 +1,5 @@ CHECK_ID_check113="1.13" -CHECK_TITLE_check113="Ensure MFA is enabled for the root account (Scored)" +CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)" CHECK_SCORED_check113="SCORED" CHECK_ALTERNATE_check113="check113" diff --git a/checks/check114 b/checks/check114 index d98371be..c6a81a6a 100644 --- a/checks/check114 +++ b/checks/check114 @@ -1,5 +1,5 @@ CHECK_ID_check114="1.14" -CHECK_TITLE_check114="Ensure hardware MFA is enabled for the root account (Scored)" +CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)" CHECK_SCORED_check114="SCORED" CHECK_ALTERNATE_check114="check114" diff --git a/checks/check115 b/checks/check115 index 19a5c2a9..41b78915 100644 --- a/checks/check115 +++ b/checks/check115 @@ -1,5 +1,5 @@ CHECK_ID_check115="1.15" -CHECK_TITLE_check115="Ensure security questions are registered in the AWS account (Not Scored)" +CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)" CHECK_SCORED_check115="SCORED" CHECK_ALTERNATE_check115="check115" diff --git a/checks/check116 b/checks/check116 index 0534903f..b8dbde01 100644 --- a/checks/check116 +++ b/checks/check116 @@ -1,5 +1,5 @@ CHECK_ID_check116="1.16" -CHECK_TITLE_check116="Ensure IAM policies are attached only to groups or roles (Scored)" +CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)" CHECK_SCORED_check116="SCORED" CHECK_ALTERNATE_check116="check116" diff --git a/checks/check117 b/checks/check117 index 49818cc8..bace6575 100644 --- a/checks/check117 +++ b/checks/check117 @@ -1,5 +1,5 @@ CHECK_ID_check117="1.17" -CHECK_TITLE_check117="Enable detailed billing (Scored)" +CHECK_TITLE_check117="[check117] Enable detailed billing (Scored)" CHECK_SCORED_check117="SCORED" CHECK_ALTERNATE_check117="check117" diff --git a/checks/check118 b/checks/check118 index 62961ce0..abe009ee 100644 --- a/checks/check118 +++ b/checks/check118 @@ -1,5 +1,5 @@ CHECK_ID_check118="1.18" -CHECK_TITLE_check118="Ensure IAM Master and IAM Manager roles are active (Scored)" +CHECK_TITLE_check118="[check118] Ensure IAM Master and IAM Manager roles are active (Scored)" CHECK_SCORED_check118="SCORED" CHECK_ALTERNATE_check118="check118" diff --git a/checks/check119 b/checks/check119 index 66c70b6a..f0ec82e1 100644 --- a/checks/check119 +++ b/checks/check119 @@ -1,5 +1,5 @@ CHECK_ID_check119="1.19" -CHECK_TITLE_check119="Maintain current contact details (Scored)" +CHECK_TITLE_check119="[check119] Maintain current contact details (Scored)" CHECK_SCORED_check119="SCORED" CHECK_ALTERNATE_check119="check119" diff --git a/checks/check12 b/checks/check12 index ad88e9b9..3fd8e24f 100644 --- a/checks/check12 +++ b/checks/check12 @@ -1,5 +1,5 @@ CHECK_ID_check12="1.2,1.02" -CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" +CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" CHECK_SCORED_check12="SCORED" CHECK_ALTERNATE_check102="check12" diff --git a/checks/check120 b/checks/check120 index 5a0c4625..ba15cd21 100644 --- a/checks/check120 +++ b/checks/check120 @@ -1,5 +1,5 @@ CHECK_ID_check120="1.20" -CHECK_TITLE_check120="Ensure security contact information is registered (Scored)" +CHECK_TITLE_check120="[check120] Ensure security contact information is registered (Scored)" CHECK_SCORED_check120="SCORED" CHECK_ALTERNATE_check120="check120" diff --git a/checks/check121 b/checks/check121 index 581affca..01b4014e 100644 --- a/checks/check121 +++ b/checks/check121 @@ -1,5 +1,5 @@ CHECK_ID_check121="1.21" -CHECK_TITLE_check121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" +CHECK_TITLE_check121="[check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" CHECK_SCORED_check121="NOT_SCORED" CHECK_ALTERNATE_check121="check121" diff --git a/checks/check122 b/checks/check122 index 52f9b3b5..3c898a16 100644 --- a/checks/check122 +++ b/checks/check122 @@ -1,5 +1,5 @@ CHECK_ID_check122="1.22" -CHECK_TITLE_check122="Ensure a support role has been created to manage incidents with AWS Support (Scored)" +CHECK_TITLE_check122="[check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)" CHECK_SCORED_check122="SCORED" CHECK_ALTERNATE_check122="check122" diff --git a/checks/check123 b/checks/check123 index 766df866..fa60d819 100644 --- a/checks/check123 +++ b/checks/check123 @@ -1,5 +1,5 @@ CHECK_ID_check123="1.23" -CHECK_TITLE_check123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" +CHECK_TITLE_check123="[check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" CHECK_SCORED_check123="NOT_SCORED" CHECK_ALTERNATE_check123="check123" diff --git a/checks/check124 b/checks/check124 index 03bbb44a..f9ca3943 100644 --- a/checks/check124 +++ b/checks/check124 @@ -1,5 +1,5 @@ CHECK_ID_check124="1.24" -CHECK_TITLE_check124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" +CHECK_TITLE_check124="[check124] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" CHECK_SCORED_check124="SCORED" CHECK_ALTERNATE_check124="check124" diff --git a/checks/check13 b/checks/check13 index a515ebc9..c52a2480 100644 --- a/checks/check13 +++ b/checks/check13 @@ -1,5 +1,5 @@ CHECK_ID_check13="1.3,1.03" -CHECK_TITLE_check13="Ensure credentials unused for 90 days or greater are disabled (Scored)" +CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)" CHECK_SCORED_check13="SCORED" CHECK_ALTERNATE_check103="check13" diff --git a/checks/check14 b/checks/check14 index d3cb2798..ab1b823c 100644 --- a/checks/check14 +++ b/checks/check14 @@ -1,5 +1,5 @@ CHECK_ID_check14="1.4,1.04" -CHECK_TITLE_check14="Ensure access keys are rotated every 90 days or less (Scored)" +CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)" CHECK_SCORED_check14="SCORED" CHECK_ALTERNATE_check104="check14" diff --git a/checks/check15 b/checks/check15 index d9172d92..998ed698 100644 --- a/checks/check15 +++ b/checks/check15 @@ -1,5 +1,5 @@ CHECK_ID_check15="1.5,1.05" -CHECK_TITLE_check15="Ensure IAM password policy requires at least one uppercase letter (Scored)" +CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)" CHECK_SCORED_check15="SCORED" CHECK_ALTERNATE_check105="check15" diff --git a/checks/check16 b/checks/check16 index f940a89d..04cb5d89 100644 --- a/checks/check16 +++ b/checks/check16 @@ -1,5 +1,5 @@ CHECK_ID_check16="1.6,1.06" -CHECK_TITLE_check16="Ensure IAM password policy require at least one lowercase letter (Scored)" +CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)" CHECK_SCORED_check16="SCORED" CHECK_ALTERNATE_check106="check16" diff --git a/checks/check17 b/checks/check17 index df54d702..b4dab411 100644 --- a/checks/check17 +++ b/checks/check17 @@ -1,5 +1,5 @@ CHECK_ID_check17="1.7,1.07" -CHECK_TITLE_check17="Ensure IAM password policy require at least one symbol (Scored)" +CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)" CHECK_SCORED_check17="SCORED" CHECK_ALTERNATE_check107="check17" diff --git a/checks/check18 b/checks/check18 index 279c5e09..4378ea88 100644 --- a/checks/check18 +++ b/checks/check18 @@ -1,5 +1,5 @@ CHECK_ID_check18="1.8,1.08" -CHECK_TITLE_check18="Ensure IAM password policy require at least one number (Scored)" +CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)" CHECK_SCORED_check18="SCORED" CHECK_ALTERNATE_check18="check18" diff --git a/checks/check19 b/checks/check19 index 876babdd..b367556c 100644 --- a/checks/check19 +++ b/checks/check19 @@ -1,5 +1,5 @@ CHECK_ID_check19="1.9,1.09" -CHECK_TITLE_check19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)" +CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)" CHECK_SCORED_check19="SCORED" CHECK_ALTERNATE_check109="check19" diff --git a/checks/check21 b/checks/check21 index f7d4f9df..56bc5fd0 100644 --- a/checks/check21 +++ b/checks/check21 @@ -1,5 +1,5 @@ CHECK_ID_check21="2.1,2.01" -CHECK_TITLE_check21="Ensure CloudTrail is enabled in all regions (Scored)" +CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)" CHECK_SCORED_check21="SCORED" CHECK_ALTERNATE_check201="check21" diff --git a/checks/check22 b/checks/check22 index 8c329a8b..0506228c 100644 --- a/checks/check22 +++ b/checks/check22 @@ -1,5 +1,5 @@ CHECK_ID_check22="2.2,2.02" -CHECK_TITLE_check22="Ensure CloudTrail log file validation is enabled (Scored)" +CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)" CHECK_SCORED_check22="SCORED" CHECK_ALTERNATE_check202="check22" diff --git a/checks/check23 b/checks/check23 index e3b0da34..f7cea4e7 100644 --- a/checks/check23 +++ b/checks/check23 @@ -1,5 +1,5 @@ CHECK_ID_check23="2.3,2.03" -CHECK_TITLE_check23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" +CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" CHECK_SCORED_check23="SCORED" CHECK_ALTERNATE_check203="check23" diff --git a/checks/check24 b/checks/check24 index 36c1f123..84decf74 100644 --- a/checks/check24 +++ b/checks/check24 @@ -1,5 +1,5 @@ CHECK_ID_check24="2.4,2.04" -CHECK_TITLE_check24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" +CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" CHECK_SCORED_check24="SCORED" CHECK_ALTERNATE_check204="check24" diff --git a/checks/check25 b/checks/check25 index fb5e3551..2544ef16 100644 --- a/checks/check25 +++ b/checks/check25 @@ -1,5 +1,5 @@ CHECK_ID_check25="2.5,2.05" -CHECK_TITLE_check25="Ensure AWS Config is enabled in all regions (Scored)" +CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)" CHECK_SCORED_check25="SCORED" CHECK_ALTERNATE_check205="check25" diff --git a/checks/check26 b/checks/check26 index 9d73568e..dc9d3b39 100644 --- a/checks/check26 +++ b/checks/check26 @@ -1,5 +1,5 @@ CHECK_ID_check26="2.6,2.06" -CHECK_TITLE_check26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" +CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" CHECK_SCORED_check26="SCORED" CHECK_ALTERNATE_check206="check26" diff --git a/checks/check27 b/checks/check27 index 0e9654a0..06036a0d 100644 --- a/checks/check27 +++ b/checks/check27 @@ -1,5 +1,5 @@ CHECK_ID_check27="2.7,2.07" -CHECK_TITLE_check27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" +CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" CHECK_SCORED_check27="SCORED" CHECK_ALTERNATE_check207="check27" diff --git a/checks/check28 b/checks/check28 index 172bc100..3784a8b1 100644 --- a/checks/check28 +++ b/checks/check28 @@ -1,5 +1,5 @@ CHECK_ID_check28="2.8,2.08" -CHECK_TITLE_check28="Ensure rotation for customer created CMKs is enabled (Scored)" +CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)" CHECK_SCORED_check28="SCORED" CHECK_ALTERNATE_check208="check28" diff --git a/checks/check31 b/checks/check31 index 09d7ef1b..f3a92e62 100644 --- a/checks/check31 +++ b/checks/check31 @@ -1,5 +1,5 @@ CHECK_ID_check31="3.1,3.01" -CHECK_TITLE_check31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)" +CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)" CHECK_SCORED_check31="SCORED" CHECK_ALTERNATE_check301="check31" diff --git a/checks/check310 b/checks/check310 index 7e43cd31..70c0cf28 100644 --- a/checks/check310 +++ b/checks/check310 @@ -1,5 +1,5 @@ CHECK_ID_check310="3.10" -CHECK_TITLE_check310="Ensure a log metric filter and alarm exist for security group changes (Scored)" +CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)" CHECK_SCORED_check310="SCORED" CHECK_ALTERNATE_check310="check310" diff --git a/checks/check311 b/checks/check311 index b7a5ea91..e6744e02 100644 --- a/checks/check311 +++ b/checks/check311 @@ -1,5 +1,5 @@ CHECK_ID_check311="3.11" -CHECK_TITLE_check311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)" +CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)" CHECK_SCORED_check311="SCORED" CHECK_ALTERNATE_check311="check311" diff --git a/checks/check312 b/checks/check312 index 32e3c33e..6c0a0706 100644 --- a/checks/check312 +++ b/checks/check312 @@ -1,5 +1,5 @@ CHECK_ID_check312="3.12" -CHECK_TITLE_check312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)" +CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)" CHECK_SCORED_check312="SCORED" CHECK_ALTERNATE_check312="check312" diff --git a/checks/check313 b/checks/check313 index 1c25be02..54ebef55 100644 --- a/checks/check313 +++ b/checks/check313 @@ -1,5 +1,5 @@ CHECK_ID_check313="3.13" -CHECK_TITLE_check313="Ensure a log metric filter and alarm exist for route table changes (Scored)" +CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)" CHECK_SCORED_check313="SCORED" CHECK_ALTERNATE_check313="check313" diff --git a/checks/check314 b/checks/check314 index 87d67b41..e78aecb4 100644 --- a/checks/check314 +++ b/checks/check314 @@ -1,5 +1,5 @@ CHECK_ID_check314="3.14" -CHECK_TITLE_check314="Ensure a log metric filter and alarm exist for VPC changes (Scored)" +CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)" CHECK_SCORED_check314="SCORED" CHECK_ALTERNATE_check314="check314" diff --git a/checks/check315 b/checks/check315 index 2598fd83..df9c8ceb 100644 --- a/checks/check315 +++ b/checks/check315 @@ -1,5 +1,5 @@ CHECK_ID_check315="3.15" -CHECK_TITLE_check315="Ensure appropriate subscribers to each SNS topic (Not Scored)" +CHECK_TITLE_check315="[check315] Ensure appropriate subscribers to each SNS topic (Not Scored)" CHECK_SCORED_check315="SCORED" CHECK_ALTERNATE_check315="check315" diff --git a/checks/check32 b/checks/check32 index 516eefd0..35ceeb6d 100644 --- a/checks/check32 +++ b/checks/check32 @@ -1,5 +1,5 @@ CHECK_ID_check32="3.2,3.02" -CHECK_TITLE_check32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)" +CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)" CHECK_SCORED_check32="SCORED" CHECK_ALTERNATE_check302="check32" diff --git a/checks/check33 b/checks/check33 index 9dc3ed94..cb09c9bb 100644 --- a/checks/check33 +++ b/checks/check33 @@ -1,5 +1,5 @@ CHECK_ID_check33="3.3,3.03" -CHECK_TITLE_check33="Ensure a log metric filter and alarm exist for usage of root account (Scored)" +CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)" CHECK_SCORED_check33="SCORED" CHECK_ALTERNATE_check303="check33" diff --git a/checks/check34 b/checks/check34 index 83c5cbb6..c5a53224 100644 --- a/checks/check34 +++ b/checks/check34 @@ -1,5 +1,5 @@ CHECK_ID_check34="3.4,3.04" -CHECK_TITLE_check34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)" +CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)" CHECK_SCORED_check34="SCORED" CHECK_ALTERNATE_check304="check34" diff --git a/checks/check35 b/checks/check35 index 50fd2889..a91679ab 100644 --- a/checks/check35 +++ b/checks/check35 @@ -1,5 +1,5 @@ CHECK_ID_check35="3.5,3.05" -CHECK_TITLE_check35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)" +CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)" CHECK_SCORED_check35="SCORED" CHECK_ALTERNATE_check305="check35" diff --git a/checks/check36 b/checks/check36 index 54e320f7..a32dc102 100644 --- a/checks/check36 +++ b/checks/check36 @@ -1,5 +1,5 @@ CHECK_ID_check36="3.6,3.06" -CHECK_TITLE_check36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)" +CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)" CHECK_SCORED_check36="SCORED" CHECK_ALTERNATE_check306="check36" diff --git a/checks/check37 b/checks/check37 index 01147afd..36f00481 100644 --- a/checks/check37 +++ b/checks/check37 @@ -1,5 +1,5 @@ CHECK_ID_check37="3.7,3.07" -CHECK_TITLE_check37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" +CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" CHECK_SCORED_check37="SCORED" CHECK_ALTERNATE_check307="check37" diff --git a/checks/check38 b/checks/check38 index 9ddfa902..87783438 100644 --- a/checks/check38 +++ b/checks/check38 @@ -1,5 +1,5 @@ CHECK_ID_check38="3.8,3.08" -CHECK_TITLE_check38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)" +CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)" CHECK_SCORED_check38="SCORED" CHECK_ALTERNATE_check308="check38" diff --git a/checks/check39 b/checks/check39 index 3aa14527..deb7714c 100644 --- a/checks/check39 +++ b/checks/check39 @@ -1,5 +1,5 @@ CHECK_ID_check39="3.9,3.09" -CHECK_TITLE_check39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)" +CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)" CHECK_SCORED_check39="SCORED" CHECK_ALTERNATE_check309="check39" diff --git a/checks/check41 b/checks/check41 index d63ae4de..74d986d7 100644 --- a/checks/check41 +++ b/checks/check41 @@ -1,5 +1,5 @@ CHECK_ID_check41="4.1,4.01" -CHECK_TITLE_check41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)" +CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)" CHECK_SCORED_check41="SCORED" CHECK_ALTERNATE_check401="check41" diff --git a/checks/check42 b/checks/check42 index 6db241f4..31e9f789 100644 --- a/checks/check42 +++ b/checks/check42 @@ -1,5 +1,5 @@ CHECK_ID_check42="4.2,4.02" -CHECK_TITLE_check42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)" +CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)" CHECK_SCORED_check42="SCORED" CHECK_ALTERNATE_check402="check42" diff --git a/checks/check43 b/checks/check43 index 1da367d7..257442db 100644 --- a/checks/check43 +++ b/checks/check43 @@ -1,5 +1,5 @@ CHECK_ID_check43="4.3,4.03" -CHECK_TITLE_check43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" +CHECK_TITLE_check43="[check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" CHECK_SCORED_check43="SCORED" CHECK_ALTERNATE_check403="check43" diff --git a/checks/check44 b/checks/check44 index 0d1e3bbe..4b0d3478 100644 --- a/checks/check44 +++ b/checks/check44 @@ -1,5 +1,5 @@ CHECK_ID_check44="4.4,4.04" -CHECK_TITLE_check44="Ensure the default security group of every VPC restricts all traffic (Scored)" +CHECK_TITLE_check44="[check44] Ensure the default security group of every VPC restricts all traffic (Scored)" CHECK_SCORED_check44="SCORED" CHECK_ALTERNATE_check404="check44" diff --git a/checks/check45 b/checks/check45 index 5776a6b0..4e01e6c9 100644 --- a/checks/check45 +++ b/checks/check45 @@ -1,5 +1,5 @@ CHECK_ID_check45="4.5,4.05" -CHECK_TITLE_check45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)" +CHECK_TITLE_check45="[check45] Ensure routing tables for VPC peering are \"least access\" (Not Scored)" CHECK_SCORED_check45="NOT_SCORED" CHECK_ALTERNATE_check405="check45" diff --git a/checks/check_extra71 b/checks/check_extra71 index 0cb0632c..25e60788 100644 --- a/checks/check_extra71 +++ b/checks/check_extra71 @@ -1,5 +1,5 @@ CHECK_ID_extra71="7.1,7.01" -CHECK_TITLE_extra71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra71="[extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra71="NOT_SCORED" CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_check71="extra71" diff --git a/checks/check_extra710 b/checks/check_extra710 index a30bf720..940324bb 100644 --- a/checks/check_extra710 +++ b/checks/check_extra710 @@ -1,5 +1,5 @@ CHECK_ID_extra710="7.10" -CHECK_TITLE_extra710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra710="NOT_SCORED" CHECK_ALTERNATE_check710="extra710" diff --git a/checks/check_extra711 b/checks/check_extra711 index 7cd41c82..1e0faa52 100644 --- a/checks/check_extra711 +++ b/checks/check_extra711 @@ -1,5 +1,5 @@ CHECK_ID_extra711="7.11" -CHECK_TITLE_extra711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra711="NOT_SCORED" CHECK_ALTERNATE_check711="extra711" diff --git a/checks/check_extra712 b/checks/check_extra712 index a16d9952..86126c9a 100644 --- a/checks/check_extra712 +++ b/checks/check_extra712 @@ -1,5 +1,5 @@ CHECK_ID_extra712="7.12" -CHECK_TITLE_extra712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra712="NOT_SCORED" CHECK_ALTERNATE_check712="extra712" diff --git a/checks/check_extra713 b/checks/check_extra713 index 83355ca5..86aecfe4 100644 --- a/checks/check_extra713 +++ b/checks/check_extra713 @@ -1,5 +1,5 @@ CHECK_ID_extra713="7.13" -CHECK_TITLE_extra713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra713="NOT_SCORED" CHECK_ALTERNATE_check713="extra713" diff --git a/checks/check_extra714 b/checks/check_extra714 index c7672f7e..6c0cf2c5 100644 --- a/checks/check_extra714 +++ b/checks/check_extra714 @@ -1,5 +1,5 @@ CHECK_ID_extra714="7.14" -CHECK_TITLE_extra714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra714="NOT_SCORED" CHECK_ALTERNATE_check714="extra714" diff --git a/checks/check_extra715 b/checks/check_extra715 index e3af9706..88a41715 100644 --- a/checks/check_extra715 +++ b/checks/check_extra715 @@ -1,5 +1,5 @@ CHECK_ID_extra715="7.15" -CHECK_TITLE_extra715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra715="[extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra715="NOT_SCORED" CHECK_ALTERNATE_check715="extra715" diff --git a/checks/check_extra716 b/checks/check_extra716 index 30b669fb..3d85d53c 100644 --- a/checks/check_extra716 +++ b/checks/check_extra716 @@ -1,5 +1,5 @@ CHECK_ID_extra716="7.16" -CHECK_TITLE_extra716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra716="[extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra716="NOT_SCORED" CHECK_ALTERNATE_check716="extra716" diff --git a/checks/check_extra717 b/checks/check_extra717 index 6a07975c..0c36dda4 100644 --- a/checks/check_extra717 +++ b/checks/check_extra717 @@ -1,5 +1,5 @@ CHECK_ID_extra717="7.17" -CHECK_TITLE_extra717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra717="NOT_SCORED" CHECK_ALTERNATE_check717="extra717" diff --git a/checks/check_extra718 b/checks/check_extra718 index 77c74783..927f3d75 100644 --- a/checks/check_extra718 +++ b/checks/check_extra718 @@ -1,5 +1,5 @@ CHECK_ID_extra718="7.18" -CHECK_TITLE_extra718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra718="NOT_SCORED" CHECK_ALTERNATE_check718="extra718" diff --git a/checks/check_extra719 b/checks/check_extra719 index fba60d76..fddc65fc 100644 --- a/checks/check_extra719 +++ b/checks/check_extra719 @@ -1,5 +1,5 @@ CHECK_ID_extra719="7.19" -CHECK_TITLE_extra719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra719="[extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra719="NOT_SCORED" CHECK_ALTERNATE_check719="extra719" diff --git a/checks/check_extra72 b/checks/check_extra72 index fc90c0b6..2523822c 100644 --- a/checks/check_extra72 +++ b/checks/check_extra72 @@ -1,5 +1,5 @@ CHECK_ID_extra72="7.2,7.02" -CHECK_TITLE_extra72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra72="NOT_SCORED" CHECK_ALTERNATE_extra702="extra72" CHECK_ALTERNATE_check72="extra72" diff --git a/checks/check_extra720 b/checks/check_extra720 index 139f30e9..af9f63fe 100644 --- a/checks/check_extra720 +++ b/checks/check_extra720 @@ -1,5 +1,5 @@ CHECK_ID_extra720="7.20" -CHECK_TITLE_extra720="Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra720="NOT_SCORED" CHECK_ALTERNATE_check720="extra720" diff --git a/checks/check_extra721 b/checks/check_extra721 index b430025e..9a9f1b81 100644 --- a/checks/check_extra721 +++ b/checks/check_extra721 @@ -1,5 +1,5 @@ CHECK_ID_extra721="7.21" -CHECK_TITLE_extra721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra721="NOT_SCORED" CHECK_ALTERNATE_check721="extra721" diff --git a/checks/check_extra722 b/checks/check_extra722 index d2621c61..b08c5ba6 100644 --- a/checks/check_extra722 +++ b/checks/check_extra722 @@ -1,5 +1,5 @@ CHECK_ID_extra722="7.22" -CHECK_TITLE_extra722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra722="NOT_SCORED" CHECK_ALTERNATE_check722="extra722" diff --git a/checks/check_extra723 b/checks/check_extra723 index 31a3daa4..1c9ef447 100644 --- a/checks/check_extra723 +++ b/checks/check_extra723 @@ -1,5 +1,5 @@ CHECK_ID_extra723="7.23" -CHECK_TITLE_extra723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra723="NOT_SCORED" CHECK_ALTERNATE_check723="extra723" diff --git a/checks/check_extra724 b/checks/check_extra724 index 8fece770..fc396844 100644 --- a/checks/check_extra724 +++ b/checks/check_extra724 @@ -1,5 +1,5 @@ CHECK_ID_extra724="7.24" -CHECK_TITLE_extra724="Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra724="NOT_SCORED" CHECK_ALTERNATE_check724="extra724" diff --git a/checks/check_extra725 b/checks/check_extra725 new file mode 100644 index 00000000..d8076b05 --- /dev/null +++ b/checks/check_extra725 @@ -0,0 +1,46 @@ +# CHECK_ID_extra725="7.25" +# CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled (Not Scored) (Not part of CIS benchmark)" +# CHECK_SCORED_extra725="NOT_SCORED" +# CHECK_ALTERNATE_check725="extra725" +# +# aws cloudtrail get-event-selectors --trail-name Default --profile security --region us-east-1 --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g' +# +# extra725(){ +# # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" +# for regx in $REGIONS; do +# LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) +# if [[ $LIST_OF_FUNCTIONS ]]; then +# for lambdafunction in $LIST_OF_FUNCTIONS;do +# LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text) +# if [[ $LIST_OF_TRAILS ]]; then +# for trail in $LIST_OF_TRAILS; do +# FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") +# if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then +# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" +# else +# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" +# fi +# done +# # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text) +# # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then +# # for trail in $LIST_OF_MULTIREGION_TRAILS; do +# # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text) +# # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") +# # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then +# # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" +# # else +# # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" +# # fi +# # done +# # else +# # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx" +# # fi +# else +# textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx" +# fi +# done +# else +# textInfo "$regx: No Lambda functions found" "$regx" +# fi +# done +# } diff --git a/checks/check_extra726 b/checks/check_extra726 new file mode 100644 index 00000000..6d77d65b --- /dev/null +++ b/checks/check_extra726 @@ -0,0 +1,48 @@ +# CHECK_ID_extra726="7.26" +# CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)" +# CHECK_SCORED_extra726="NOT_SCORED" +# CHECK_ALTERNATE_check726="extra726" +# +# tachecks=$(aws support describe-trusted-advisor-checks --language en --profile security --region us-east-1 --query checks[*].id --output text) +# +# for i in $tachecks; do aws support describe-trusted-advisor-check-result --check-id $i --language en --profile security --region us-east-1 --query result.status --output text; done +# +# extra726(){ +# # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" +# for regx in $REGIONS; do +# LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) +# if [[ $LIST_OF_FUNCTIONS ]]; then +# for lambdafunction in $LIST_OF_FUNCTIONS;do +# LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text) +# if [[ $LIST_OF_TRAILS ]]; then +# for trail in $LIST_OF_TRAILS; do +# FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") +# if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then +# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" +# else +# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" +# fi +# done +# # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text) +# # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then +# # for trail in $LIST_OF_MULTIREGION_TRAILS; do +# # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text) +# # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") +# # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then +# # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" +# # else +# # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" +# # fi +# # done +# # else +# # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx" +# # fi +# else +# textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx" +# fi +# done +# else +# textInfo "$regx: No Lambda functions found" "$regx" +# fi +# done +# } diff --git a/checks/check_extra73 b/checks/check_extra73 index 3dfc14c4..0d8e3e80 100644 --- a/checks/check_extra73 +++ b/checks/check_extra73 @@ -1,5 +1,5 @@ CHECK_ID_extra73="7.3,7.03" -CHECK_TITLE_extra73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra73="NOT_SCORED" CHECK_ALTERNATE_extra703="extra73" CHECK_ALTERNATE_check73="extra73" diff --git a/checks/check_extra74 b/checks/check_extra74 index 80a69b7e..d106d444 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -1,5 +1,5 @@ CHECK_ID_extra74="7.4,7.04" -CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra74="NOT_SCORED" CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_check74="extra74" diff --git a/checks/check_extra75 b/checks/check_extra75 index f004a0a8..20aba235 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 @@ -1,5 +1,5 @@ CHECK_ID_extra75="7.5,7.05" -CHECK_TITLE_extra75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra75="NOT_SCORED" CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_check75="extra75" diff --git a/checks/check_extra76 b/checks/check_extra76 index aad168cf..18bb4de2 100644 --- a/checks/check_extra76 +++ b/checks/check_extra76 @@ -1,5 +1,5 @@ CHECK_ID_extra76="7.6,7.06" -CHECK_TITLE_extra76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra76="[extra75] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra76="NOT_SCORED" CHECK_ALTERNATE_extra706="extra76" CHECK_ALTERNATE_check76="extra76" diff --git a/checks/check_extra77 b/checks/check_extra77 index 147dc263..ac726e8e 100644 --- a/checks/check_extra77 +++ b/checks/check_extra77 @@ -1,5 +1,5 @@ CHECK_ID_extra77="7.7,7.07" -CHECK_TITLE_extra77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra77="NOT_SCORED" CHECK_ALTERNATE_extra707="extra77" CHECK_ALTERNATE_check77="extra77" diff --git a/checks/check_extra78 b/checks/check_extra78 index 34cbe835..b2ff9954 100644 --- a/checks/check_extra78 +++ b/checks/check_extra78 @@ -1,5 +1,5 @@ CHECK_ID_extra78="7.8,7.08" -CHECK_TITLE_extra78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra78="[extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra78="NOT_SCORED" CHECK_ALTERNATE_extra708="extra78" CHECK_ALTERNATE_check78="extra78" diff --git a/checks/check_extra79 b/checks/check_extra79 index 5085df8d..45c58a0c 100644 --- a/checks/check_extra79 +++ b/checks/check_extra79 @@ -1,5 +1,5 @@ CHECK_ID_extra79="7.9,7.09" -CHECK_TITLE_extra79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra79="[extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra79="NOT_SCORED" CHECK_ALTERNATE_extra709="extra79" CHECK_ALTERNATE_check79="extra79" diff --git a/checks/check_sample b/checks/check_sample index 97663561..024dbd56 100644 --- a/checks/check_sample +++ b/checks/check_sample @@ -1,5 +1,5 @@ # CHECK_ID_checkN="N.N" -# CHECK_TITLE_checkN="Description (Not Scored) (Not part of CIS benchmark)" +# CHECK_TITLE_checkN="[checkN] Description (Not Scored) (Not part of CIS benchmark)" # CHECK_SCORED_checkN="NOT_SCORED" # CHECK_ALTERNATE_checkN="extraN" # diff --git a/groups/group1_iam b/groups/group1_iam index 6145bff4..aa809806 100644 --- a/groups/group1_iam +++ b/groups/group1_iam @@ -1,5 +1,5 @@ GROUP_ID[1]='group1' GROUP_NUMBER[1]='1.0' -GROUP_TITLE[1]='Identity and Access Management ****************************************' +GROUP_TITLE[1]='Identity and Access Management - [group1] **********************' GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124' diff --git a/groups/group2_logging b/groups/group2_logging index da10a1d4..c0ea6c35 100644 --- a/groups/group2_logging +++ b/groups/group2_logging @@ -1,5 +1,5 @@ GROUP_ID[2]='group2' GROUP_NUMBER[2]='2.0' -GROUP_TITLE[2]='Logging ***************************************************************' +GROUP_TITLE[2]='Logging - [group2] *********************************************' GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28' diff --git a/groups/group3_monitoring b/groups/group3_monitoring index 56356f84..61ab3d9c 100644 --- a/groups/group3_monitoring +++ b/groups/group3_monitoring @@ -1,5 +1,5 @@ GROUP_ID[3]='group3' GROUP_NUMBER[3]='3.0' -GROUP_TITLE[3]='Monitoring ************************************************************' +GROUP_TITLE[3]='Monitoring - [group3] ******************************************' GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315' diff --git a/groups/group4_networking b/groups/group4_networking index b5be3299..8a1029d1 100644 --- a/groups/group4_networking +++ b/groups/group4_networking @@ -1,5 +1,5 @@ GROUP_ID[4]="group4" GROUP_NUMBER[4]="4.0" -GROUP_TITLE[4]="Networking ************************************************************" +GROUP_TITLE[4]="Networking - [group4] ******************************************" GROUP_RUN_BY_DEFAULT[4]="Y" # run it when execute_all is called GROUP_CHECKS[4]="check41,check42,check43,check44,check45" diff --git a/groups/group5_cislevel1 b/groups/group5_cislevel1 index 277ec060..663df5e2 100644 --- a/groups/group5_cislevel1 +++ b/groups/group5_cislevel1 @@ -1,5 +1,5 @@ GROUP_ID[5]='cislevel1' GROUP_NUMBER[5]='5.0' -GROUP_TITLE[5]='CIS Level 1 **********************************************************' +GROUP_TITLE[5]='CIS Level 1 - [cislevel1] **************************************' GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42' diff --git a/groups/group6_cislevel2 b/groups/group6_cislevel2 index 3d627e3b..eeb61521 100644 --- a/groups/group6_cislevel2 +++ b/groups/group6_cislevel2 @@ -1,5 +1,5 @@ GROUP_ID[6]='cislevel2' GROUP_NUMBER[6]='6.0' -GROUP_TITLE[6]='CIS Level 2 **********************************************************' +GROUP_TITLE[6]='CIS Level 2 - [cislevel2] **************************************' GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45' diff --git a/groups/group7_extras b/groups/group7_extras index bddb4c84..0690022f 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -1,5 +1,5 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' -GROUP_TITLE[7]='Extras ****************************************************************' +GROUP_TITLE[7]='Extras - [extras] **********************************************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724' diff --git a/groups/group8_forensics b/groups/group8_forensics index 704b31ac..1f7e6d68 100644 --- a/groups/group8_forensics +++ b/groups/group8_forensics @@ -1,5 +1,5 @@ GROUP_ID[8]='forensics-ready' GROUP_NUMBER[8]='8.0' -GROUP_TITLE[8]='Forensics Readiness ***************************************************' +GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************' GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722' diff --git a/groups/group9_gdpr b/groups/group9_gdpr index 3707fbf7..9e5b5658 100644 --- a/groups/group9_gdpr +++ b/groups/group9_gdpr @@ -1,5 +1,5 @@ GROUP_ID[9]='gdpr' GROUP_NUMBER[9]='8.0' -GROUP_TITLE[9]='GDPR Readiness ***************************************************' +GROUP_TITLE[9]='GDPR Readiness - [gdpr] ****************************************' GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called GROUP_CHECKS[9]='' diff --git a/groups/groupN_sample b/groups/groupN_sample index a286c9f8..e9f44685 100644 --- a/groups/groupN_sample +++ b/groups/groupN_sample @@ -1,5 +1,5 @@ -GROUP_ID[9]='my-custom-group' +GROUP_ID[9]='my-custom-group' GROUP_NUMBER[9]='9.0' -GROUP_TITLE[9]='My Custom Group **********************************************' +GROUP_TITLE[9]='My Custom Group - [my-custom-group] ****************************' GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called GROUP_CHECKS[9]='checkNN,checkMM'