ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

added checkid to every check and group title

Browse Source
This commit is contained in:
Toni de la Fuente
2018-03-29 10:36:46 -04:00
parent 7cde6f15e7
commit cd41766e22
90 changed files with 378 additions and 284 deletions
Download Patch File Download Diff File Expand all files Collapse all files

392
LIST_OF_CHECKS_AND_GROUPS.md
View File

@@ -1,399 +1,399 @@
``` _ ```
_
_ __ _ __ _____ _| | ___ _ __ _ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ | | |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|v2.0 | .__/|_| \___/ \_/\_/ |_|\___|_|v2.0
|_| the handy cloud security tool |_| the handy cloud security tool
Date: Tue Mar 27 18:38:53 EDT 2018 Date: Thu Mar 29 10:35:09 EDT 2018
Colors code for results: INFO (Information), PASS (Recommended value), FAIL (Fix required) Colors code for results: INFO (Information), PASS (Recommended value), FAIL (Fix required)
1.0 (group1) Identity and Access Management **************************************** 1.0 Identity and Access Management - [group1] **********************
1.1 Avoid the use of the root account (Scored) 1.1 [check11] Avoid the use of the root account (Scored)
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) 1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) 1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored)
1.4 Ensure access keys are rotated every 90 days or less (Scored) 1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored)
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) 1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 Ensure IAM password policy require at least one lowercase letter (Scored) 1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored)
1.7 Ensure IAM password policy require at least one symbol (Scored) 1.7 [check17] Ensure IAM password policy require at least one symbol (Scored)
1.8 Ensure IAM password policy require at least one number (Scored) 1.8 [check18] Ensure IAM password policy require at least one number (Scored)
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) 1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) 1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) 1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)
1.12 Ensure no root account access key exists (Scored) 1.12 [check112] Ensure no root account access key exists (Scored)
1.13 Ensure MFA is enabled for the root account (Scored) 1.13 [check113] Ensure MFA is enabled for the root account (Scored)
1.14 Ensure hardware MFA is enabled for the root account (Scored) 1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored)
1.15 Ensure security questions are registered in the AWS account (Not Scored) 1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored)
1.16 Ensure IAM policies are attached only to groups or roles (Scored) 1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 Enable detailed billing (Scored) 1.17 [check117] Enable detailed billing (Scored)
1.18 Ensure IAM Master and IAM Manager roles are active (Scored) 1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.19 Maintain current contact details (Scored) 1.19 [check119] Maintain current contact details (Scored)
1.20 Ensure security contact information is registered (Scored) 1.20 [check120] Ensure security contact information is registered (Scored)
1.21 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) 1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) 1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) 1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) 1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.0 (group2) Logging *************************************************************** 2.0 Logging - [group2] *********************************************
2.1 Ensure CloudTrail is enabled in all regions (Scored) 2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
2.2 Ensure CloudTrail log file validation is enabled (Scored) 2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored)
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) 2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) 2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.5 Ensure AWS Config is enabled in all regions (Scored) 2.5 [check25] Ensure AWS Config is enabled in all regions (Scored)
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) 2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) 2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
2.8 Ensure rotation for customer created CMKs is enabled (Scored) 2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
3.0 (group3) Monitoring ************************************************************ 3.0 Monitoring - [group3] ******************************************
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) 3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) 3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) 3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) 3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) 3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) 3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) 3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) 3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) 3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) 3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored)
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) 3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) 3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) 3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) 3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) 3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.0 (group4) Networking ************************************************************ 4.0 Networking - [group4] ******************************************
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) 4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
4.4 Ensure the default security group of every VPC restricts all traffic (Scored) 4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
4.5 Ensure routing tables for VPC peering are "least access" (Not Scored) 4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
5.0 (cislevel1) CIS Level 1 ********************************************************** 5.0 CIS Level 1 - [cislevel1] **************************************
1.1 Avoid the use of the root account (Scored) 1.1 [check11] Avoid the use of the root account (Scored)
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) 1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) 1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored)
1.4 Ensure access keys are rotated every 90 days or less (Scored) 1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored)
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) 1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 Ensure IAM password policy require at least one lowercase letter (Scored) 1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored)
1.7 Ensure IAM password policy require at least one symbol (Scored) 1.7 [check17] Ensure IAM password policy require at least one symbol (Scored)
1.8 Ensure IAM password policy require at least one number (Scored) 1.8 [check18] Ensure IAM password policy require at least one number (Scored)
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) 1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) 1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) 1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)
1.12 Ensure no root account access key exists (Scored) 1.12 [check112] Ensure no root account access key exists (Scored)
1.13 Ensure MFA is enabled for the root account (Scored) 1.13 [check113] Ensure MFA is enabled for the root account (Scored)
1.15 Ensure security questions are registered in the AWS account (Not Scored) 1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored)
1.16 Ensure IAM policies are attached only to groups or roles (Scored) 1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 Enable detailed billing (Scored) 1.17 [check117] Enable detailed billing (Scored)
1.18 Ensure IAM Master and IAM Manager roles are active (Scored) 1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.19 Maintain current contact details (Scored) 1.19 [check119] Maintain current contact details (Scored)
1.20 Ensure security contact information is registered (Scored) 1.20 [check120] Ensure security contact information is registered (Scored)
1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) 1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) 1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) 1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 Ensure CloudTrail is enabled in all regions (Scored) 2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) 2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) 2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.5 Ensure AWS Config is enabled in all regions (Scored) 2.5 [check25] Ensure AWS Config is enabled in all regions (Scored)
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) 2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) 3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) 3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) 3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) 3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) 3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) 3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) 3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) 3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) 3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) 3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
6.0 (cislevel2) CIS Level 2 ********************************************************** 6.0 CIS Level 2 - [cislevel2] **************************************
1.1 Avoid the use of the root account (Scored) 1.1 [check11] Avoid the use of the root account (Scored)
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) 1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) 1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored)
1.4 Ensure access keys are rotated every 90 days or less (Scored) 1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored)
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) 1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 Ensure IAM password policy require at least one lowercase letter (Scored) 1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored)
1.7 Ensure IAM password policy require at least one symbol (Scored) 1.7 [check17] Ensure IAM password policy require at least one symbol (Scored)
1.8 Ensure IAM password policy require at least one number (Scored) 1.8 [check18] Ensure IAM password policy require at least one number (Scored)
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) 1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored) 1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored) 1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)
1.12 Ensure no root account access key exists (Scored) 1.12 [check112] Ensure no root account access key exists (Scored)
1.13 Ensure MFA is enabled for the root account (Scored) 1.13 [check113] Ensure MFA is enabled for the root account (Scored)
1.14 Ensure hardware MFA is enabled for the root account (Scored) 1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored)
1.15 Ensure security questions are registered in the AWS account (Not Scored) 1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored)
1.16 Ensure IAM policies are attached only to groups or roles (Scored) 1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 Enable detailed billing (Scored) 1.17 [check117] Enable detailed billing (Scored)
1.18 Ensure IAM Master and IAM Manager roles are active (Scored) 1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.19 Maintain current contact details (Scored) 1.19 [check119] Maintain current contact details (Scored)
1.20 Ensure security contact information is registered (Scored) 1.20 [check120] Ensure security contact information is registered (Scored)
1.21 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) 1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored) 1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) 1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) 1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 Ensure CloudTrail is enabled in all regions (Scored) 2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
2.2 Ensure CloudTrail log file validation is enabled (Scored) 2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored)
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) 2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) 2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.5 Ensure AWS Config is enabled in all regions (Scored) 2.5 [check25] Ensure AWS Config is enabled in all regions (Scored)
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) 2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) 2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
2.8 Ensure rotation for customer created CMKs is enabled (Scored) 2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) 3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) 3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored) 3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored) 3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) 3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) 3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) 3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) 3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) 3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
3.10 Ensure a log metric filter and alarm exist for security group changes (Scored) 3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored)
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) 3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored) 3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored) 3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored) 3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 Ensure appropriate subscribers to each SNS topic (Not Scored) 3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored) 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored) 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) 4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
4.4 Ensure the default security group of every VPC restricts all traffic (Scored) 4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
4.5 Ensure routing tables for VPC peering are "least access" (Not Scored) 4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
7.0 (extras) Extras **************************************************************** 7.0 Extras - [extras] **********************************************
7.1 Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) 7.1 [extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
7.2 Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) 7.2 [extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
7.3 Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark) 7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
7.4 Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark) 7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
7.5 Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark) 7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
7.6 Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) 7.6 [extra75] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
7.7 Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) 7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
7.8 Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) 7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
7.9 Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) 7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
7.10 Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) 7.10 [extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
7.11 Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) 7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) 7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) 7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) 7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) 7.15 [extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
7.16 Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) 7.16 [extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) 7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) 7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) 7.19 [extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.20 Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) 7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) 7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) 7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) 7.23 [extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
8.0 (forensics-ready) Forensics Readiness *************************************************** 7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
2.1 Ensure CloudTrail is enabled in all regions (Scored) 8.0 Forensics Readiness - [forensics-ready] ************************
2.2 Ensure CloudTrail log file validation is enabled (Scored) 2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) 2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored)
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) 2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.5 Ensure AWS Config is enabled in all regions (Scored) 2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) 2.5 [check25] Ensure AWS Config is enabled in all regions (Scored)
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) 2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored) 2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) 4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) 7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) 7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) 7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) 7.15 [extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) 7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) 7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.20 Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) 7.19 [extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) 7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) 7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) 7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
7.24 Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
``` ```

2
checks/check11
View File

@@ -1,5 +1,5 @@
CHECK_ID_check11="1.1,1.01" CHECK_ID_check11="1.1,1.01"
CHECK_TITLE_check11="Avoid the use of the root account (Scored)" CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
CHECK_SCORED_check11="SCORED" CHECK_SCORED_check11="SCORED"
CHECK_ALTERNATE_check101="check11" CHECK_ALTERNATE_check101="check11"

2
checks/check110
View File

@@ -1,5 +1,5 @@
CHECK_ID_check110="1.10" CHECK_ID_check110="1.10"
CHECK_TITLE_check110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)" CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
CHECK_SCORED_check110="SCORED" CHECK_SCORED_check110="SCORED"
CHECK_ALTERNATE_check110="check110" CHECK_ALTERNATE_check110="check110"

2
checks/check111
View File

@@ -1,5 +1,5 @@
CHECK_ID_check111="1.11" CHECK_ID_check111="1.11"
CHECK_TITLE_check111="Ensure IAM password policy expires passwords within 90 days or less (Scored)" CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
CHECK_SCORED_check111="SCORED" CHECK_SCORED_check111="SCORED"
CHECK_ALTERNATE_check111="check111" CHECK_ALTERNATE_check111="check111"

2
checks/check112
View File

@@ -1,5 +1,5 @@
CHECK_ID_check112="1.12" CHECK_ID_check112="1.12"
CHECK_TITLE_check112="Ensure no root account access key exists (Scored)" CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
CHECK_SCORED_check112="SCORED" CHECK_SCORED_check112="SCORED"
CHECK_ALTERNATE_check112="check112" CHECK_ALTERNATE_check112="check112"

2
checks/check113
View File

@@ -1,5 +1,5 @@
CHECK_ID_check113="1.13" CHECK_ID_check113="1.13"
CHECK_TITLE_check113="Ensure MFA is enabled for the root account (Scored)" CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
CHECK_SCORED_check113="SCORED" CHECK_SCORED_check113="SCORED"
CHECK_ALTERNATE_check113="check113" CHECK_ALTERNATE_check113="check113"

2
checks/check114
View File

@@ -1,5 +1,5 @@
CHECK_ID_check114="1.14" CHECK_ID_check114="1.14"
CHECK_TITLE_check114="Ensure hardware MFA is enabled for the root account (Scored)" CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
CHECK_SCORED_check114="SCORED" CHECK_SCORED_check114="SCORED"
CHECK_ALTERNATE_check114="check114" CHECK_ALTERNATE_check114="check114"

2
checks/check115
View File

@@ -1,5 +1,5 @@
CHECK_ID_check115="1.15" CHECK_ID_check115="1.15"
CHECK_TITLE_check115="Ensure security questions are registered in the AWS account (Not Scored)" CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
CHECK_SCORED_check115="SCORED" CHECK_SCORED_check115="SCORED"
CHECK_ALTERNATE_check115="check115" CHECK_ALTERNATE_check115="check115"

2
checks/check116
View File

@@ -1,5 +1,5 @@
CHECK_ID_check116="1.16" CHECK_ID_check116="1.16"
CHECK_TITLE_check116="Ensure IAM policies are attached only to groups or roles (Scored)" CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
CHECK_SCORED_check116="SCORED" CHECK_SCORED_check116="SCORED"
CHECK_ALTERNATE_check116="check116" CHECK_ALTERNATE_check116="check116"

2
checks/check117
View File

@@ -1,5 +1,5 @@
CHECK_ID_check117="1.17" CHECK_ID_check117="1.17"
CHECK_TITLE_check117="Enable detailed billing (Scored)" CHECK_TITLE_check117="[check117] Enable detailed billing (Scored)"
CHECK_SCORED_check117="SCORED" CHECK_SCORED_check117="SCORED"
CHECK_ALTERNATE_check117="check117" CHECK_ALTERNATE_check117="check117"

2
checks/check118
View File

@@ -1,5 +1,5 @@
CHECK_ID_check118="1.18" CHECK_ID_check118="1.18"
CHECK_TITLE_check118="Ensure IAM Master and IAM Manager roles are active (Scored)" CHECK_TITLE_check118="[check118] Ensure IAM Master and IAM Manager roles are active (Scored)"
CHECK_SCORED_check118="SCORED" CHECK_SCORED_check118="SCORED"
CHECK_ALTERNATE_check118="check118" CHECK_ALTERNATE_check118="check118"

2
checks/check119
View File

@@ -1,5 +1,5 @@
CHECK_ID_check119="1.19" CHECK_ID_check119="1.19"
CHECK_TITLE_check119="Maintain current contact details (Scored)" CHECK_TITLE_check119="[check119] Maintain current contact details (Scored)"
CHECK_SCORED_check119="SCORED" CHECK_SCORED_check119="SCORED"
CHECK_ALTERNATE_check119="check119" CHECK_ALTERNATE_check119="check119"

2
checks/check12
View File

@@ -1,5 +1,5 @@
CHECK_ID_check12="1.2,1.02" CHECK_ID_check12="1.2,1.02"
CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
CHECK_SCORED_check12="SCORED" CHECK_SCORED_check12="SCORED"
CHECK_ALTERNATE_check102="check12" CHECK_ALTERNATE_check102="check12"

2
checks/check120
View File

@@ -1,5 +1,5 @@
CHECK_ID_check120="1.20" CHECK_ID_check120="1.20"
CHECK_TITLE_check120="Ensure security contact information is registered (Scored)" CHECK_TITLE_check120="[check120] Ensure security contact information is registered (Scored)"
CHECK_SCORED_check120="SCORED" CHECK_SCORED_check120="SCORED"
CHECK_ALTERNATE_check120="check120" CHECK_ALTERNATE_check120="check120"

2
checks/check121
View File

@@ -1,5 +1,5 @@
CHECK_ID_check121="1.21" CHECK_ID_check121="1.21"
CHECK_TITLE_check121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" CHECK_TITLE_check121="[check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
CHECK_SCORED_check121="NOT_SCORED" CHECK_SCORED_check121="NOT_SCORED"
CHECK_ALTERNATE_check121="check121" CHECK_ALTERNATE_check121="check121"

2
checks/check122
View File

@@ -1,5 +1,5 @@
CHECK_ID_check122="1.22" CHECK_ID_check122="1.22"
CHECK_TITLE_check122="Ensure a support role has been created to manage incidents with AWS Support (Scored)" CHECK_TITLE_check122="[check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
CHECK_SCORED_check122="SCORED" CHECK_SCORED_check122="SCORED"
CHECK_ALTERNATE_check122="check122" CHECK_ALTERNATE_check122="check122"

2
checks/check123
View File

@@ -1,5 +1,5 @@
CHECK_ID_check123="1.23" CHECK_ID_check123="1.23"
CHECK_TITLE_check123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" CHECK_TITLE_check123="[check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
CHECK_SCORED_check123="NOT_SCORED" CHECK_SCORED_check123="NOT_SCORED"
CHECK_ALTERNATE_check123="check123" CHECK_ALTERNATE_check123="check123"

2
checks/check124
View File

@@ -1,5 +1,5 @@
CHECK_ID_check124="1.24" CHECK_ID_check124="1.24"
CHECK_TITLE_check124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" CHECK_TITLE_check124="[check124] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
CHECK_SCORED_check124="SCORED" CHECK_SCORED_check124="SCORED"
CHECK_ALTERNATE_check124="check124" CHECK_ALTERNATE_check124="check124"

2
checks/check13
View File

@@ -1,5 +1,5 @@
CHECK_ID_check13="1.3,1.03" CHECK_ID_check13="1.3,1.03"
CHECK_TITLE_check13="Ensure credentials unused for 90 days or greater are disabled (Scored)" CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
CHECK_SCORED_check13="SCORED" CHECK_SCORED_check13="SCORED"
CHECK_ALTERNATE_check103="check13" CHECK_ALTERNATE_check103="check13"

2
checks/check14
View File

@@ -1,5 +1,5 @@
CHECK_ID_check14="1.4,1.04" CHECK_ID_check14="1.4,1.04"
CHECK_TITLE_check14="Ensure access keys are rotated every 90 days or less (Scored)" CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
CHECK_SCORED_check14="SCORED" CHECK_SCORED_check14="SCORED"
CHECK_ALTERNATE_check104="check14" CHECK_ALTERNATE_check104="check14"

2
checks/check15
View File

@@ -1,5 +1,5 @@
CHECK_ID_check15="1.5,1.05" CHECK_ID_check15="1.5,1.05"
CHECK_TITLE_check15="Ensure IAM password policy requires at least one uppercase letter (Scored)" CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
CHECK_SCORED_check15="SCORED" CHECK_SCORED_check15="SCORED"
CHECK_ALTERNATE_check105="check15" CHECK_ALTERNATE_check105="check15"

2
checks/check16
View File

@@ -1,5 +1,5 @@
CHECK_ID_check16="1.6,1.06" CHECK_ID_check16="1.6,1.06"
CHECK_TITLE_check16="Ensure IAM password policy require at least one lowercase letter (Scored)" CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
CHECK_SCORED_check16="SCORED" CHECK_SCORED_check16="SCORED"
CHECK_ALTERNATE_check106="check16" CHECK_ALTERNATE_check106="check16"

2
checks/check17
View File

@@ -1,5 +1,5 @@
CHECK_ID_check17="1.7,1.07" CHECK_ID_check17="1.7,1.07"
CHECK_TITLE_check17="Ensure IAM password policy require at least one symbol (Scored)" CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
CHECK_SCORED_check17="SCORED" CHECK_SCORED_check17="SCORED"
CHECK_ALTERNATE_check107="check17" CHECK_ALTERNATE_check107="check17"

2
checks/check18
View File

@@ -1,5 +1,5 @@
CHECK_ID_check18="1.8,1.08" CHECK_ID_check18="1.8,1.08"
CHECK_TITLE_check18="Ensure IAM password policy require at least one number (Scored)" CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
CHECK_SCORED_check18="SCORED" CHECK_SCORED_check18="SCORED"
CHECK_ALTERNATE_check18="check18" CHECK_ALTERNATE_check18="check18"

2
checks/check19
View File

@@ -1,5 +1,5 @@
CHECK_ID_check19="1.9,1.09" CHECK_ID_check19="1.9,1.09"
CHECK_TITLE_check19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)" CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
CHECK_SCORED_check19="SCORED" CHECK_SCORED_check19="SCORED"
CHECK_ALTERNATE_check109="check19" CHECK_ALTERNATE_check109="check19"

2
checks/check21
View File

@@ -1,5 +1,5 @@
CHECK_ID_check21="2.1,2.01" CHECK_ID_check21="2.1,2.01"
CHECK_TITLE_check21="Ensure CloudTrail is enabled in all regions (Scored)" CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
CHECK_SCORED_check21="SCORED" CHECK_SCORED_check21="SCORED"
CHECK_ALTERNATE_check201="check21" CHECK_ALTERNATE_check201="check21"

2
checks/check22
View File

@@ -1,5 +1,5 @@
CHECK_ID_check22="2.2,2.02" CHECK_ID_check22="2.2,2.02"
CHECK_TITLE_check22="Ensure CloudTrail log file validation is enabled (Scored)" CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
CHECK_SCORED_check22="SCORED" CHECK_SCORED_check22="SCORED"
CHECK_ALTERNATE_check202="check22" CHECK_ALTERNATE_check202="check22"

2
checks/check23
View File

@@ -1,5 +1,5 @@
CHECK_ID_check23="2.3,2.03" CHECK_ID_check23="2.3,2.03"
CHECK_TITLE_check23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
CHECK_SCORED_check23="SCORED" CHECK_SCORED_check23="SCORED"
CHECK_ALTERNATE_check203="check23" CHECK_ALTERNATE_check203="check23"

2
checks/check24
View File

@@ -1,5 +1,5 @@
CHECK_ID_check24="2.4,2.04" CHECK_ID_check24="2.4,2.04"
CHECK_TITLE_check24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
CHECK_SCORED_check24="SCORED" CHECK_SCORED_check24="SCORED"
CHECK_ALTERNATE_check204="check24" CHECK_ALTERNATE_check204="check24"

2
checks/check25
View File

@@ -1,5 +1,5 @@
CHECK_ID_check25="2.5,2.05" CHECK_ID_check25="2.5,2.05"
CHECK_TITLE_check25="Ensure AWS Config is enabled in all regions (Scored)" CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
CHECK_SCORED_check25="SCORED" CHECK_SCORED_check25="SCORED"
CHECK_ALTERNATE_check205="check25" CHECK_ALTERNATE_check205="check25"

2
checks/check26
View File

@@ -1,5 +1,5 @@
CHECK_ID_check26="2.6,2.06" CHECK_ID_check26="2.6,2.06"
CHECK_TITLE_check26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
CHECK_SCORED_check26="SCORED" CHECK_SCORED_check26="SCORED"
CHECK_ALTERNATE_check206="check26" CHECK_ALTERNATE_check206="check26"

2
checks/check27
View File

@@ -1,5 +1,5 @@
CHECK_ID_check27="2.7,2.07" CHECK_ID_check27="2.7,2.07"
CHECK_TITLE_check27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
CHECK_SCORED_check27="SCORED" CHECK_SCORED_check27="SCORED"
CHECK_ALTERNATE_check207="check27" CHECK_ALTERNATE_check207="check27"

2
checks/check28
View File

@@ -1,5 +1,5 @@
CHECK_ID_check28="2.8,2.08" CHECK_ID_check28="2.8,2.08"
CHECK_TITLE_check28="Ensure rotation for customer created CMKs is enabled (Scored)" CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
CHECK_SCORED_check28="SCORED" CHECK_SCORED_check28="SCORED"
CHECK_ALTERNATE_check208="check28" CHECK_ALTERNATE_check208="check28"

2
checks/check31
View File

@@ -1,5 +1,5 @@
CHECK_ID_check31="3.1,3.01" CHECK_ID_check31="3.1,3.01"
CHECK_TITLE_check31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)" CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
CHECK_SCORED_check31="SCORED" CHECK_SCORED_check31="SCORED"
CHECK_ALTERNATE_check301="check31" CHECK_ALTERNATE_check301="check31"

2
checks/check310
View File

@@ -1,5 +1,5 @@
CHECK_ID_check310="3.10" CHECK_ID_check310="3.10"
CHECK_TITLE_check310="Ensure a log metric filter and alarm exist for security group changes (Scored)" CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
CHECK_SCORED_check310="SCORED" CHECK_SCORED_check310="SCORED"
CHECK_ALTERNATE_check310="check310" CHECK_ALTERNATE_check310="check310"

2
checks/check311
View File

@@ -1,5 +1,5 @@
CHECK_ID_check311="3.11" CHECK_ID_check311="3.11"
CHECK_TITLE_check311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)" CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
CHECK_SCORED_check311="SCORED" CHECK_SCORED_check311="SCORED"
CHECK_ALTERNATE_check311="check311" CHECK_ALTERNATE_check311="check311"

2
checks/check312
View File

@@ -1,5 +1,5 @@
CHECK_ID_check312="3.12" CHECK_ID_check312="3.12"
CHECK_TITLE_check312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)" CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
CHECK_SCORED_check312="SCORED" CHECK_SCORED_check312="SCORED"
CHECK_ALTERNATE_check312="check312" CHECK_ALTERNATE_check312="check312"

2
checks/check313
View File

@@ -1,5 +1,5 @@
CHECK_ID_check313="3.13" CHECK_ID_check313="3.13"
CHECK_TITLE_check313="Ensure a log metric filter and alarm exist for route table changes (Scored)" CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
CHECK_SCORED_check313="SCORED" CHECK_SCORED_check313="SCORED"
CHECK_ALTERNATE_check313="check313" CHECK_ALTERNATE_check313="check313"

2
checks/check314
View File

@@ -1,5 +1,5 @@
CHECK_ID_check314="3.14" CHECK_ID_check314="3.14"
CHECK_TITLE_check314="Ensure a log metric filter and alarm exist for VPC changes (Scored)" CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
CHECK_SCORED_check314="SCORED" CHECK_SCORED_check314="SCORED"
CHECK_ALTERNATE_check314="check314" CHECK_ALTERNATE_check314="check314"

2
checks/check315
View File

@@ -1,5 +1,5 @@
CHECK_ID_check315="3.15" CHECK_ID_check315="3.15"
CHECK_TITLE_check315="Ensure appropriate subscribers to each SNS topic (Not Scored)" CHECK_TITLE_check315="[check315] Ensure appropriate subscribers to each SNS topic (Not Scored)"
CHECK_SCORED_check315="SCORED" CHECK_SCORED_check315="SCORED"
CHECK_ALTERNATE_check315="check315" CHECK_ALTERNATE_check315="check315"

2
checks/check32
View File

@@ -1,5 +1,5 @@
CHECK_ID_check32="3.2,3.02" CHECK_ID_check32="3.2,3.02"
CHECK_TITLE_check32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)" CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
CHECK_SCORED_check32="SCORED" CHECK_SCORED_check32="SCORED"
CHECK_ALTERNATE_check302="check32" CHECK_ALTERNATE_check302="check32"

2
checks/check33
View File

@@ -1,5 +1,5 @@
CHECK_ID_check33="3.3,3.03" CHECK_ID_check33="3.3,3.03"
CHECK_TITLE_check33="Ensure a log metric filter and alarm exist for usage of root account (Scored)" CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
CHECK_SCORED_check33="SCORED" CHECK_SCORED_check33="SCORED"
CHECK_ALTERNATE_check303="check33" CHECK_ALTERNATE_check303="check33"

2
checks/check34
View File

@@ -1,5 +1,5 @@
CHECK_ID_check34="3.4,3.04" CHECK_ID_check34="3.4,3.04"
CHECK_TITLE_check34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)" CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
CHECK_SCORED_check34="SCORED" CHECK_SCORED_check34="SCORED"
CHECK_ALTERNATE_check304="check34" CHECK_ALTERNATE_check304="check34"

2
checks/check35
View File

@@ -1,5 +1,5 @@
CHECK_ID_check35="3.5,3.05" CHECK_ID_check35="3.5,3.05"
CHECK_TITLE_check35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)" CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
CHECK_SCORED_check35="SCORED" CHECK_SCORED_check35="SCORED"
CHECK_ALTERNATE_check305="check35" CHECK_ALTERNATE_check305="check35"

2
checks/check36
View File

@@ -1,5 +1,5 @@
CHECK_ID_check36="3.6,3.06" CHECK_ID_check36="3.6,3.06"
CHECK_TITLE_check36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)" CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
CHECK_SCORED_check36="SCORED" CHECK_SCORED_check36="SCORED"
CHECK_ALTERNATE_check306="check36" CHECK_ALTERNATE_check306="check36"

2
checks/check37
View File

@@ -1,5 +1,5 @@
CHECK_ID_check37="3.7,3.07" CHECK_ID_check37="3.7,3.07"
CHECK_TITLE_check37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
CHECK_SCORED_check37="SCORED" CHECK_SCORED_check37="SCORED"
CHECK_ALTERNATE_check307="check37" CHECK_ALTERNATE_check307="check37"

2
checks/check38
View File

@@ -1,5 +1,5 @@
CHECK_ID_check38="3.8,3.08" CHECK_ID_check38="3.8,3.08"
CHECK_TITLE_check38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)" CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
CHECK_SCORED_check38="SCORED" CHECK_SCORED_check38="SCORED"
CHECK_ALTERNATE_check308="check38" CHECK_ALTERNATE_check308="check38"

2
checks/check39
View File

@@ -1,5 +1,5 @@
CHECK_ID_check39="3.9,3.09" CHECK_ID_check39="3.9,3.09"
CHECK_TITLE_check39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)" CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
CHECK_SCORED_check39="SCORED" CHECK_SCORED_check39="SCORED"
CHECK_ALTERNATE_check309="check39" CHECK_ALTERNATE_check309="check39"

2
checks/check41
View File

@@ -1,5 +1,5 @@
CHECK_ID_check41="4.1,4.01" CHECK_ID_check41="4.1,4.01"
CHECK_TITLE_check41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)" CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
CHECK_SCORED_check41="SCORED" CHECK_SCORED_check41="SCORED"
CHECK_ALTERNATE_check401="check41" CHECK_ALTERNATE_check401="check41"

2
checks/check42
View File

@@ -1,5 +1,5 @@
CHECK_ID_check42="4.2,4.02" CHECK_ID_check42="4.2,4.02"
CHECK_TITLE_check42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)" CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
CHECK_SCORED_check42="SCORED" CHECK_SCORED_check42="SCORED"
CHECK_ALTERNATE_check402="check42" CHECK_ALTERNATE_check402="check42"

2
checks/check43
View File

@@ -1,5 +1,5 @@
CHECK_ID_check43="4.3,4.03" CHECK_ID_check43="4.3,4.03"
CHECK_TITLE_check43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" CHECK_TITLE_check43="[check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
CHECK_SCORED_check43="SCORED" CHECK_SCORED_check43="SCORED"
CHECK_ALTERNATE_check403="check43" CHECK_ALTERNATE_check403="check43"

2
checks/check44
View File

@@ -1,5 +1,5 @@
CHECK_ID_check44="4.4,4.04" CHECK_ID_check44="4.4,4.04"
CHECK_TITLE_check44="Ensure the default security group of every VPC restricts all traffic (Scored)" CHECK_TITLE_check44="[check44] Ensure the default security group of every VPC restricts all traffic (Scored)"
CHECK_SCORED_check44="SCORED" CHECK_SCORED_check44="SCORED"
CHECK_ALTERNATE_check404="check44" CHECK_ALTERNATE_check404="check44"

2
checks/check45
View File

@@ -1,5 +1,5 @@
CHECK_ID_check45="4.5,4.05" CHECK_ID_check45="4.5,4.05"
CHECK_TITLE_check45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)" CHECK_TITLE_check45="[check45] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
CHECK_SCORED_check45="NOT_SCORED" CHECK_SCORED_check45="NOT_SCORED"
CHECK_ALTERNATE_check405="check45" CHECK_ALTERNATE_check405="check45"

2
checks/check_extra71
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra71="7.1,7.01" CHECK_ID_extra71="7.1,7.01"
CHECK_TITLE_extra71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra71="[extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra71="NOT_SCORED" CHECK_SCORED_extra71="NOT_SCORED"
CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_extra701="extra71"
CHECK_ALTERNATE_check71="extra71" CHECK_ALTERNATE_check71="extra71"

2
checks/check_extra710
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra710="7.10" CHECK_ID_extra710="7.10"
CHECK_TITLE_extra710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra710="NOT_SCORED" CHECK_SCORED_extra710="NOT_SCORED"
CHECK_ALTERNATE_check710="extra710" CHECK_ALTERNATE_check710="extra710"

2
checks/check_extra711
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra711="7.11" CHECK_ID_extra711="7.11"
CHECK_TITLE_extra711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra711="NOT_SCORED" CHECK_SCORED_extra711="NOT_SCORED"
CHECK_ALTERNATE_check711="extra711" CHECK_ALTERNATE_check711="extra711"

2
checks/check_extra712
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra712="7.12" CHECK_ID_extra712="7.12"
CHECK_TITLE_extra712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra712="NOT_SCORED" CHECK_SCORED_extra712="NOT_SCORED"
CHECK_ALTERNATE_check712="extra712" CHECK_ALTERNATE_check712="extra712"

2
checks/check_extra713
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra713="7.13" CHECK_ID_extra713="7.13"
CHECK_TITLE_extra713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra713="NOT_SCORED" CHECK_SCORED_extra713="NOT_SCORED"
CHECK_ALTERNATE_check713="extra713" CHECK_ALTERNATE_check713="extra713"

2
checks/check_extra714
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra714="7.14" CHECK_ID_extra714="7.14"
CHECK_TITLE_extra714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra714="NOT_SCORED" CHECK_SCORED_extra714="NOT_SCORED"
CHECK_ALTERNATE_check714="extra714" CHECK_ALTERNATE_check714="extra714"

2
checks/check_extra715
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra715="7.15" CHECK_ID_extra715="7.15"
CHECK_TITLE_extra715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra715="[extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra715="NOT_SCORED" CHECK_SCORED_extra715="NOT_SCORED"
CHECK_ALTERNATE_check715="extra715" CHECK_ALTERNATE_check715="extra715"

2
checks/check_extra716
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra716="7.16" CHECK_ID_extra716="7.16"
CHECK_TITLE_extra716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra716="[extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra716="NOT_SCORED" CHECK_SCORED_extra716="NOT_SCORED"
CHECK_ALTERNATE_check716="extra716" CHECK_ALTERNATE_check716="extra716"

2
checks/check_extra717
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra717="7.17" CHECK_ID_extra717="7.17"
CHECK_TITLE_extra717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra717="NOT_SCORED" CHECK_SCORED_extra717="NOT_SCORED"
CHECK_ALTERNATE_check717="extra717" CHECK_ALTERNATE_check717="extra717"

2
checks/check_extra718
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra718="7.18" CHECK_ID_extra718="7.18"
CHECK_TITLE_extra718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra718="NOT_SCORED" CHECK_SCORED_extra718="NOT_SCORED"
CHECK_ALTERNATE_check718="extra718" CHECK_ALTERNATE_check718="extra718"

2
checks/check_extra719
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra719="7.19" CHECK_ID_extra719="7.19"
CHECK_TITLE_extra719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra719="[extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra719="NOT_SCORED" CHECK_SCORED_extra719="NOT_SCORED"
CHECK_ALTERNATE_check719="extra719" CHECK_ALTERNATE_check719="extra719"

2
checks/check_extra72
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra72="7.2,7.02" CHECK_ID_extra72="7.2,7.02"
CHECK_TITLE_extra72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra72="NOT_SCORED" CHECK_SCORED_extra72="NOT_SCORED"
CHECK_ALTERNATE_extra702="extra72" CHECK_ALTERNATE_extra702="extra72"
CHECK_ALTERNATE_check72="extra72" CHECK_ALTERNATE_check72="extra72"

2
checks/check_extra720
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra720="7.20" CHECK_ID_extra720="7.20"
CHECK_TITLE_extra720="Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra720="NOT_SCORED" CHECK_SCORED_extra720="NOT_SCORED"
CHECK_ALTERNATE_check720="extra720" CHECK_ALTERNATE_check720="extra720"

2
checks/check_extra721
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra721="7.21" CHECK_ID_extra721="7.21"
CHECK_TITLE_extra721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra721="NOT_SCORED" CHECK_SCORED_extra721="NOT_SCORED"
CHECK_ALTERNATE_check721="extra721" CHECK_ALTERNATE_check721="extra721"

2
checks/check_extra722
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra722="7.22" CHECK_ID_extra722="7.22"
CHECK_TITLE_extra722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra722="NOT_SCORED" CHECK_SCORED_extra722="NOT_SCORED"
CHECK_ALTERNATE_check722="extra722" CHECK_ALTERNATE_check722="extra722"

2
checks/check_extra723
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra723="7.23" CHECK_ID_extra723="7.23"
CHECK_TITLE_extra723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra723="NOT_SCORED" CHECK_SCORED_extra723="NOT_SCORED"
CHECK_ALTERNATE_check723="extra723" CHECK_ALTERNATE_check723="extra723"

2
checks/check_extra724
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra724="7.24" CHECK_ID_extra724="7.24"
CHECK_TITLE_extra724="Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra724="NOT_SCORED" CHECK_SCORED_extra724="NOT_SCORED"
CHECK_ALTERNATE_check724="extra724" CHECK_ALTERNATE_check724="extra724"

46
checks/check_extra725 Normal file
View File

@@ -0,0 +1,46 @@
# CHECK_ID_extra725="7.25"
# CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled (Not Scored) (Not part of CIS benchmark)"
# CHECK_SCORED_extra725="NOT_SCORED"
# CHECK_ALTERNATE_check725="extra725"
#
# aws cloudtrail get-event-selectors --trail-name Default --profile security --region us-east-1 --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g'
#
# extra725(){
# # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
# for regx in $REGIONS; do
# LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
# if [[ $LIST_OF_FUNCTIONS ]]; then
# for lambdafunction in $LIST_OF_FUNCTIONS;do
# LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
# if [[ $LIST_OF_TRAILS ]]; then
# for trail in $LIST_OF_TRAILS; do
# FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# else
# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# fi
# done
# # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
# # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
# # for trail in $LIST_OF_MULTIREGION_TRAILS; do
# # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
# # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
# # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# # else
# # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# # fi
# # done
# # else
# # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
# # fi
# else
# textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
# fi
# done
# else
# textInfo "$regx: No Lambda functions found" "$regx"
# fi
# done
# }

48
checks/check_extra726 Normal file
View File

@@ -0,0 +1,48 @@
# CHECK_ID_extra726="7.26"
# CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)"
# CHECK_SCORED_extra726="NOT_SCORED"
# CHECK_ALTERNATE_check726="extra726"
#
# tachecks=$(aws support describe-trusted-advisor-checks --language en --profile security --region us-east-1 --query checks[*].id --output text)
#
# for i in $tachecks; do aws support describe-trusted-advisor-check-result --check-id $i --language en --profile security --region us-east-1 --query result.status --output text; done
#
# extra726(){
# # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
# for regx in $REGIONS; do
# LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
# if [[ $LIST_OF_FUNCTIONS ]]; then
# for lambdafunction in $LIST_OF_FUNCTIONS;do
# LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text)
# if [[ $LIST_OF_TRAILS ]]; then
# for trail in $LIST_OF_TRAILS; do
# FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# else
# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# fi
# done
# # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
# # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
# # for trail in $LIST_OF_MULTIREGION_TRAILS; do
# # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
# # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
# # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# # else
# # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# # fi
# # done
# # else
# # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
# # fi
# else
# textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
# fi
# done
# else
# textInfo "$regx: No Lambda functions found" "$regx"
# fi
# done
# }

2
checks/check_extra73
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra73="7.3,7.03" CHECK_ID_extra73="7.3,7.03"
CHECK_TITLE_extra73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra73="NOT_SCORED" CHECK_SCORED_extra73="NOT_SCORED"
CHECK_ALTERNATE_extra703="extra73" CHECK_ALTERNATE_extra703="extra73"
CHECK_ALTERNATE_check73="extra73" CHECK_ALTERNATE_check73="extra73"

2
checks/check_extra74
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra74="7.4,7.04" CHECK_ID_extra74="7.4,7.04"
CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra74="NOT_SCORED" CHECK_SCORED_extra74="NOT_SCORED"
CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_extra704="extra74"
CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check74="extra74"

2
checks/check_extra75
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra75="7.5,7.05" CHECK_ID_extra75="7.5,7.05"
CHECK_TITLE_extra75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra75="NOT_SCORED" CHECK_SCORED_extra75="NOT_SCORED"
CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_extra705="extra75"
CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check75="extra75"

2
checks/check_extra76
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra76="7.6,7.06" CHECK_ID_extra76="7.6,7.06"
CHECK_TITLE_extra76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra76="[extra75] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra76="NOT_SCORED" CHECK_SCORED_extra76="NOT_SCORED"
CHECK_ALTERNATE_extra706="extra76" CHECK_ALTERNATE_extra706="extra76"
CHECK_ALTERNATE_check76="extra76" CHECK_ALTERNATE_check76="extra76"

2
checks/check_extra77
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra77="7.7,7.07" CHECK_ID_extra77="7.7,7.07"
CHECK_TITLE_extra77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra77="NOT_SCORED" CHECK_SCORED_extra77="NOT_SCORED"
CHECK_ALTERNATE_extra707="extra77" CHECK_ALTERNATE_extra707="extra77"
CHECK_ALTERNATE_check77="extra77" CHECK_ALTERNATE_check77="extra77"

2
checks/check_extra78
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra78="7.8,7.08" CHECK_ID_extra78="7.8,7.08"
CHECK_TITLE_extra78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra78="[extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra78="NOT_SCORED" CHECK_SCORED_extra78="NOT_SCORED"
CHECK_ALTERNATE_extra708="extra78" CHECK_ALTERNATE_extra708="extra78"
CHECK_ALTERNATE_check78="extra78" CHECK_ALTERNATE_check78="extra78"

2
checks/check_extra79
View File

@@ -1,5 +1,5 @@
CHECK_ID_extra79="7.9,7.09" CHECK_ID_extra79="7.9,7.09"
CHECK_TITLE_extra79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" CHECK_TITLE_extra79="[extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra79="NOT_SCORED" CHECK_SCORED_extra79="NOT_SCORED"
CHECK_ALTERNATE_extra709="extra79" CHECK_ALTERNATE_extra709="extra79"
CHECK_ALTERNATE_check79="extra79" CHECK_ALTERNATE_check79="extra79"

2
checks/check_sample
View File

@@ -1,5 +1,5 @@
# CHECK_ID_checkN="N.N" # CHECK_ID_checkN="N.N"
# CHECK_TITLE_checkN="Description (Not Scored) (Not part of CIS benchmark)" # CHECK_TITLE_checkN="[checkN] Description (Not Scored) (Not part of CIS benchmark)"
# CHECK_SCORED_checkN="NOT_SCORED" # CHECK_SCORED_checkN="NOT_SCORED"
# CHECK_ALTERNATE_checkN="extraN" # CHECK_ALTERNATE_checkN="extraN"
# #

2
groups/group1_iam
View File

@@ -1,5 +1,5 @@
GROUP_ID[1]='group1' GROUP_ID[1]='group1'
GROUP_NUMBER[1]='1.0' GROUP_NUMBER[1]='1.0'
GROUP_TITLE[1]='Identity and Access Management ****************************************' GROUP_TITLE[1]='Identity and Access Management - [group1] **********************'
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124' GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'

2
groups/group2_logging
View File

@@ -1,5 +1,5 @@
GROUP_ID[2]='group2' GROUP_ID[2]='group2'
GROUP_NUMBER[2]='2.0' GROUP_NUMBER[2]='2.0'
GROUP_TITLE[2]='Logging ***************************************************************' GROUP_TITLE[2]='Logging - [group2] *********************************************'
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28' GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'

2
groups/group3_monitoring
View File

@@ -1,5 +1,5 @@
GROUP_ID[3]='group3' GROUP_ID[3]='group3'
GROUP_NUMBER[3]='3.0' GROUP_NUMBER[3]='3.0'
GROUP_TITLE[3]='Monitoring ************************************************************' GROUP_TITLE[3]='Monitoring - [group3] ******************************************'
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315' GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'

2
groups/group4_networking
View File

@@ -1,5 +1,5 @@
GROUP_ID[4]="group4" GROUP_ID[4]="group4"
GROUP_NUMBER[4]="4.0" GROUP_NUMBER[4]="4.0"
GROUP_TITLE[4]="Networking ************************************************************" GROUP_TITLE[4]="Networking - [group4] ******************************************"
GROUP_RUN_BY_DEFAULT[4]="Y" # run it when execute_all is called GROUP_RUN_BY_DEFAULT[4]="Y" # run it when execute_all is called
GROUP_CHECKS[4]="check41,check42,check43,check44,check45" GROUP_CHECKS[4]="check41,check42,check43,check44,check45"

2
groups/group5_cislevel1
View File

@@ -1,5 +1,5 @@
GROUP_ID[5]='cislevel1' GROUP_ID[5]='cislevel1'
GROUP_NUMBER[5]='5.0' GROUP_NUMBER[5]='5.0'
GROUP_TITLE[5]='CIS Level 1 **********************************************************' GROUP_TITLE[5]='CIS Level 1 - [cislevel1] **************************************'
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42' GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'

2
groups/group6_cislevel2
View File

@@ -1,5 +1,5 @@
GROUP_ID[6]='cislevel2' GROUP_ID[6]='cislevel2'
GROUP_NUMBER[6]='6.0' GROUP_NUMBER[6]='6.0'
GROUP_TITLE[6]='CIS Level 2 **********************************************************' GROUP_TITLE[6]='CIS Level 2 - [cislevel2] **************************************'
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45' GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'

2
groups/group7_extras
View File

@@ -1,5 +1,5 @@
GROUP_ID[7]='extras' GROUP_ID[7]='extras'
GROUP_NUMBER[7]='7.0' GROUP_NUMBER[7]='7.0'
GROUP_TITLE[7]='Extras ****************************************************************' GROUP_TITLE[7]='Extras - [extras] **********************************************'
GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724' GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724'

2
groups/group8_forensics
View File

@@ -1,5 +1,5 @@
GROUP_ID[8]='forensics-ready' GROUP_ID[8]='forensics-ready'
GROUP_NUMBER[8]='8.0' GROUP_NUMBER[8]='8.0'
GROUP_TITLE[8]='Forensics Readiness ***************************************************' GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722' GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722'

2
groups/group9_gdpr
View File

@@ -1,5 +1,5 @@
GROUP_ID[9]='gdpr' GROUP_ID[9]='gdpr'
GROUP_NUMBER[9]='8.0' GROUP_NUMBER[9]='8.0'
GROUP_TITLE[9]='GDPR Readiness ***************************************************' GROUP_TITLE[9]='GDPR Readiness - [gdpr] ****************************************'
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
GROUP_CHECKS[9]='' GROUP_CHECKS[9]=''

4
groups/groupN_sample
View File

@@ -1,5 +1,5 @@
GROUP_ID[9]='my-custom-group' GROUP_ID[9]='my-custom-group'
GROUP_NUMBER[9]='9.0' GROUP_NUMBER[9]='9.0'
GROUP_TITLE[9]='My Custom Group **********************************************' GROUP_TITLE[9]='My Custom Group - [my-custom-group] ****************************'
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
GROUP_CHECKS[9]='checkNN,checkMM' GROUP_CHECKS[9]='checkNN,checkMM'