Traceability matrix

Use the table below as a quick reference to map the CIS AWS Foundations Benchmark recommendations to the sections above.

| # | Section | Description |
|---|---------|-------------|
| 1.1 | Answer security questions and complete contact details | Complete the contact details on the AWS account page |
| 1.2 | Answer security questions and complete contact details | Complete the security contact information on the AWS account page |
| 1.3 | Answer security questions and complete contact details | Answer the security questions on the AWS account page |
| 1.4 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that the Security Hub service is enabled, which will notify you if the root user has access keys set |
| 1.5 | Enable MFA for the root account | Manually configure MFA for the root user |
| 1.6 | Enable MFA for the root account | Use a Yubikey (or other hardware MFA) for the root user |
| 1.7 | Manual steps | Take manual steps to complete this recommendation |
| 1.8-9 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to set up the IAM password policy |
| 1.10 | Configure authentication | Configure authentication using SAML or IAM |
| 1.11 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users |
| 1.12 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused credentials |
| 1.13 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no extra access keys |
| 1.14 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused access keys |
| 1.15 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users and groups |
| 1.16 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure no full-access policies are attached to any groups or users |
| 1.17 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create a support group |
| 1.18 | Use IAM roles for EC2 instances | Use Gruntwork modules to ensure EC2 instances use roles for access |
| 1.19 | Cleanup Expired SSL/TLS certificates | Use Gruntwork modules to automatically remove expired certificates from IAM |
| 1.20 | IAM Access Analyzer | Use Gruntwork modules to enable IAM Access Analyzer across regions |
| 1.21 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure IAM users are managed centrally through the use of AWS Organizations |
| 2.1.1-2.1.2 | S3 Buckets | Use the private-s3-bucket module |
| 2.1.3 | S3 Buckets | Use the private-s3-bucket module and follow the instructions in the README |
| 2.1.4 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure Amazon Macie is enabled |
| 2.1.5 | S3 Buckets | Use the private-s3-bucket module |
| 2.2.1 | Configure EBS Encryption | Use Gruntwork modules to configure AWS EBS encryption |
| 2.3.1 | Configure RDS Encryption | Use Gruntwork modules to configure AWS RDS encryption |
| 3.1-3.4 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail is enabled and configured in all regions |
| 3.5 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure AWS Config is enabled in all regions |
| 3.6 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure the CloudTrail S3 bucket has access logging enabled |
| 3.7 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| 3.8 | Enable key rotation for KMS keys | Use the KMS module |
| 3.9 | Create VPC flow logs | Use the Gruntwork CIS-compliant vpc service to provision VPCs with flow logs enabled |
| 3.10-3.11 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure object-level logging is enabled for S3 buckets for read and write events |
| 4.1-4.15 | Maintaining compliance by following Monitoring best practices | The CloudWatch Logs metric filters wrapper module will satisfy each recommendation |
| 5.1 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to ensure there is no public remote access |
| 5.2 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service for a secure network configuration |
| 5.3 | Maintaining compliance by following Networking best practices | Use the cloud-nuke tool to remove all default security groups |
| 5.4 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to configure least-privilege routing by default |