Table of Contents generated with DocToc
This profile covers some parts of the "CIS Amazon Web Services Foundations Benchmark (v1.2.0)".
Batteries included:
- IAM
- MFA for root account ✅
- Password Policy ✅
- all your Access Keys - Expiration ✅
- Logging
- AWS Config is active ✅
- CloudTrail is enabled ✅
- Networking
- Security Groups for SSH are restricted ✅
- Security Groups for Remote Desktop (RDP) are restricted ✅
- additional best-practices not covered by the CIS Benchmark:
- all your S3 Buckets are not public and encrypted (per Region) ✅
- Organizations ✅
- all your EBS volumes should be encrypted (per region) ✅
- ECR: Test that images are scanned for vulnerabilities at a push to repository ✅
Please make sure you have InSpec version >= 4 installed, e.g. with bundle install
(see Gemfile for details).
We recommend the usage of aws-vault.
Make sure your Auditor IAM User has the following managed policy attached:
arn:aws:iam::aws:policy/SecurityAudit
It is also possible to use higher privileged policies, such as arn:aws:iam::aws:policy/ReadOnlyAccess
.
You can easily use this InSpec profile from Github:
## the "-n" instructs aws-vault not to use AWS STS session tokens:
aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
-t aws:// --show-progress \
https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz
Call InSpec with AWS region + your local configured Profile:
inspec exec -t aws://eu-central-1/my-named-profile --show-progress \
https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz
inspec vendor --overwrite .
You can also check if a given account is part of AWS Organizations (Master or Member). This feature is disabled by default. You can enable it by providing variables given as an InSpec Input File.
See example configurations here.
aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz \
-t aws:// --show-progress \
--input-file enable-aws-organizations-checks.yml
git clone https://github.com/centriascolocation/inspec-aws-baseline.git
make build-docker-images
aws-vault exec -n <YOURNAMEDPROFILEHERE> -- make test
These values are based off CVSS 3.0:
numeric value | impact, importance |
---|---|
0.0 to <0.01 | none - they only provide information |
0.01 to <0.4 | low |
0.4 to <0.7 | medium |
0.7 to <0.9 | high |
0.9 to 1.0 | critical |