AWS securityhub documentation change
Summary
Updated multiple security controls to include CIS AWS Foundations Benchmark v5.0.0 in applicable standards references
Security assessment
The changes add references to CIS AWS Foundations Benchmark v5.0.0 compliance standards for existing security controls. This updates documentation to reflect alignment with newer compliance frameworks but does not directly address a specific security vulnerability or weakness. The controls themselves describe security best practices, so this reinforces existing security documentation.
Diff
diff --git a/securityhub/latest/userguide/securityhub-controls-reference.md b/securityhub/latest/userguide/securityhub-controls-reference.md index d79f5538c..6cd870d9d 100644 --- a//securityhub/latest/userguide/securityhub-controls-reference.md +++ b//securityhub/latest/userguide/securityhub-controls-reference.md @@ -34 +34 @@ Security control ID | Security control title | Applicable standards | Severity | -[Account.1](./account-controls.html#account-1) | Security contact information should be provided for an AWS account | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[Account.1](./account-controls.html#account-1) | Security contact information should be provided for an AWS account | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic @@ -94,2 +94,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic -[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) | CloudTrail should have encryption at-rest enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[CloudTrail.1](./cloudtrail-controls.html#cloudtrail-1) | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | HIGH | No | Periodic +[CloudTrail.2](./cloudtrail-controls.html#cloudtrail-2) | CloudTrail should have encryption at-rest enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0 AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic @@ -97 +97 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) | CloudTrail log file validation should be enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1, Service-Managed Standard: AWS Control Tower | LOW | No | Periodic +[CloudTrail.4](./cloudtrail-controls.html#cloudtrail-4) | CloudTrail log file validation should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1, Service-Managed Standard: AWS Control Tower | LOW | No | Periodic @@ -100 +100 @@ Security control ID | Security control title | Applicable standards | Severity | -[CloudTrail.7](./cloudtrail-controls.html#cloudtrail-7) | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | LOW | No | Periodic +[CloudTrail.7](./cloudtrail-controls.html#cloudtrail-7) | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | LOW | No | Periodic @@ -130 +130 @@ Security control ID | Security control title | Applicable standards | Severity | -[Config.1](./config-controls.html#config-1) | AWS Config should be enabled and use the service-linked role for resource recording | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | Yes | Periodic +[Config.1](./config-controls.html#config-1) | AWS Config should be enabled and use the service-linked role for resource recording | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | Yes | Periodic @@ -163 +163 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.2](./ec2-controls.html#ec2-2) | VPC default security groups should not allow inbound or outbound traffic | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered +[EC2.2](./ec2-controls.html#ec2-2) | VPC default security groups should not allow inbound or outbound traffic | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | HIGH | No | Change triggered @@ -166,3 +166,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.6](./ec2-controls.html#ec2-6) | VPC flow logging should be enabled in all VPCs | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic -[EC2.7](./ec2-controls.html#ec2-7) | EBS default encryption should be enabled | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic -[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[EC2.6](./ec2-controls.html#ec2-6) | VPC flow logging should be enabled in all VPCs | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic +[EC2.7](./ec2-controls.html#ec2-7) | EBS default encryption should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[EC2.8](./ec2-controls.html#ec2-8) | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -180 +180 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered +[EC2.21](./ec2-controls.html#ec2-21) | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | No | Change triggered @@ -206,2 +206,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[EC2.53](./ec2-controls.html#ec2-53) | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | No | Periodic -[EC2.54](./ec2-controls.html#ec2-54) | EC2 security groups should not allow ingress from ::/0 to remote server administration ports | CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | No | Periodic +[EC2.53](./ec2-controls.html#ec2-53) | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | No | Periodic +[EC2.54](./ec2-controls.html#ec2-54) | EC2 security groups should not allow ingress from ::/0 to remote server administration ports | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | No | Periodic @@ -243 +243 @@ Security control ID | Security control title | Applicable standards | Severity | -[EFS.1](./efs-controls.html#efs-1) | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic +[EFS.1](./efs-controls.html#efs-1) | Elastic File System should be configured to encrypt file data at-rest using AWS KMS | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Periodic @@ -250 +250 @@ Security control ID | Security control title | Applicable standards | Severity | -[EFS.8](./efs-controls.html#efs-8) | EFS file systems should be encrypted at rest | AWS Foundational Security Best Practices | MEDIUM | Yes | Change triggered +[EFS.8](./efs-controls.html#efs-8) | EFS file systems should be encrypted at rest | CIS AWS Foundations Benchmark v5.0.0, AWS Foundational Security Best Practices | MEDIUM | Yes | Change triggered @@ -326,5 +326,5 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.2](./iam-controls.html#iam-2) | IAM users should not have IAM policies attached | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | LOW | No | Change triggered -[IAM.3](./iam-controls.html#iam-3) | IAM users' access keys should be rotated every 90 days or less | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic -[IAM.4](./iam-controls.html#iam-4) | IAM root user access key should not exist | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | No | Periodic -[IAM.5](./iam-controls.html#iam-5) | MFA should be enabled for all IAM users that have a console password | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic -[IAM.6](./iam-controls.html#iam-6) | Hardware MFA should be enabled for the root user | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic +[IAM.2](./iam-controls.html#iam-2) | IAM users should not have IAM policies attached | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | LOW | No | Change triggered +[IAM.3](./iam-controls.html#iam-3) | IAM users' access keys should be rotated every 90 days or less | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[IAM.4](./iam-controls.html#iam-4) | IAM root user access key should not exist | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | No | Periodic +[IAM.5](./iam-controls.html#iam-5) | MFA should be enabled for all IAM users that have a console password | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[IAM.6](./iam-controls.html#iam-6) | Hardware MFA should be enabled for the root user | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | CRITICAL | No | Periodic @@ -333 +333 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.9](./iam-controls.html#iam-9) | MFA should be enabled for the root user | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Periodic +[IAM.9](./iam-controls.html#iam-9) | MFA should be enabled for the root user | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Periodic @@ -339,2 +339,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.15](./iam-controls.html#iam-15) | Ensure IAM password policy requires minimum password length of 14 or greater | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic -[IAM.16](./iam-controls.html#iam-16) | Ensure IAM password policy prevents password reuse | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Periodic +[IAM.15](./iam-controls.html#iam-15) | Ensure IAM password policy requires minimum password length of 14 or greater | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic +[IAM.16](./iam-controls.html#iam-16) | Ensure IAM password policy prevents password reuse | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Periodic @@ -342 +342 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.18](./iam-controls.html#iam-18) | Ensure a support role has been created to manage incidents with AWS Support | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Periodic +[IAM.18](./iam-controls.html#iam-18) | Ensure a support role has been created to manage incidents with AWS Support | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | LOW | No | Periodic @@ -345 +345 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.22](./iam-controls.html#iam-22) | IAM user credentials unused for 45 days should be removed | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic +[IAM.22](./iam-controls.html#iam-22) | IAM user credentials unused for 45 days should be removed | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-171 Rev. 2 | MEDIUM | No | Periodic @@ -349,3 +349,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[IAM.26](./iam-controls.html#iam-26) | Expired SSL/TLS certificates managed in IAM should be removed | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | No | Periodic -[IAM.27](./iam-controls.html#iam-27) | IAM identities should not have the AWSCloudShellFullAccess policy attached | CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | No | Change triggered -[IAM.28](./iam-controls.html#iam-28) | IAM Access Analyzer external access analyzer should be enabled | CIS AWS Foundations Benchmark v3.0.0 | HIGH | No | Periodic +[IAM.26](./iam-controls.html#iam-26) | Expired SSL/TLS certificates managed in IAM should be removed | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | No | Periodic +[IAM.27](./iam-controls.html#iam-27) | IAM identities should not have the AWSCloudShellFullAccess policy attached | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0 | MEDIUM | No | Change triggered +[IAM.28](./iam-controls.html#iam-28) | IAM Access Analyzer external access analyzer should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0 | HIGH | No | Periodic @@ -387 +387 @@ Security control ID | Security control title | Applicable standards | Severity | -[KMS.4](./kms-controls.html#kms-4) | AWS KMS key rotation should be enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[KMS.4](./kms-controls.html#kms-4) | AWS KMS key rotation should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, CIS AWS Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | No | Periodic @@ -441,2 +441,2 @@ Security control ID | Security control title | Applicable standards | Severity | -[RDS.2](./rds-controls.html#rds-2) | RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Change triggered -[RDS.3](./rds-controls.html#rds-3) | RDS DB instances should have encryption at-rest enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[RDS.2](./rds-controls.html#rds-2) | RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | No | Change triggered +[RDS.3](./rds-controls.html#rds-3) | RDS DB instances should have encryption at-rest enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -444 +444 @@ Security control ID | Security control title | Applicable standards | Severity | -[RDS.5](./rds-controls.html#rds-5) | RDS DB instances should be configured with multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[RDS.5](./rds-controls.html#rds-5) | RDS DB instances should be configured with multiple Availability Zones | CIS AWS Foundations Benchmark v5.0.0, AWS Foundational Security Best Practices v1.0.0, Service-Managed Standard: AWS Control Tower, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -452 +452 @@ Security control ID | Security control title | Applicable standards | Severity | -[RDS.13](./rds-controls.html#rds-13) | RDS automatic minor version upgrades should be enabled | CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[RDS.13](./rds-controls.html#rds-13) | RDS automatic minor version upgrades should be enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -454 +454 @@ Security control ID | Security control title | Applicable standards | Severity | -[RDS.15](./rds-controls.html#rds-15) | RDS DB clusters should be configured for multiple Availability Zones | AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered +[RDS.15](./rds-controls.html#rds-15) | RDS DB clusters should be configured for multiple Availability Zones | CIS AWS Foundations Benchmark v5.0.0, AWS Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | MEDIUM | No | Change triggered @@ -509 +509 @@ Security control ID | Security control title | Applicable standards | Severity | -[S3.1](./s3-controls.html#s3-1) | S3 general purpose buckets should have block public access settings enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic +[S3.1](./s3-controls.html#s3-1) | S3 general purpose buckets should have block public access settings enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Periodic @@ -512 +512 @@ Security control ID | Security control title | Applicable standards | Severity | -[S3.5](./s3-controls.html#s3-5) | S3 general purpose buckets should require requests to use SSL | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered +[S3.5](./s3-controls.html#s3-5) | S3 general purpose buckets should require requests to use SSL | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | MEDIUM | No | Change triggered @@ -515 +515 @@ Security control ID | Security control title | Applicable standards | Severity | -[S3.8](./s3-controls.html#s3-8) | S3 general purpose buckets should block public access | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered +[S3.8](./s3-controls.html#s3-8) | S3 general purpose buckets should block public access | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, AWS Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1, Service-Managed Standard: AWS Control Tower | HIGH | No | Change triggered @@ -525,3 +525,3 @@ Security control ID | Security control title | Applicable standards | Severity | -[S3.20](./s3-controls.html#s3-20) | S3 general purpose buckets should have MFA delete enabled | CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered -[S3.22](./s3-controls.html#s3-22) | S3 general purpose buckets should log object-level write events | CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | No | Periodic -[S3.23](./s3-controls.html#s3-23) | S3 general purpose buckets should log object-level read events | CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[S3.20](./s3-controls.html#s3-20) | S3 general purpose buckets should have MFA delete enabled | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | No | Change triggered +[S3.22](./s3-controls.html#s3-22) | S3 general purpose buckets should log object-level write events | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | No | Periodic +[S3.23](./s3-controls.html#s3-23) | S3 general purpose buckets should log object-level read events | CIS AWS Foundations Benchmark v5.0.0, CIS AWS Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | No | Periodic