CIS Foundation Benchmarks
This page provides an overview of CIS compliance policy and the current CIS requirements & controls monitored by Secberus.
Overview
The CIS Controls® and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. The official CIS Benchmarks can be found here.
Secberus supports the majority of the AWS, Azure, and GCP CIS Foundation Benchmarks.
Supported CIS Foundation Benchmark Controls
AWS CIS Benchmark v1.2.0
Control ID | Name |
---|---|
1.2 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
1.3 | Ensure credentials unused for 90 days or greater are disabled |
1.4 | Ensure access keys are rotated every 90 days or less |
1.5 | Ensure IAM password policy requires at least one uppercase letter |
1.6 | Ensure IAM password policy requires at least one lowercase letter |
1.7 | Ensure IAM password policy requires at least one symbol |
1.8 | Ensure IAM password policy requires at least one number |
1.9 | Ensure IAM password policy requires a minimum length of 14 or greater |
1.10 | Ensure IAM password policy prevents password reuse |
1.11 | Ensure IAM password policy expires passwords within 90 days or less |
1.12 | Ensure no root account access key exists |
1.13 | Ensure MFA is enabled for the "root" account |
1.14 | Ensure hardware MFA is enabled for the "root" account |
1.15 | Ensure security questions are registered in the AWS account |
1.16 | Ensure IAM policies are attached only to groups or roles |
1.20 | Ensure a support role has been created to manage incidents with AWS Support |
2.1 | Ensure CloudTrail is enabled in all regions |
2.2 | Ensure CloudTrail log file validation is enabled |
2.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
2.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs |
2.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
2.7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
2.8 | Ensure rotation for customer created CMKs is enabled |
2.9 | Ensure VPC flow logging is enabled in all VPCs |
3.1 | Ensure a log metric filter and alarm exist for unauthorized API calls |
3.2 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
3.3 | Ensure a log metric filter and alarm exist for usage of "root" account |
3.4 | Ensure a log metric filter and alarm exist for IAM policy changes |
3.5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
3.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
3.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
3.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
3.10 | Ensure a log metric filter and alarm exist for security group changes |
3.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists |
3.12 | Ensure a log metric filter and alarm exist for changes to network gateways |
3.13 | Ensure a log metric filter and alarm exist for route table changes |
3.14 | Ensure a log metric filter and alarm exist for VPC changes |
4.3 | Ensure the default security group of every VPC restricts all traffic |
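The three IAM credential-hygiene controls at the top of this table (1.2, 1.3 and 1.4) are all answerable from a single artifact, the IAM credential report. The following is an added illustration of that evaluation, written for this page; it is not Secberus code and does not describe how Secberus implements these checks. The report below is constructed and trimmed to the columns the three checks need (the real report has more), the account ID is a placeholder, and the fixed `NOW` timestamp is an assumption so the example is deterministic.

```python
"""Evaluate CIS AWS Foundations v1.2.0 controls 1.2, 1.3 and 1.4 against an IAM
credential report (the CSV that `aws iam get-credential-report` returns, base64
decoded). The sample report here is constructed for illustration."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the columns these checks read. Real reports use
# N/A, no_information and not_supported exactly as shown.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2021-06-01T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2021-06-10T09:30:00+00:00,true,true,2021-04-01T00:00:00+00:00,2021-06-09T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2021-06-11T14:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,true,2021-01-05T10:00:00+00:00,true,true,2020-11-20T00:00:00+00:00,2021-02-01T00:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true,2021-05-15T00:00:00+00:00,2021-06-11T00:00:00+00:00,true,2020-12-01T00:00:00+00:00,no_information
"""

NOW = datetime(2021, 6, 12, tzinfo=timezone.utc)  # assumed fixed "now" for a deterministic run
MAX_AGE = timedelta(days=90)                       # the 90-day threshold in 1.3 and 1.4


def parse_ts(value):
    """Return a datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def check_1_2(row):
    """1.2: every IAM user with a console password must have MFA active.
    Root reports password_enabled=not_supported and is covered by 1.13/1.14 instead."""
    return row["password_enabled"] != "true" or row["mfa_active"] == "true"


def _stale(last_used, fallback, now):
    """A credential is stale when its last use is >= 90 days ago. A key that was
    never used is judged by its rotation (creation) date instead."""
    ref = last_used or fallback
    return ref is not None and now - ref >= MAX_AGE


def check_1_3(row, now=NOW):
    """1.3: list enabled credentials that have not been used for 90 days or more."""
    findings = []
    if row["password_enabled"] == "true" and _stale(parse_ts(row["password_last_used"]), None, now):
        findings.append("password")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true" and _stale(
            parse_ts(row[f"access_key_{n}_last_used_date"]),
            parse_ts(row[f"access_key_{n}_last_rotated"]),
            now,
        ):
            findings.append(f"access_key_{n}")
    return findings


def check_1_4(row, now=NOW):
    """1.4: list active access keys older than 90 days (never-rotated keys count as old)."""
    findings = []
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_AGE:
                findings.append(f"access_key_{n}")
    return findings


def evaluate(report_csv, now=NOW):
    """Map each principal in the report to its result for the three controls."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        results[row["user"]] = {
            "1.2": check_1_2(row),
            "1.3": check_1_3(row, now),
            "1.4": check_1_4(row, now),
        }
    return results


if __name__ == "__main__":
    for user, result in evaluate(SAMPLE_REPORT).items():
        print(f"{user:16} mfa_ok={result['1.2']} unused={result['1.3']} old_keys={result['1.4']}")
```

Two details matter when running this against a real report: the credential report is generated asynchronously and can be up to four hours old, so a key rotated minutes ago may still show the old date; and a never-used key has `no_information` in its last-used column, which the check above deliberately treats as stale once the key itself is 90 days old rather than as "not applicable".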
Azure CIS Benchmark v1.3.0
Control ID | Policy Name |
---|---|
2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'ON' |
3.1 | Ensure that 'Secure transfer required' is set to 'Enable' |
3.2 | Ensure that storage account access keys are periodically regenerated |
3.5 | Ensure that 'Public access level' is set to Private for blob containers |
4.1.1 | Ensure that 'Auditing' is set to 'On' for SQL Server |
4.1.2 | Ensure that 'Data encryption' is set to 'On' for SQL Database |
4.1.3 | Ensure that 'Auditing' Retention is 'Greater than 90 days' |
4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database server |
4.3.4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database server |
4.3.5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database server |
4.3.6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database server |
4.3.7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database server |
4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key |
5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment |
5.2.3 | Ensure that Activity Log Alerts exists for Create or Update Network Security Group |
5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group |
5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule |
5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution |
5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution |
5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
6.2 | Ensure that SSH access is restricted from the internet |
6.5 | Ensure that Network Watcher is 'Enabled' |
7.5 | Ensure the latest OS patches for all virtual machines are applied |
7.6 | Ensure that endpoint protection for all virtual machines is installed |
GCP CIS Benchmark v1.0.0
Control ID | Name |
---|---|
1.3 | Ensure that there are only GCP-managed service account keys for each service account |
2.1 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
2.2 | Ensure that sinks are configured for all Log entries |
2.3 | Ensure that object versioning is enabled on log-buckets |
2.4 | Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
2.5 | Ensure log metric filter and alerts exists for Audit Configuration Changes |
2.6 | Ensure log metric filter and alerts exists for Custom Role changes |
2.7 | Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
2.8 | Ensure log metric filter and alerts exists for VPC network route changes |
2.9 | Ensure log metric filter and alerts exists for VPC network changes |
2.11 | Ensure log metric filter and alerts exists for SQL instance configuration changes |
3.1 | Ensure the default network does not exist in a project |
3.2 | Ensure legacy networks do not exist for a project |
3.3 | Ensure that DNSSEC is enabled for Cloud DNS |
3.4 | Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
3.5 | Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
3.6 | Ensure that SSH access is restricted from the internet |
3.7 | Ensure that RDP access is restricted from the internet |
3.8 | Ensure Private Google Access is enabled for all subnetworks in VPC Network |
3.9 | Ensure VPC Flow logs is enabled for every subnet in VPC Network |
4.1 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
4.2 | Ensure "Block Project-wide SSH keys" enabled for VM instances |
4.3 | Ensure oslogin is enabled for a Project |
4.4 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
4.5 | Ensure that IP forwarding is not enabled on Instances |
4.6 | Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
5.1 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
5.2 | Ensure that there are no publicly accessible objects in storage buckets |
5.3 | Ensure that logging is enabled for Cloud buckets |
6.1 | Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
6.2 | Ensure that Cloud SQL database Instances are not open to the world |
6.4 | Ensure that MySQL Database Instance does not allow root login from any Host |
7.1 | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
7.2 | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
7.3 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
7.4 | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
7.5 | Ensure Kubernetes Clusters are configured with Labels |
7.6 | Ensure Kubernetes web UI / Dashboard is disabled |
7.7 | Ensure Automatic node repair is enabled for Kubernetes Clusters |
7.8 | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
7.9 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
7.11 | Ensure Network policy is enabled on Kubernetes Engine Clusters |
7.12 | Ensure Kubernetes Cluster is created with Client Certificate enabled |
7.13 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
7.14 | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
7.15 | Ensure Kubernetes Cluster is created with Private cluster enabled |
7.16 | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
7.17 | Ensure default Service account is not used for Project access in Kubernetes Clusters |
7.18 | Ensure Kubernetes Clusters created with limited service account Access scopes for Project access |
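Controls 3.6 and 3.7 in the GCP table (and 6.2 in the Azure table) are the same idea against different rule formats: no enabled inbound rule may admit SSH or RDP from the whole internet. Below is an added example of that evaluation over GCP VPC firewall rules, written for this page; it is not Secberus code and does not describe how Secberus implements these checks. The rule list is constructed, shaped like the JSON that `gcloud compute firewall-rules list --format=json` emits, with only the fields the check reads; the rule and network names are made up. It goes slightly beyond the literal control text by handling port ranges, `tcp` entries with no port list, and `all`-protocol rules, all of which expose the port without the string "22" or "3389" ever appearing.

```python
"""Flag GCP VPC firewall rules that expose SSH (tcp/22) or RDP (tcp/3389) to the
internet, i.e. CIS GCP Foundations v1.0.0 controls 3.6 and 3.7. Sample rules are
constructed; the field names match gcloud's JSON output."""
import ipaddress
import json

# Constructed sample rule set (not from a real project).
SAMPLE_RULES = json.dumps([
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-corp", "network": "prod", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["198.51.100.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    # Range form: "20-25" covers 22 even though "22" never appears as a literal.
    {"name": "allow-admin-range", "network": "prod", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25", "8080"]}]},
    # tcp with no "ports" key means every TCP port.
    {"name": "allow-tcp-any", "network": "prod", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-all-internal", "network": "prod", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    # Disabled rules admit nothing and must not be reported.
    {"name": "old-allow-everything", "network": "legacy", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    # Egress rules are out of scope for these two controls.
    {"name": "egress-any", "network": "prod", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])

CONTROL_PORTS = {22: "3.6 (SSH)", 3389: "3.7 (RDP)"}


def is_internet_range(cidr):
    """The benchmark's 'internet' source is 0.0.0.0/0 (or ::/0): a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_matches(port_spec, port):
    """gcloud lists ports either as a single value ('22') or a range ('20-25')."""
    if "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        return lo <= port <= hi
    return int(port_spec) == port


def rule_exposes(rule, port):
    """True if an enabled INGRESS rule admits tcp/<port> from an internet-wide source."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not any(is_internet_range(r) for r in rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = allowed.get("ports")
        if not ports or any(port_matches(p, port) for p in ports):
            return True
    return False


def find_violations(rules_json):
    """Return {control label: [offending rule names]} for 3.6 and 3.7, in rule order."""
    rules = json.loads(rules_json)
    out = {label: [] for label in CONTROL_PORTS.values()}
    for port, label in CONTROL_PORTS.items():
        out[label] = [rule["name"] for rule in rules if rule_exposes(rule, port)]
    return out


if __name__ == "__main__":
    for label, names in find_violations(SAMPLE_RULES).items():
        print(f"{label}: {', '.join(names) or 'no violations'}")
```

Two caveats when applying this to a live project: rules with `sourceTags` or `sourceServiceAccounts` instead of `sourceRanges` are skipped here, which is correct for these two controls but means the function says nothing about them; and a pair of rules with sources `0.0.0.0/1` and `128.0.0.0/1` is just as open as `0.0.0.0/0` yet passes the prefix-length test the benchmark text implies, so a stricter check should also flag very short prefixes.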
If there is a specific requirement not included here that you would like to monitor, please email [email protected].