CIS AWS Foundations Benchmark
- Version: 5.0
- URL: https://www.cisecurity.org/benchmark/amazon_web_services
- Source of truth: pipeline_check/core/standards/data/cis_aws_foundations.py

The CI/CD-relevant subset of the CIS AWS Foundations Benchmark: IAM hardening, S3 protection, KMS hygiene, and the CloudTrail / CloudWatch logging controls that the AWS provider scans against a live account.
At a glance
- Controls in this standard: 14
- Controls evidenced by at least one check: 12 / 14
- Distinct checks evidencing this standard: 62
- Of those, autofixable with --fix: 0
Severity levels (CRITICAL / HIGH / MEDIUM / LOW / INFO) follow the same scale across every provider and standard. See How to read severity on the standards overview for the definitions.
Coverage by control
Click a control ID to jump to the per-control section with the full check list. The severity mix column shows the spread of evidencing checks by severity (Critical / High / Medium / Low / Info).
| Control | Title | Checks | Severity mix |
|---|---|---|---|
| 1.14 | Ensure access keys are rotated every 90 days or less | 4 | 4H |
| 1.16 | Ensure IAM policies that allow full `*:*` administrative privileges are not attached | 18 | 5C · 9H · 4M |
| 1.17 | Ensure a support role has been created to manage incidents with AWS Support | 0 | — |
| 2.1.1 | Ensure all S3 buckets employ encryption-at-rest | 1 | 1H |
| 2.1.2 | Ensure S3 Bucket Policy is set to deny HTTP requests | 2 | 2M |
| 2.1.4 | Ensure that S3 Buckets are configured with 'Block public access' | 1 | 1C |
| 3.1 | Ensure CloudTrail is enabled in all regions | 18 | 1H · 1M · 16I |
| 3.2 | Ensure CloudTrail log file validation is enabled | 1 | 1M |
| 3.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs | 3 | 2M · 1L |
| 3.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | 2 | 1L · 1I |
| 3.7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | 8 | 2H · 6M |
| 3.8 | Ensure rotation for customer-created symmetric CMKs is enabled | 2 | 2M |
| 4.3 | Ensure a log metric filter and alarm exist for usage of the root account | 0 | — |
| 4.16 | Ensure AWS Security Hub is enabled | 4 | 1H · 2M · 1L |
Filter at runtime
Restrict a scan to checks that evidence this standard with --standard cis_aws_foundations:
```bash
# All providers, only checks tied to this standard
pipeline_check --standard cis_aws_foundations

# Compose with --pipeline to scope by provider
pipeline_check --pipeline github --standard cis_aws_foundations

# Compose with another standard to widen the lens
pipeline_check --pipeline aws --standard cis_aws_foundations --standard owasp_cicd_top_10
```
Controls in scope
1.14: Ensure access keys are rotated every 90 days or less
Evidenced by 4 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CB-006 | CodeBuild source auth uses long-lived token | HIGH | AWS | |
| CP-004 | Legacy ThirdParty/GitHub source action (OAuth token) | HIGH | AWS | |
| IAM-007 | IAM user has access key older than 90 days | HIGH | AWS | |
| SM-001 | Secrets Manager secret has no rotation configured | HIGH | AWS | |
1.16: Ensure IAM policies that allow full `*:*` administrative privileges are not attached
Evidenced by 18 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CA-003 | CodeArtifact domain policy allows cross-account wildcard | CRITICAL | AWS | |
| CA-004 | CodeArtifact repo policy grants codeartifact:* with Resource '*' | HIGH | AWS | |
| CCM-003 | CodeCommit trigger targets SNS/Lambda in a different account | MEDIUM | AWS | |
| EB-002 | EventBridge rule has a wildcard target ARN | HIGH | AWS | |
| ECR-003 | Repository policy allows public access | CRITICAL | AWS | |
| IAM-001 | CI/CD role has AdministratorAccess policy attached | CRITICAL | AWS | |
| IAM-002 | CI/CD role has wildcard Action in attached policy | HIGH | AWS | |
| IAM-003 | CI/CD role has no permission boundary | MEDIUM | AWS | |
| IAM-004 | CI/CD role can PassRole to any role | HIGH | AWS | |
| IAM-005 | CI/CD role trust policy missing sts:ExternalId | HIGH | AWS | |
| IAM-006 | Sensitive actions granted with wildcard Resource | MEDIUM | AWS | |
| IAM-008 | OIDC-federated role trust policy missing audience or subject pin | HIGH | AWS | |
| KMS-002 | KMS key policy grants wildcard KMS actions | HIGH | AWS | |
| LMB-002 | Lambda function URL has AuthType=NONE | HIGH | AWS | |
| LMB-004 | Lambda resource policy allows wildcard principal | CRITICAL | AWS | |
| PBAC-002 | CodeBuild service role shared across multiple projects | MEDIUM | AWS | |
| PBAC-005 | CodePipeline stage action roles mirror the pipeline role | HIGH | AWS | |
| SM-002 | Secrets Manager resource policy allows wildcard principal | CRITICAL | AWS | |
1.17: Ensure a support role has been created to manage incidents with AWS Support
No checks in this scanner currently evidence this control. Open an issue if your team would value coverage.
2.1.1: Ensure all S3 buckets employ encryption-at-rest
Evidenced by 1 check across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| S3-002 | Artifact bucket server-side encryption not configured | HIGH | AWS | |
2.1.2: Ensure S3 Bucket Policy is set to deny HTTP requests
Evidenced by 2 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| S3-003 | Artifact bucket versioning not enabled | MEDIUM | AWS | |
| S3-005 | Artifact bucket missing aws:SecureTransport deny | MEDIUM | AWS | |
2.1.4: Ensure that S3 Buckets are configured with 'Block public access'
Evidenced by 1 check across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| S3-001 | Artifact bucket public access block not fully enabled | CRITICAL | AWS | |
3.1: Ensure CloudTrail is enabled in all regions
Evidenced by 18 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CA-000 | CodeArtifact API access failed | INFO | AWS | |
| CB-000 | CodeBuild API access failed | INFO | AWS | |
| CCM-000 | CodeCommit API access failed | INFO | AWS | |
| CD-000 | CodeDeploy API access failed | INFO | AWS | |
| CP-000 | CodePipeline API access failed | INFO | AWS | |
| CT-000 | CloudTrail API access failed | INFO | AWS | |
| CT-001 | No active CloudTrail trail in region | HIGH | AWS | |
| CT-003 | CloudTrail trail is not multi-region | MEDIUM | AWS | |
| CWL-000 | CloudWatch Logs API access failed | INFO | AWS | |
| EB-000 | EventBridge API access failed | INFO | AWS | |
| ECR-000 | ECR API access failed | INFO | AWS | |
| IAM-000 | IAM API access failed | INFO | AWS | |
| KMS-000 | KMS API access failed | INFO | AWS | |
| LMB-000 | Lambda API access failed | INFO | AWS | |
| PBAC-000 | PBAC enumeration failed | INFO | AWS | |
| S3-000 | S3 API access failed | INFO | AWS | |
| SM-000 | Secrets Manager API access failed | INFO | AWS | |
| SSM-000 | SSM Parameter Store API access failed | INFO | AWS | |
3.2: Ensure CloudTrail log file validation is enabled
Evidenced by 1 check across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CT-002 | CloudTrail log-file validation disabled | MEDIUM | AWS | |
3.4: Ensure CloudTrail trails are integrated with CloudWatch Logs
Evidenced by 3 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CB-003 | Build logging not enabled | MEDIUM | AWS | |
| CD-003 | No CloudWatch alarm monitoring on deployment group | MEDIUM | AWS | |
| CWL-001 | CodeBuild log group has no retention policy | LOW | AWS | |
3.6: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Evidenced by 2 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| S3-000 | S3 API access failed | INFO | AWS | |
| S3-004 | Artifact bucket access logging not enabled | LOW | AWS | |
3.7: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Evidenced by 8 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CA-001 | CodeArtifact domain has no KMS encryptionKey configured | MEDIUM | AWS | |
| CCM-002 | CodeCommit repository not encrypted with customer KMS CMK | MEDIUM | AWS | |
| CP-002 | Artifact store not encrypted with customer-managed KMS key | MEDIUM | AWS | |
| CWL-002 | CodeBuild log group not KMS-encrypted | MEDIUM | AWS | |
| ECR-005 | Repository encrypted with AES256 rather than KMS CMK | MEDIUM | AWS | |
| LMB-003 | Lambda function env vars may contain plaintext secrets | HIGH | AWS | |
| SSM-001 | SSM Parameter with secret-like name is not a SecureString | HIGH | AWS | |
| SSM-002 | SSM SecureString uses the default AWS-managed key | MEDIUM | AWS | |
3.8: Ensure rotation for customer-created symmetric CMKs is enabled
Evidenced by 2 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| KMS-001 | KMS customer-managed key has rotation disabled | MEDIUM | AWS | |
| SSM-002 | SSM SecureString uses the default AWS-managed key | MEDIUM | AWS | |
4.3: Ensure a log metric filter and alarm exist for usage of the root account
No checks in this scanner currently evidence this control. Open an issue if your team would value coverage.
4.16: Ensure AWS Security Hub is enabled
Evidenced by 4 checks across AWS.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| CW-001 | No CloudWatch alarm on CodeBuild FailedBuilds metric | LOW | AWS | |
| EB-001 | No EventBridge rule for CodePipeline failure notifications | MEDIUM | AWS | |
| ECR-001 | Image scanning on push not enabled | HIGH | AWS | |
| ECR-007 | Inspector v2 enhanced scanning disabled for ECR | MEDIUM | AWS | |
This page is generated. Edit pipeline_check/core/standards/data/cis_aws_foundations.py (mappings) or scripts/gen_standards_docs.py (intro / per-control prose) and run python scripts/gen_standards_docs.py cis_aws_foundations.