AWS Remediation Rules

The following provides guidance on how to remediate any security issues flagged by the Open Raven platform. You can find more information on rules and remediation in the AWS CIS Benchmark document. Most of the rules below include a number (e.g., "1.1", "2.2") for easy reference to that AWS CIS Benchmark document.

Each rule below is listed by name, followed by its description.

Identity and Access Management

Avoid the use of the "root" account

It is recommended that the use of the root account be avoided.

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (1.2)

It is recommended that MFA be enabled for all accounts that have a console password.

Ensure credentials unused for 90 days or greater are disabled (1.3)

It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated.

Ensure access keys are rotated every 90 days or less (1.4)

It is recommended that all access keys be regularly rotated.

Password policy complexity (1.5 to 1.11)

It is strongly recommended that your organization's password policy:

  • Requires at least one uppercase letter
  • Requires at least one lowercase letter
  • Requires at least one symbol
  • Requires at least one number
  • Has a minimum password length of 14 characters
  • Prevents password reuse
  • Expires after 90 days or less.
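The following is an added example, not part of the Open Raven page, that audits an IAM account password policy against the seven requirements above (CIS 1.5 to 1.11). It takes the dictionary returned by boto3's iam.get_account_password_policy()["PasswordPolicy"]; the sample policy is constructed so that three of the checks fail.

```python
MIN_LENGTH = 14    # CIS 1.9
MAX_AGE_DAYS = 90  # CIS 1.11

# (CIS control, IAM policy key, predicate that must hold, requirement as worded on the page)
CHECKS = [
    ("1.5", "RequireUppercaseCharacters", lambda v: v is True, "at least one uppercase letter"),
    ("1.6", "RequireLowercaseCharacters", lambda v: v is True, "at least one lowercase letter"),
    ("1.7", "RequireSymbols", lambda v: v is True, "at least one symbol"),
    ("1.8", "RequireNumbers", lambda v: v is True, "at least one number"),
    ("1.9", "MinimumPasswordLength",
     lambda v: isinstance(v, int) and v >= MIN_LENGTH, f"minimum length of {MIN_LENGTH}"),
    ("1.10", "PasswordReusePrevention",
     lambda v: isinstance(v, int) and v >= 1, "password reuse prevention"),
    ("1.11", "MaxPasswordAge",
     lambda v: isinstance(v, int) and 1 <= v <= MAX_AGE_DAYS, f"expiry within {MAX_AGE_DAYS} days"),
]

def audit_password_policy(policy):
    """Return (control, requirement) for each CIS 1.5-1.11 check the policy fails.

    IAM omits MaxPasswordAge and PasswordReusePrevention from the response when
    they are unset, so a missing key is treated as a failing control.
    """
    return [(control, requirement) for control, key, ok, requirement in CHECKS
            if not ok(policy.get(key))]

# Constructed sample, shaped like boto3's
# iam.get_account_password_policy()["PasswordPolicy"]: lowercase is not
# required, reuse prevention is unset and passwords expire only after 180 days.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,
}

if __name__ == "__main__":
    for control, requirement in audit_password_policy(SAMPLE_POLICY):
        print(f"FAIL CIS {control}: policy does not enforce {requirement}")
```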

Ensure no root account access key exists (1.12)

It is recommended that no access keys exist for the root account.

MFA for the root account (1.13 and 1.14)

It is recommended that the root account be protected with MFA.

Ensure security questions are registered in the AWS account (1.15)

It is recommended that security questions be established.

Ensure IAM policies are attached only to groups or roles (1.16)

It is recommended that IAM policies be attached to groups and roles rather than directly to users.

Maintain current contact details (1.17)

It is strongly recommended that organizations maintain contact details for more than just a single individual.

Ensure security contact information is registered (1.18)

It is recommended that security contact information be provided.

Ensure IAM instance roles are used for AWS resource access from instances (1.19)

It is recommended that instance roles are used for AWS resource access from instances.

Ensure a support role has been created to manage incidents with AWS Support (1.20)

It is recommended that a support role be created to manage incidents with AWS Support.

Do not set up access keys during initial user setup for all IAM users that have a console password (1.21)

It is recommended that access keys flagged by this audit in the AWS Management Console (keys created during initial user setup for users who have a console password) be deleted.

Ensure IAM policies that allow full administrative privileges are not created (1.22)

It is recommended and considered standard security advice to grant IAM policies based on the principle of least privilege.

Logging

Ensure CloudTrail is enabled in all regions (2.1)

It is recommended that CloudTrail is enabled in all regions.

Ensure CloudTrail log file validation is enabled (2.2)

It is recommended that file validation be enabled on all CloudTrails.

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (2.3)

It is recommended that a bucket policy or access control list (ACL) be applied to the S3 bucket that CloudTrail logs to, in order to prevent public access to the CloudTrail logs.

Ensure CloudTrail trails are integrated with CloudWatch Logs (2.4)

It is recommended that CloudTrail logs be sent to CloudWatch Logs.

Ensure AWS Config is enabled in all regions (2.5)

It is recommended that AWS Config is enabled in all regions.

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (2.6)

It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Ensure CloudTrail logs are encrypted at rest using KMS CMKs (2.7)

It is recommended that CloudTrail be configured to use SSE-KMS.

Ensure rotation for customer-created CMKs is enabled (2.8)

It is recommended that CMK key rotation be enabled.

Ensure VPC flow logging is enabled in all VPCs (2.9)

It is recommended that VPC Flow Logs be enabled for all VPCs, capturing at least rejected packets ("Rejects").

Monitoring

Ensure recommended metric filters and alarms are implemented on the multi-region CloudTrail (3.1 to 3.13)

It is strongly recommended that a metric filter and alarm be established for detecting:

  • Unauthorized API calls
  • Console logins that are not protected by MFA
  • Root login attempts
  • Changes made to Identity and Access Management (IAM) policies
  • Changes to CloudTrail's configurations
  • Failed console authentication attempts
  • Customer-created CMKs which have changed state to disabled or scheduled deletion
  • Changes to S3 buckets
  • Changes to AWS Config configuration
  • Changes made to Security Groups
  • Changes made to NACLs
  • Changes to the network
  • Changes to route tables
  • Changes made to VPCs.
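The remediation for this rule is to create CloudWatch Logs metric filters and alarms; the following added example, not part of the Open Raven page, expresses four of the CIS filter patterns (3.1 unauthorized API calls, 3.2 console logins without MFA, 3.3 root account usage, 3.5 CloudTrail configuration changes) as Python predicates and runs them over constructed CloudTrail events, which is useful for testing the logic offline before deploying the filters.

```python
import json

TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

def unauthorized_api_call(ev):  # CIS 3.1
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def console_login_without_mfa(ev):  # CIS 3.2
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def root_account_usage(ev):  # CIS 3.3: root, not acting via a service, not a service event
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")

def cloudtrail_config_change(ev):  # CIS 3.5
    return ev.get("eventName") in TRAIL_CHANGE_EVENTS

RULES = {
    "3.1 unauthorized API call": unauthorized_api_call,
    "3.2 console login without MFA": console_login_without_mfa,
    "3.3 root account usage": root_account_usage,
    "3.5 CloudTrail configuration change": cloudtrail_config_change,
}

def detect(events):
    """Return (eventID, rule name) for every rule each event matches."""
    return [(ev.get("eventID"), name)
            for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events, trimmed to the fields the rules read.
SAMPLE_EVENTS = json.loads("""[
 {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventName": "StopLogging", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventID": "e3", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "errorCode": "Client.UnauthorizedOperation"},
 {"eventID": "e4", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "additionalEventData": {"MFAUsed": "Yes"}}
]""")

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```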

Networking

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

It is recommended that no security group allows unrestricted ingress access to port 22 or port 3389.

Ensure the default security group of every VPC restricts all traffic (4.3)

It is recommended that the default security group restrict all traffic.

Ensure routing tables for VPC peering are "least access" (4.4)

It is recommended that routing tables for VPC peering are "least access" to minimize the impact of breaches.

Other Security Rules

Ensure that GuardDuty is enabled for the required regions

It is recommended that GuardDuty be enabled to provide threat detection.

Ensure there are no stale roles with attached policies for S3 access

It is recommended that stale roles be avoided, as they could cause access leakage and uncontrolled manipulation of S3 bucket data, which can lead to ransomware incidents.

Ensure all EC2 EBS volumes have snapshots

It is recommended that snapshots be created for EC2 EBS volumes to prevent data loss and simplify recovery should the data be maliciously encrypted.

Ensure all EC2 instances are managed by SSM

It is recommended that EC2 instances be configured for use with SSM to maintain security and compliance.

Ensure that SecurityHub is enabled for the required regions

It is recommended that SecurityHub be enabled for the required regions.

AWS security group allows access to known command and control destinations

It is recommended that security group rules allow only the minimum required connectivity, so that known command and control destinations cannot be reached in the event of a ransomware or botnet attack.

Ensure that the S3 bucket has the MFA option enabled for changing bucket versioning settings and permanently deleting object versions

It is recommended that S3 bucket versioning and MFA Delete are enabled.

Ensure the S3 bucket denies overriding of the default KMS key encryption

It is recommended that a bucket policy be defined that allows object modification only with the defined default KMS key, which attackers are unlikely to have permission to change or modify.
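The following is an added example, not part of the Open Raven page, of such a bucket policy together with a simplified simulation of how IAM evaluates it against PutObject requests. The bucket name and key ARN are placeholders; requests carrying no encryption headers match none of the Deny statements and so receive the bucket's default encryption, while any attempt to name a different algorithm or key is denied.

```python
BUCKET = "example-bucket"  # placeholder, not from the page
DEFAULT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
SSE = "s3:x-amz-server-side-encryption"
KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"

def deny(sid, bucket, condition):
    # One Deny statement covering PutObject on every object in the bucket.
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": condition}

def build_policy(bucket, key_arn):
    """Deny every PutObject that overrides the default key. A request with no
    SSE headers matches none of these and gets the bucket's default encryption."""
    return {"Version": "2012-10-17", "Statement": [
        # Explicit SSE-S3 (AES256) or any algorithm other than aws:kms.
        deny("DenyNonKmsEncryption", bucket,
             {"Null": {SSE: "false"}, "StringNotEquals": {SSE: "aws:kms"}}),
        # A KMS key other than the bucket's default key.
        deny("DenyOtherKmsKey", bucket,
             {"Null": {KEY_ID: "false"}, "StringNotEquals": {KEY_ID: key_arn}}),
        # aws:kms with no key id would silently select the AWS managed key instead.
        deny("DenyKmsWithoutKeyId", bucket,
             {"StringEquals": {SSE: "aws:kms"}, "Null": {KEY_ID: "true"}}),
    ]}

def condition_matches(condition, headers):
    """Subset of IAM semantics: operators and keys are ANDed; a key missing
    from the request satisfies StringNotEquals and fails StringEquals."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in headers
            if operator == "Null":
                ok = (not present) == (expected == "true")
            elif operator == "StringEquals":
                ok = present and headers[key] == expected
            elif operator == "StringNotEquals":
                ok = (not present) or headers[key] != expected
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True

def denied_by(policy, headers):
    """Sids of Deny statements matching a PutObject request with the given encryption headers."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and condition_matches(s["Condition"], headers)]

POLICY = build_policy(BUCKET, DEFAULT_KEY_ARN)
```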

Ensure that the S3 bucket restricts public access by ACL and policy

It is recommended that public access to S3 Buckets is restricted.

Ensure the S3 bucket has no server-side encryption enabled with a key from another account

It is recommended that any cross-account KMS key configured for S3 server-side encryption be removed.