
Connect to AWS Cloud

AJ Suurhoff

AWS cloud connector

 

What evidence does this connector collect?

ControlMap scans your AWS environment daily or weekly against CIS best practices, such as MFA being in use, automated backups being enabled on RDS instances, and databases being encrypted.

You can read more about these best practices in the CIS Amazon Web Services Foundations Benchmark, published on the CIS website.

 

For the complete list of evidence collected, click 'Show' next to the list of rules on the AWS integration screen in ControlMap.

 


 

How does ControlMap connect to AWS?

ControlMap connects through an IAM role in your account that carries only READ and LIST permissions, so it can enumerate and read configuration for its compliance checks but cannot change resources. The role can be created from a CloudFormation template by clicking the 'Create ControlMap role in your AWS' button on the integration screen in ControlMap. Before you deploy the template, review its trust policy and permissions policy so you know which principal is allowed to assume the role and what it is allowed to read.

Once the stack has been created, enter the ARN of the role in the ControlMap settings. The ARN is shown in the 'Outputs' tab of the CloudFormation stack.
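The review suggested above can be scripted. The following Python is an added example, not part of this article and not ControlMap's own code: it takes a role's trust policy and permissions policy (constructed sample documents here, with a placeholder account ID and external ID) and reports any allowed action that is not a Get, List or Describe action, plus any trust statement that lets an unrestricted principal assume the role or that lacks an sts:ExternalId condition. Whether ControlMap's template sets an external ID is not stated on this page; if it does not, the check will report that, and you can decide whether to accept it.

```python
import fnmatch

# Constructed sample documents, shaped like the AssumeRolePolicyDocument and the
# permissions policy a CloudFormation AWS::IAM::Role would carry. The account ID,
# external ID and action list are placeholders for this example, not values taken
# from ControlMap's template.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "iam:GenerateCredentialReport"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "rds:Describe*", "s3:GetBucket*", "s3:ListAllMyBuckets"]},
    ],
}

# Verb patterns that only read or enumerate, plus read-only actions that do not follow
# the verb convention (the credential report backs the root-key and unused-credential checks).
READ_ONLY_VERBS = ("get*", "list*", "describe*")
READ_ONLY_EXACT = {"iam:generatecredentialreport", "iam:getcredentialreport"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True when an action, wildcard included, can only read or enumerate."""
    action = action.lower()            # IAM action names are case-insensitive
    if action in READ_ONLY_EXACT:
        return True
    service, _, name = action.partition(":")
    if not name or "*" in service:     # "*" or "s3*:x": scope cannot be bounded
        return False
    # A policy wildcard such as "describe*" matches the pattern "describe*" literally,
    # while "*" or "put*" does not.
    return any(fnmatch.fnmatchcase(name, verb) for verb in READ_ONLY_VERBS)


def non_read_only_actions(policy):
    """Actions in Allow statements that can change state (or cannot be shown read-only)."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:        # allow-everything-except is effectively unbounded
            flagged.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not _is_read_only(action):
                flagged.append(action)
    return flagged


def trust_policy_issues(policy):
    """Who may assume the role: expect a named principal and an sts:ExternalId condition."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            issues.append("any AWS principal may assume the role")
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            issues.append("no sts:ExternalId condition (confused-deputy protection)")
    return issues


if __name__ == "__main__":
    print("non-read-only actions:", non_read_only_actions(SAMPLE_PERMISSIONS_POLICY))
    print("trust policy issues:", trust_policy_issues(SAMPLE_TRUST_POLICY))
```

To run it against the real template, paste the two policy documents from the CloudFormation stack into the sample dictionaries (or load them with json.load) before deploying. Anything the script flags is something the role can do beyond reading, and is worth asking the vendor about.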

 

What compliance checks does this connector perform?

  1. Avoid the use of the "root" account
  2. Ensure IAM password policy prevents password reuse
  3. Ensure IAM password policy expires passwords within 90 days or less
  4. Ensure no root account access key exists
  5. Ensure MFA is enabled for the "root" account
  6. Ensure hardware MFA is enabled for the "root" account
  7. Ensure IAM policies are attached only to groups or roles
  8. Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  9. Ensure a support role has been created to manage incidents with AWS Support
  10. Ensure IAM policies that allow full "*:*" administrative privileges are not created
  11. Ensure credentials unused for 90 days or greater are disabled
  12. Ensure access keys are rotated every 90 days or less
  13. Ensure IAM password policy requires at least one uppercase letter
  14. Ensure IAM password policy requires at least one lowercase letter
  15. Ensure IAM password policy requires at least one symbol
  16. Ensure IAM password policy requires at least one number
  17. Ensure IAM password policy requires minimum length of 14 or greater
  18. Ensure CloudTrail is enabled in all regions
  19. Ensure CloudTrail log file validation is enabled
  20. Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  21. Ensure CloudTrail trails are integrated with CloudWatch Logs
  22. Ensure AWS Config is enabled in all regions
  23. Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  24. Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  25. Ensure rotation for customer created CMKs is enabled
  26. Ensure VPC flow logging is enabled in all VPCs
  27. Ensure a log metric filter and alarm exist for unauthorized API calls
  28. Ensure a log metric filter and alarm exist for security group changes
  29. Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
  30. Ensure a log metric filter and alarm exist for changes to network gateways
  31. Ensure a log metric filter and alarm exist for route table changes
  32. Ensure a log metric filter and alarm exist for VPC changes
  33. Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
  34. Ensure a log metric filter and alarm exist for usage of "root" account
  35. Ensure a log metric filter and alarm exist for IAM policy changes
  36. Ensure a log metric filter and alarm exist for CloudTrail configuration changes
  37. Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  38. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
  39. Ensure a log metric filter and alarm exist for S3 bucket policy changes
  40. Ensure a log metric filter and alarm exist for AWS Config configuration changes
  41. Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
  42. Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
  43. Ensure the default security group of every VPC restricts all traffic
  44. Ensure all client databases are encrypted
  45. Ensure all customer S3 buckets are encrypted
  46. Automatic backups are enabled on the databases
  47. Backup plan module is enabled for databases
  48. Backups are retained for at least 14 days
  49. Backups are distributed and present in a different zone
  50. Redshift cluster has automated backups enabled
  51. Redshift cluster has retention period more than 14 days
  52. Redshift cluster has audit logging enabled
  53. Redshift cluster has encryption enabled
  54. Redshift cluster is not publicly available
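To make a few of the listed checks concrete, here is an added Python example (not part of this article and not ControlMap's scanner) that evaluates items 2, 3 and 13 to 17 against a password policy, and items 41 to 43 against security groups. The inputs are constructed responses shaped like what boto3 returns from iam.get_account_password_policy() and ec2.describe_security_groups(); the group and VPC IDs are made up. The threshold of 24 remembered passwords for item 2 is the CIS benchmark value, which the list above does not spell out.

```python
# Constructed sample responses, shaped like what boto3 returns from
# iam.get_account_password_policy() and ec2.describe_security_groups().
# Group IDs, VPC IDs and policy values are made up for this example.
SAMPLE_PASSWORD_POLICY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": False,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": False,
        "PasswordReusePrevention": 5,
    }
}

SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        # default group that still allows all egress: fails check 43
        {"GroupId": "sg-0a1b2c3d4e5f00001", "GroupName": "default", "VpcId": "vpc-0a1b2c3d4e5f00001",
         "IpPermissions": [],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        # SSH from anywhere: fails check 41
        {"GroupId": "sg-0a1b2c3d4e5f00002", "GroupName": "bastion", "VpcId": "vpc-0a1b2c3d4e5f00001",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
         "IpPermissionsEgress": []},
        # all protocols from any IPv6 source: reaches 22 and 3389, fails 41 and 42
        {"GroupId": "sg-0a1b2c3d4e5f00003", "GroupName": "wide-open", "VpcId": "vpc-0a1b2c3d4e5f00002",
         "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
         "IpPermissionsEgress": []},
        # SSH only from a private range: passes
        {"GroupId": "sg-0a1b2c3d4e5f00004", "GroupName": "app", "VpcId": "vpc-0a1b2c3d4e5f00002",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
         "IpPermissionsEgress": []},
        # default group with no rules at all: passes
        {"GroupId": "sg-0a1b2c3d4e5f00005", "GroupName": "default", "VpcId": "vpc-0a1b2c3d4e5f00002",
         "IpPermissions": [], "IpPermissionsEgress": []},
    ]
}

ADMIN_PORTS = (22, 3389)               # checks 41 and 42
ANYWHERE = {"0.0.0.0/0", "::/0"}


def password_policy_findings(response):
    """Checks 2, 3 and 13-17 as (item number, message); no policy at all fails every one."""
    p = response.get("PasswordPolicy") or {}
    checks = [
        (2, "password reuse not prevented (PasswordReusePrevention below 24)",
         p.get("PasswordReusePrevention", 0) >= 24),
        (3, "passwords do not expire within 90 days",
         p.get("ExpirePasswords", False) and 1 <= p.get("MaxPasswordAge", 0) <= 90),
        (13, "uppercase letter not required", p.get("RequireUppercaseCharacters", False)),
        (14, "lowercase letter not required", p.get("RequireLowercaseCharacters", False)),
        (15, "symbol not required", p.get("RequireSymbols", False)),
        (16, "number not required", p.get("RequireNumbers", False)),
        (17, "minimum length below 14", p.get("MinimumPasswordLength", 0) >= 14),
    ]
    return [(item, msg) for item, msg, ok in checks if not ok]


def _from_anywhere(rule):
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _covers_port(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":                  # all protocols and all ports
        return True
    if proto not in ("tcp", "udp"):    # icmp and friends carry no port
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_admin_ports(response):
    """(group id, port) pairs where an ingress rule from 0.0.0.0/0 or ::/0 reaches 22 or 3389."""
    findings = set()
    for sg in response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if _from_anywhere(rule):
                findings.update((sg["GroupId"], port) for port in ADMIN_PORTS if _covers_port(rule, port))
    return sorted(findings)


def permissive_default_groups(response):
    """Check 43: the default group of each VPC should carry no ingress or egress rules."""
    return [sg["GroupId"] for sg in response["SecurityGroups"]
            if sg.get("GroupName") == "default"
            and (sg.get("IpPermissions") or sg.get("IpPermissionsEgress"))]
```

Against a live account, run the security-group functions once per region (security groups are regional and describe_security_groups is paginated), and treat iam's NoSuchEntityException from get_account_password_policy as the "no policy set" case by passing an empty dict, which fails all seven password checks.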

 

 
