CIS Benchmark version 1.4.0 is Now Available in the Compliance Module
Stax now supports the Center for Internet Security's Amazon Web Services Foundations Benchmark version 1.4.0. Version 1.4.0 makes the following changes relative to the previous version, 1.3.0:
Three new rules were added to the Benchmark:
- 2.1.3: Ensure MFA Delete is enabled on S3 buckets
- 2.1.4: Ensure all data in Amazon S3 has been discovered, classified and secured when required (this rule cannot be checked automatically by Stax; see the manual items below)
- 2.3.1: Ensure that encryption is enabled for RDS instances
One rule changed category:
- 2.1.5: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' was moved from Identity and Access Management (where it was numbered 1.20 in version 1.3.0) to Storage.
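The two new rules that can be checked automatically, 2.1.3 and 2.3.1, each reduce to a single field in the JSON that the AWS CLI returns from `aws s3api get-bucket-versioning` and `aws rds describe-db-instances`. The following is an added example of that check logic; it is not Stax's Rule Bundle nor CIS's own audit procedure. The bucket and instance names are invented, and the response documents are constructed here so the script runs offline; in practice you would feed it the real CLI output. It goes slightly beyond the rule text by treating a bucket whose versioning is Suspended as failing 2.1.3 (MFA Delete only protects object versions, which a suspended bucket no longer creates) and by treating a missing `StorageEncrypted` key as a failure rather than a pass.

```python
import json
from typing import Dict, List

# Constructed sample data shaped like the AWS CLI output the audit steps rely on:
#   aws s3api get-bucket-versioning --bucket <name>
#   aws rds describe-db-instances
# Bucket and instance names are invented for illustration; nothing here is real account data.
SAMPLE_BUCKET_VERSIONING = {
    "audit-logs": '{"Status": "Enabled", "MFADelete": "Enabled"}',
    "app-assets": '{"Status": "Enabled", "MFADelete": "Disabled"}',
    "release-artifacts": '{"Status": "Suspended", "MFADelete": "Enabled"}',
    "scratch": "",  # the CLI prints nothing at all when versioning was never configured
}

SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "analytics-replica"},  # key absent: treated as unencrypted
    ]
})


def mfa_delete_enabled(versioning_json: str) -> bool:
    """CIS 2.1.3: pass only when versioning is Enabled and MFADelete is Enabled.

    An empty response means versioning was never turned on, so MFA Delete cannot be on either.
    A Suspended bucket is counted as failing (example's choice): MFA Delete protects object
    versions, and a suspended bucket stops creating them.
    """
    if not versioning_json.strip():
        return False
    cfg = json.loads(versioning_json)
    return cfg.get("Status") == "Enabled" and cfg.get("MFADelete") == "Enabled"


def storage_encrypted(instance: dict) -> bool:
    """CIS 2.3.1: pass only when StorageEncrypted is literally true; a missing key is a failure."""
    return instance.get("StorageEncrypted") is True


def audit(buckets: Dict[str, str], describe_db_instances_json: str) -> Dict[str, List[str]]:
    """Return the names of failing resources keyed by CIS rule ID (sorted for stable output)."""
    failing_buckets = sorted(
        name for name, versioning in buckets.items() if not mfa_delete_enabled(versioning)
    )
    instances = json.loads(describe_db_instances_json)["DBInstances"]
    failing_dbs = sorted(
        i["DBInstanceIdentifier"] for i in instances if not storage_encrypted(i)
    )
    return {"2.1.3": failing_buckets, "2.3.1": failing_dbs}


if __name__ == "__main__":
    for rule, names in audit(SAMPLE_BUCKET_VERSIONING, SAMPLE_DESCRIBE_DB_INSTANCES).items():
        print(f"{rule}: {'PASS' if not names else 'FAIL ' + ', '.join(names)}")
```

Two remediation caveats worth knowing before acting on the failures this reports: MFA Delete cannot be switched on from the console; it is set with `aws s3api put-bucket-versioning` passing `--mfa "<device-serial> <code>"` while authenticated as the account's root user with its MFA device. And an existing RDS instance cannot be encrypted in place; the path is to snapshot it, copy the snapshot with encryption enabled, and restore from the encrypted copy.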
The Rule Bundle cannot validate all components of the Benchmark, so the following items must be evaluated manually:
- 1.1: Maintain current contact details
- 1.2: Ensure security contact information is registered
- 1.3: Ensure security questions are registered in the AWS account
- 1.18: Ensure IAM instance roles are used for AWS resource access from instances
- 1.21: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- 2.1.4: Ensure all data in Amazon S3 has been discovered, classified and secured when required
- 5.4: Ensure routing tables for VPC peering are "least access"
To enable this new version of the Bundle, see Keep Bundles Up To Date. If you have automatic updates enabled, no action is required.