CIS Amazon Web Services Foundations Benchmark v2.0
Center for Internet Security benchmark for Amazon Web Services. Controls covering identity and access management (IAM), storage, logging, monitoring, and networking.
Ensure MFA is enabled for the root account
The root user has unrestricted access to every resource in the account, so an MFA device must be enabled for it (a hardware device is preferred; see the hardware MFA control below).
Ensure MFA is enabled for all IAM users with console access
All IAM users who have console access must have MFA enabled.
Ensure access keys are rotated within 90 days
IAM access keys must be rotated at least every 90 days.
Ensure no root account access keys exist
The root user should have no access keys at all; delete any that exist and use IAM roles for programmatic access instead.
Ensure S3 buckets are not publicly accessible
S3 buckets should have Block Public Access enabled so that neither bucket policies nor ACLs can grant public access.
Ensure S3 bucket logging is enabled
Server access logging should be enabled on all S3 buckets for audit trail.
Ensure CloudTrail is enabled in all regions
At least one multi-region trail that includes global service events must be enabled and logging, so that API activity in every region, including regions not in use, is captured.
Ensure no security groups allow unrestricted SSH
Security groups should not allow ingress to SSH (TCP port 22) from 0.0.0.0/0 or ::/0.
Ensure no security groups allow unrestricted RDP
Security groups should not allow ingress to RDP (TCP port 3389) from 0.0.0.0/0 or ::/0.
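The two security-group controls above are easy to check wrongly: scanners that compare FromPort to 22 or 3389 miss all-traffic rules (IpProtocol "-1") and wide port ranges that happen to include an admin port, and IPv6 (::/0) is often forgotten. The check below is an added example, not code from the CIS benchmark or any AWS tool; SAMPLE_GROUPS mirrors the shape of boto3's ec2 describe_security_groups() response and is constructed sample data, not real account output.

```python
"""Flag security-group ingress rules that expose SSH or RDP to the internet.

Added example, not part of the CIS benchmark or of any AWS tool. SAMPLE_GROUPS
mirrors the shape of boto3's ec2 describe_security_groups() response and is
constructed sample data, not real account output.
"""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _covers_port(perm, port):
    """True if an IpPermission entry reaches `port`.

    "-1" is the all-traffic protocol and matches everything; for tcp/udp the
    rule matches when `port` lies inside FromPort..ToPort.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _world_sources(perm):
    """Source ranges that cover the whole internet (0.0.0.0/0 or ::/0)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    # A prefix length of 0 is the only way to express "everything" in either family.
    return [c for c in cidrs if c and ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_open_admin_ports(security_groups):
    """Return (GroupId, service, source CIDR) tuples for SSH/RDP open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue
            for port, service in ADMIN_PORTS.items():
                if _covers_port(perm, port):
                    findings.extend((sg["GroupId"], service, c) for c in sources)
    return findings


# Constructed sample data (fictional group IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0f1e2d3c4b5a69788", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # A wide ephemeral range quietly includes 3389; scanners that only look
        # for FromPort == 22 or 3389 miss this.
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for group_id, service, cidr in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {cidr}")
```

Against real data, replace SAMPLE_GROUPS with the "SecurityGroups" list from describe_security_groups(); the 443 rule is left alone because the control is about remote administration ports, not about public ingress in general.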
Ensure VPC Flow Logs are enabled
VPC Flow Logs must be enabled for network traffic monitoring and forensic analysis.
Ensure RDS instances are not publicly accessible
RDS database instances should not be publicly accessible from the internet.
Ensure RDS instances have encryption enabled
RDS database instances must have encryption at rest enabled.
Ensure EC2 instances use IMDSv2
Instance Metadata Service v2 (IMDSv2) must be required (HttpTokens set to required) so that an SSRF or open proxy in a workload cannot retrieve the instance role's credentials with a plain GET request.
Root user access keys deleted
Ensure no AWS account root user access keys exist.
Hardware MFA on root account
Use hardware MFA (YubiKey or equivalent FIDO2) on AWS root account.
Password Policy length requirement
The IAM password policy requires a minimum length of 14 characters and complexity.
Disable inactive access keys
Disable IAM access keys unused for 45+ days.
Restrict full admin policies
No IAM policy granting full administrative privileges ("Action": "*" on "Resource": "*") is attached to users.
S3 Block Public Access — Account-level
Block Public Access settings enabled at the AWS account level.
S3 Server-Side Encryption enforced
S3 buckets have default server-side encryption (SSE-S3 or SSE-KMS) configured.
S3 Object Lock for compliance retention
Enable S3 Object Lock for buckets requiring retention (CloudTrail, backups, audit logs).
S3 bucket access logging on CloudTrail target
S3 bucket access logging enabled on the S3 bucket receiving CloudTrail logs.
CloudTrail logs encrypted with KMS CMK
CloudTrail logs encrypted at rest using customer-managed KMS keys (CMK).
S3 Object Lock on CloudTrail bucket
S3 Object Lock enabled on CloudTrail logs bucket for tamper-resistant retention.
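The CloudTrail controls (multi-region trail, KMS-encrypted log files, access logging and Object Lock on the destination bucket) are best judged together, since a trail that is not logging or a bucket anyone can rewrite undoes the rest. The checker below is an added example, not code from the CIS benchmark or any AWS tool. Each trail record merges the fields of boto3's cloudtrail describe_trails() and get_trail_status() responses, and each bucket record merges s3 get_bucket_logging() and get_object_lock_configuration(); TRAILS and BUCKETS are constructed data for a fictional account. It also adds one check the page does not state explicitly: Object Lock in GOVERNANCE mode is flagged, because a principal holding s3:BypassGovernanceRetention can still delete the logs.

```python
"""Check CloudTrail trails and their destination buckets against the logging controls.

Added example, not from the CIS benchmark or an AWS tool. TRAILS merges the
fields of cloudtrail describe_trails() and get_trail_status(); BUCKETS merges
s3 get_bucket_logging() and get_object_lock_configuration(). Both are
constructed sample data for a fictional account.
"""

TRAILS = [
    {   # organisation-wide trail: configured the way the controls want
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-0000-4e5f-8a9b-000000000001",
        "S3BucketName": "acme-cloudtrail-logs",
        "IsLogging": True,
    },
    {   # single-region trail left over from a migration, stopped and unencrypted
        "Name": "legacy-us-west-2",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "acme-old-trail",
        "IsLogging": False,
    },
]

BUCKETS = {
    "acme-cloudtrail-logs": {
        "LoggingEnabled": {"TargetBucket": "acme-s3-access-logs", "TargetPrefix": "cloudtrail/"},
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}},
        },
    },
    "acme-old-trail": {},  # no access logging, no Object Lock
}


def account_findings(trails):
    """Account-level control: at least one multi-region trail with global events that is logging."""
    ok = any(t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents") and t.get("IsLogging")
             for t in trails)
    return [] if ok else ["no_active_multi_region_trail"]


def trail_findings(trail, buckets):
    """Per-trail controls plus the controls on the bucket the trail writes to."""
    issues = []
    if not trail.get("IsLogging"):
        issues.append("not_logging")
    if not trail.get("LogFileValidationEnabled"):
        issues.append("log_file_validation_disabled")
    if not trail.get("KmsKeyId"):
        issues.append("not_kms_encrypted")
    bucket = buckets.get(trail["S3BucketName"], {})
    if "LoggingEnabled" not in bucket:
        issues.append("bucket_access_logging_disabled")
    lock = bucket.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        issues.append("bucket_object_lock_disabled")
    elif lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed with s3:BypassGovernanceRetention.
        issues.append("object_lock_not_compliance_mode")
    return issues


def evaluate_trails(trails, buckets):
    report = {"account": account_findings(trails)}
    for t in trails:
        report[t["Name"]] = trail_findings(t, buckets)
    return report


if __name__ == "__main__":
    for scope, issues in evaluate_trails(TRAILS, BUCKETS).items():
        print(f"{scope}: {', '.join(issues) or 'pass'}")
```

describe_trails() returns trails for the calling region only unless includeShadowTrails is left at its default of true, so run it once per region or rely on the shadow entries when collecting real input.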
VPC Flow Logs enabled
VPC Flow Logs enabled on all VPCs for network traffic visibility.
RDS encryption at rest
All RDS instances encrypted at rest using KMS-managed keys.
RDS not publicly accessible
RDS instances not configured as publicly accessible (private subnets only).
DynamoDB encryption with KMS CMK
DynamoDB tables encrypted at rest using customer-managed KMS keys.
Disable credentials unused for 45 days
Disable IAM user credentials (password + access keys) unused for 45+ days.
Single active access key per user
Each IAM user has at most one active access key.
Access keys rotated within 90 days
All IAM access keys rotated at least every 90 days.
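The IAM credential controls listed on this page (MFA for console users, no root access keys, key rotation within 90 days, credentials unused for 45 days, at most one active key per user) all come out of a single artifact, the IAM credential report. The evaluator below is an added example, not code from the CIS benchmark or any AWS tool. A real report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report` (a base64-encoded CSV); SAMPLE_REPORT is a constructed excerpt that keeps only the columns these checks read, and NOW is pinned to a fixed date so the result is reproducible. Two edge cases the raw report forces you to handle are shown: the root row reports password_enabled as not_supported, and a never-used password or key has no last-used timestamp and must be aged from its creation or rotation time instead.

```python
"""Evaluate an IAM credential report against the IAM user-credential controls.

Added example, not part of the CIS benchmark or of any AWS tool. SAMPLE_REPORT
is a constructed excerpt of a credential report with only the columns these
checks read; NOW is pinned so the result is reproducible.
"""
import csv
import io
from datetime import datetime, timezone

NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)   # use datetime.now(timezone.utc) for real runs
KEY_MAX_AGE_DAYS = 90     # access keys rotated within 90 days
UNUSED_MAX_DAYS = 45      # credentials unused for 45 days get disabled

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-04-02T09:11:45+00:00,not_supported,2024-01-10T08:00:00+00:00,true,true,2022-03-01T12:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-14T10:30:00+00:00,true,2024-03-01T14:22:10+00:00,false,true,2024-01-15T09:00:00+00:00,2024-03-01T14:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-08-01T11:00:00+00:00,false,N/A,false,true,2023-09-01T10:00:00+00:00,2024-02-28T16:05:00+00:00,true,2024-02-01T10:00:00+00:00,2024-03-01T07:45:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-02-20T08:00:00+00:00,false,N/A,false,true,2024-01-20T10:00:00+00:00,N/A,false,N/A,N/A
dave,arn:aws:iam::123456789012:user/dave,2023-06-01T09:00:00+00:00,true,no_information,true,false,N/A,N/A,false,N/A,N/A
"""


def _age_days(value):
    """Days between NOW and a report timestamp; the report's N/A-style markers give None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return (NOW - datetime.fromisoformat(value)).days


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_report(rows):
    """Map each control to the sorted list of users that fail it."""
    findings = {
        "root_access_keys": [],
        "console_user_without_mfa": [],
        "key_older_than_90_days": [],
        "credential_unused_45_days": [],
        "multiple_active_keys": [],
    }
    for row in rows:
        user = row["user"]
        active_keys = [
            (row[f"access_key_{n}_last_rotated"], row[f"access_key_{n}_last_used_date"])
            for n in (1, 2) if row[f"access_key_{n}_active"] == "true"
        ]
        if user == "<root_account>":
            # Root has its own control; the remaining checks are scoped to IAM users.
            if active_keys:
                findings["root_access_keys"].append(user)
            continue

        has_password = row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings["console_user_without_mfa"].append(user)
        if len(active_keys) > 1:
            findings["multiple_active_keys"].append(user)

        unused = False
        if has_password:
            # A password never used since creation reports no_information; age it from creation.
            age = _age_days(row["password_last_used"])
            if age is None:
                age = _age_days(row["user_creation_time"])
            unused = age is not None and age > UNUSED_MAX_DAYS
        for rotated, last_used in active_keys:
            rotation_age = _age_days(rotated)
            if rotation_age is not None and rotation_age > KEY_MAX_AGE_DAYS:
                findings["key_older_than_90_days"].append(user)
            use_age = _age_days(last_used)
            if use_age is None:          # key never used: age it from its creation/rotation
                use_age = rotation_age
            if use_age is not None and use_age > UNUSED_MAX_DAYS:
                unused = True
        if unused:
            findings["credential_unused_45_days"].append(user)
    return {name: sorted(set(users)) for name, users in findings.items()}


if __name__ == "__main__":
    for control, users in evaluate_report(parse_report(SAMPLE_REPORT)).items():
        print(f"{control}: {', '.join(users) or 'pass'}")
```

With the pinned NOW, bob fails both the rotation and the single-key controls, ci-deploy fails the inactivity control on a key that was created 49 days ago and never used, and dave fails it on a password that has never been used since the user was created.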
IAM policies attached to groups/roles, not users
IAM policies attached to groups or roles rather than individual users.
S3 Versioning enabled
S3 buckets have versioning enabled.
EBS encryption by default
EBS encryption enabled by default for all new volumes in a region.
AWS Support role created
Dedicated IAM role for AWS Support access exists with AWSSupportAccess managed policy.