| # | Section | Description |
|---|---------|-------------|
| 1.1 | Answer security questions and complete contact details | Complete the contact details on the AWS account page |
| 1.2 | Answer security questions and complete contact details | Complete the security contact information on the AWS account page |
| 1.3 | Answer security questions and complete contact details | Answer the security questions on the AWS account page |
| 1.4 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that the Security Hub service is enabled, which will notify you if the root user has access keys set |
| 1.5 | Enable MFA for the root account | Manually configure MFA for the root user |
| 1.6 | Enable MFA for the root account | Use a YubiKey (or other hardware MFA device) for the root user |
| 1.7 | Manual steps | Take manual steps to complete this recommendation |
| 1.8-1.9 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to set up the IAM password policy |
| 1.10 | Configure authentication | Configure authentication using SAML or IAM |
| 1.11 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users |
| 1.12 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused credentials |
| 1.13 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no extra access keys |
| 1.14 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure that there are no unused access keys |
| 1.15 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create users and groups |
| 1.16 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure no full-access policies are attached to any groups or users |
| 1.17 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to create a support group |
| 1.18 | Use IAM roles for EC2 instances | Use Gruntwork modules to ensure EC2 instances use IAM roles for access |
| 1.19 | Clean up expired SSL/TLS certificates | Use Gruntwork modules to automatically remove expired certificates from IAM |
| 1.20 | IAM Access Analyzer | Use Gruntwork modules to enable IAM Access Analyzer across regions |
| 1.21 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure IAM users are managed centrally through the use of AWS Organizations. |
| 2.1.1-2.1.2 | S3 Buckets | Use the private-s3-bucket module |
| 2.1.3 | S3 Buckets | Use the private-s3-bucket module and follow the instructions in the README |
| 2.1.4 | Apply the account-baseline-root baseline to the root account, Apply the account-baseline-security to the security account, Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to set up your accounts. This will ensure Amazon Macie is enabled. |
| 2.1.5 | S3 Buckets | Use the private-s3-bucket module |
| 2.2.1 | Configure EBS Encryption | Use Gruntwork modules to configure AWS EBS encryption |
| 2.3.1 | Configure RDS Encryption | Use Gruntwork modules to configure AWS RDS encryption |
| 3.1-3.4 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail is enabled and configured in all regions |
| 3.5 | Apply the account-baseline-security to the security account | Use the account-baseline-security module to ensure AWS Config is enabled in all regions |
| 3.6 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure the CloudTrail S3 bucket has access logging enabled |
| 3.7 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| 3.8 | Enable key rotation for KMS keys | Use the KMS module |
| 3.9 | Create VPC flow logs | Use the Gruntwork CIS-compliant vpc service to provision VPCs with flow logs enabled |
| 3.10-3.11 | Apply the account-baseline-app to the logs account | Use the account-baseline-* modules to ensure object-level logging is enabled for S3 buckets for read and write events |
| 4.1-4.15 | Maintaining compliance by following Monitoring best practices | The CloudWatch Logs metric filters wrapper module will satisfy each recommendation |
| 5.1 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to ensure there is no public remote access |
| 5.2 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service for a secure network configuration |
| 5.3 | Maintaining compliance by following Networking best practices | Use the cloud-nuke tool to remove all default security groups |
| 5.4 | Maintaining compliance by following Networking best practices | Use the Gruntwork CIS-compliant vpc service to configure least-privilege routing by default |