// Level 3 · Controls
AWS
CIS Amazon Web Services Foundations Benchmark
| ID | Severity | Control | Rationale |
|---|---|---|---|
| 1.4 | Critical | Ensure no 'root' user account access key exists | Root keys should not exist; use IAM users. |
| 1.5 | Critical | Ensure MFA is enabled for the 'root' user account | Protect root with MFA. |
| 1.6 | High | Ensure hardware MFA is enabled for the 'root' user account | Hardware MFA for root in production. |
| 1.8 | Medium | Ensure IAM password policy requires minimum length of 14 or greater | Strong password policy. |
| 1.10 | High | Ensure multi-factor authentication is enabled for all IAM users with console password | MFA for all console users. |
| 1.12 | Medium | Ensure credentials unused for 45 days or greater are disabled | Reduce credential exposure. |
| 1.14 | Medium | Ensure access keys are rotated every 90 days or less | Limit blast radius of leaked keys. |
| 1.20 | High | Ensure that IAM Access analyzer is enabled for all regions | Detect unintended public/cross-account access. |
| 2.1.1 | High | Ensure S3 Bucket Policy is set to deny HTTP requests | Force HTTPS for S3. |
| 2.1.2 | High | Ensure MFA Delete is enabled on S3 buckets | Prevent accidental/malicious deletion. |
| 2.1.5 | Critical | Ensure that S3 Buckets are configured with 'Block public access' | Prevent public S3 exposure by default. |
| 3.1 | Critical | Ensure CloudTrail is enabled in all regions | Centralised audit log of API calls. |
| 3.2 | High | Ensure CloudTrail log file validation is enabled | Detect tampering with audit logs. |
| 3.6 | High | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Audit access to the audit log bucket itself. |
| 3.9 | Medium | Ensure VPC flow logging is enabled in all VPCs | Network-level forensics. |
| 3.10 | Medium | Ensure that Object-level logging for write events is enabled for S3 bucket | Capture S3 object writes for forensics. |
| 4.1 | Critical | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Block global SSH access. |
| 4.2 | Critical | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Block global RDP access. |
| 4.3 | High | Ensure VPC default security group restricts all traffic | Default SG should be a deny-all. |
| 5.1 | High | Ensure that EBS volume encryption is enabled | Encrypt block storage at rest. |