Enable Object Read Logging

Property
Language: terraform
Severity: low
Service: s3
Provider: AWS

Description

Object-level logging for S3 means recording CloudTrail data events (object-level API calls such as GetObject, PutObject and DeleteObject); a trail that records only management events sees bucket-level operations and nothing about individual objects. Enabling object-level logging helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate action on any object-level API activity within your S3 buckets using Amazon EventBridge (formerly CloudWatch Events).

Resolution

Enable object-level logging for S3 buckets: add an event_selector (or advanced_event_selector) with a data_resource of type AWS::S3::Object to the CloudTrail that covers the bucket, with read_write_type set to "ReadOnly" or "All" so that object reads are recorded.

Enable Object Write Logging

Property
Language: terraform
Severity: low
Service: s3
Provider: AWS

Description

Object-level logging for S3 means recording CloudTrail data events (object-level API calls such as PutObject, DeleteObject and PutObjectAcl); a trail that records only management events sees bucket-level operations and nothing about individual objects. Enabling object-level logging helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate action on any object-level API activity within your S3 buckets using Amazon EventBridge (formerly CloudWatch Events).

Resolution

Enable object-level logging for S3 buckets: add an event_selector (or advanced_event_selector) with a data_resource of type AWS::S3::Object to the CloudTrail that covers the bucket, with read_write_type set to "WriteOnly" or "All" so that object writes are recorded.
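The following Terraform is an added example covering both the object read and the object write rule above; it is not the rule's own code. It creates a trail whose event_selector records S3 data events for one bucket with read_write_type = "All", which satisfies both rules at once, and includes the bucket policy CloudTrail needs to deliver its log files. The bucket names, resource names and the decision to log a single bucket rather than the whole account are assumptions.

```terraform
# Added example (not the rule's own code): a CloudTrail trail that records
# object-level (data event) API activity for one S3 bucket. Bucket names and
# resource names are assumptions.

data "aws_caller_identity" "current" {}

# The bucket whose object reads and writes should be logged (assumed).
resource "aws_s3_bucket" "data" {
  bucket = "example-app-data-bucket"
}

# Destination bucket for the trail's log files (assumed).
resource "aws_s3_bucket" "trail_logs" {
  bucket = "example-cloudtrail-logs-bucket"
}

# CloudTrail needs GetBucketAcl on the log bucket and PutObject under
# AWSLogs/<account-id>/ before the trail can be created.
resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail_logs.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      },
    ]
  })
}

resource "aws_cloudtrail" "objects" {
  name                       = "s3-object-level-trail"
  s3_bucket_name             = aws_s3_bucket.trail_logs.id
  is_multi_region_trail      = true
  enable_log_file_validation = true
  depends_on                 = [aws_s3_bucket_policy.trail_logs]

  # Data events are what "object-level logging" means. "All" satisfies both the
  # read and the write rule; "ReadOnly" or "WriteOnly" would satisfy only one.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type = "AWS::S3::Object"
      # The trailing "/" scopes the selector to every object in this bucket.
      # Use ["arn:aws:s3:::"] instead to log objects in all buckets in the account.
      values = ["${aws_s3_bucket.data.arn}/"]
    }
  }
}
```

Data events are billed per event, so a selector scoped to the buckets that hold sensitive data is usually preferable to the account-wide prefix; either form satisfies the check as long as the selector's read_write_type covers the direction the rule is about.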

Enable Performance Insights to detect potential problems

Property
Language: terraform
Severity: low
Service: rds
Provider: AWS

Description

RDS instances are deployed without Performance Insights enabled, reducing the visibility into database performance metrics and activity. This omission limits the ability to detect anomalies or investigate potential security incidents.

Impact

Insufficient monitoring makes it harder to identify performance issues or suspicious activity, potentially allowing attacks or misconfigurations to go undetected and hindering effective incident response.

Resolution

Enable Performance Insights on the instance (performance_insights_enabled = true on the aws_db_instance), preferably with a customer-managed KMS key for the collected data and an explicit retention period.
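An added example of a compliant instance definition (not the rule's own code): Performance Insights turned on, its data encrypted under a customer-managed key, and the retention period set explicitly. The identifier, engine, instance class and log exports are assumptions.

```terraform
# Added example (not the rule's own code): an RDS instance with Performance
# Insights enabled. Identifier, engine, class and log exports are assumptions.

resource "aws_kms_key" "pi" {
  description         = "CMK for RDS Performance Insights data"
  enable_key_rotation = true
}

resource "aws_db_instance" "app" {
  identifier        = "example-app-db"
  engine            = "postgres"
  # Performance Insights is not available on some small burstable classes
  # (for example db.t3.micro / db.t3.small on several engines); pick one that supports it.
  instance_class    = "db.t3.medium"
  allocated_storage = 20
  username          = "appadmin"
  # Let RDS/Secrets Manager own the master password instead of the state file.
  manage_master_user_password = true
  storage_encrypted           = true
  skip_final_snapshot         = true

  # The setting this rule checks. Omitting it, or setting it to false, fails the check.
  performance_insights_enabled          = true
  performance_insights_kms_key_id       = aws_kms_key.pi.arn
  performance_insights_retention_period = 7 # days; 7 is free, longer retention is billed

  # Not required by this rule, but engine logs in CloudWatch are the other half
  # of "who did what" visibility when investigating an incident.
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}
```

Valid retention values are 7, 731, or a multiple of 31 days; a value outside that set is rejected at apply time rather than silently rounded.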

Enable the standard security center subscription tier

Property
Language: terraform
Severity: low
Service: security-center
Provider: Azure

Description

To benefit from Azure Defender (now part of Microsoft Defender for Cloud) you should use the Standard pricing tier.

Enabling Azure Defender extends the capabilities of the free tier to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.

Resolution

Enable the Standard subscription tier to benefit from Azure Defender: set tier = "Standard" on each azurerm_security_center_subscription_pricing resource (one per resource_type you want covered).
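An added example, not the rule's own code, showing the flagged configuration next to the compliant one. The set of Defender plans enabled is an assumption; pick the resource types your subscription actually runs.

```terraform
# Added example (not the rule's own code): enable the Standard tier of
# Microsoft Defender for Cloud (formerly Azure Security Center / Azure Defender)
# for a set of resource types. The plan list is an assumption.

locals {
  defender_plans = toset([
    "VirtualMachines",
    "AppServices",
    "SqlServers",
    "StorageAccounts",
    "KeyVaults",
    "Containers",
  ])
}

# Non-compliant (what the rule flags): explicitly staying on the free tier.
# resource "azurerm_security_center_subscription_pricing" "free" {
#   tier          = "Free"
#   resource_type = "VirtualMachines"
# }

# Compliant: one Standard-tier pricing resource per plan. resource_type
# defaults to "VirtualMachines" when omitted, so a single resource without it
# only covers VMs.
resource "azurerm_security_center_subscription_pricing" "standard" {
  for_each      = local.defender_plans
  tier          = "Standard"
  resource_type = each.key
}
```

The pricing tier is set per resource type, so enabling Standard for virtual machines says nothing about storage accounts or key vaults; check every plan you rely on rather than the first one that shows up green.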

Enforce Root Hardware Mfa

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS

Description

Hardware MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and for an authentication code from their AWS MFA device. Using a hardware device (a FIDO security key or a dedicated OTP token) rather than a virtual, app-based MFA removes the dependency on a phone that can be lost, traded in or compromised along with the apps on it.

Resolution

Enable hardware MFA on the root user account. Root MFA is configured by the root user in the IAM console; there is no Terraform resource that manages the root user's MFA device, so this is a control to verify against the account rather than something a .tf file can satisfy.

Enforce Root Mfa

Property
Language: terraform
Severity: critical
Service: iam
Provider: AWS

Description

MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and for an authentication code from their AWS MFA device.

When you use virtual MFA for the root user, CIS recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.

Ensure a log metric filter and alarm exist for AWS Config configuration changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.

Resolution

Create a metric filter on the CloudTrail log group that matches AWS Config API calls (StopConfigurationRecorder, DeleteDeliveryChannel, PutDeliveryChannel, PutConfigurationRecorder) and an alarm on that metric that notifies an SNS topic.

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.

Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.

Resolution

Create a metric filter on the CloudTrail log group that matches ConsoleLogin events whose additionalEventData.MFAUsed is not "Yes", and an alarm on that metric that notifies an SNS topic.

Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.

CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren’t unintentionally exposed.
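The four CloudWatch rules above (AWS Config changes, console authentication failures, console sign-in without MFA, NACL changes) all follow the same shape: a metric filter on the CloudTrail log group plus an alarm on the resulting metric. The Terraform below is an added example that implements all four with one for_each; it is not the rules' own code. It assumes an existing CloudTrail whose cloud_watch_logs_group_arn points at the log group created here, and the log group name, SNS topic and subscription address are assumptions. The filter patterns are the ones from the CIS AWS Foundations Benchmark monitoring section.

```terraform
# Added example (not the rules' own code): CIS-style metric filters and alarms
# for the four events this page describes. Assumes an existing CloudTrail that
# delivers to the log group below; names and the SNS endpoint are assumptions.

resource "aws_cloudwatch_log_group" "trail" {
  name              = "cloudtrail-logs"
  retention_in_days = 365
}

resource "aws_sns_topic" "security_alarms" {
  name = "cis-security-alarms"
}

# Email subscriptions must be confirmed out of band before notifications flow.
resource "aws_sns_topic_subscription" "security_email" {
  topic_arn = aws_sns_topic.security_alarms.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com"
}

locals {
  # Filter patterns from the CIS AWS Foundations Benchmark monitoring section.
  cis_filters = {
    config_changes = "{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }"

    console_auth_failures = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"

    # Newer benchmark revisions also require ($.userIdentity.type = "IAMUser")
    # and ($.responseElements.ConsoleLogin = "Success") to cut federated-login noise.
    console_signin_without_mfa = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"

    nacl_changes = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
  }
}

# One metric filter per pattern, each emitting a count of 1 per matching event.
resource "aws_cloudwatch_log_metric_filter" "cis" {
  for_each       = local.cis_filters
  name           = each.key
  pattern        = each.value
  log_group_name = aws_cloudwatch_log_group.trail.name

  metric_transformation {
    name      = each.key
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# One alarm per metric: fire on the first matching event in a 5-minute window.
resource "aws_cloudwatch_metric_alarm" "cis" {
  for_each            = local.cis_filters
  alarm_name          = "cis-${each.key}"
  alarm_description   = "CIS monitoring: ${each.key} observed in CloudTrail"
  namespace           = "CISBenchmark"
  metric_name         = aws_cloudwatch_log_metric_filter.cis[each.key].metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  # No matching events means no data, which is the normal, non-alarming state.
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alarms.arn]
}
```

treat_missing_data = "notBreaching" matters here: these metrics only exist when a matching event occurs, so without it the alarms would sit in INSUFFICIENT_DATA and some notification pipelines treat that transition as a page. The alarms are only as good as the trail feeding the log group, so verify that the trail's cloud_watch_logs_group_arn points at this group and that it is multi-region; otherwise NACL changes in another region never reach the filter.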