CIS AWS Benchmark v6.0.0
The Center for Internet Security (CIS) AWS Foundations Benchmark version 6.0.0 provides prescriptive guidance for establishing a secure baseline configuration of Amazon Web Services environments. This is the current version with updated controls reflecting the latest AWS security best practices and services. It is applicable to all organizations using AWS infrastructure.
Terraform Registry Subdomain: cisv600

```hcl
# Short form: registry host without scheme, with the module version pinned
module "..." {
  source  = "cisv600.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

```hcl
# Full URL form: the same module addressed as an https:// source
module "..." {
  source = "https://cisv600.compliance.tf/terraform-aws-modules/<module>/aws"
}
```
Refer to the Terraform Registry Endpoints section for more details.
Implemented Controls
The following controls are implemented as part of this framework.
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- EC2 instances should use IMDSv2
- Ensure IAM instance roles are used for AWS resource access from instances
- EFS file system encryption at rest should be enabled
- Ensure IAM password policy requires a minimum length of 14 or greater
- Ensure IAM password policy prevents password reuse
- KMS CMK rotation should be enabled
- RDS DB instance automatic minor version upgrade should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instance Multi-AZ deployment should be enabled
- RDS DB instances should prohibit public access
- S3 bucket MFA delete should be enabled
Enable/Disable Controls
You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.
Examples

S3 bucket module with CIS AWS Benchmark v6.0.0 compliance framework controls enabled, and a couple of controls disabled

```hcl
module "..." {
  source = "https://cisv600.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=cloudtrail_trail_logs_encrypted_with_kms_cmk,cloudtrail_trail_validation_enabled"
}
```
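Because every disabled control is carried in the module source string, a reviewer can inventory them across a codebase. The following is an added example (not code from compliance.tf): it parses module sources in the two shapes shown above, assuming the `disable` query parameter is a comma-separated list as in the S3 example, and reports which framework, module and disabled controls each `.tf` file pulls in. The sample HCL is constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Finds every `source = "..."` attribute in a chunk of HCL text.
SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')


@dataclass
class ComplianceSource:
    framework: str   # registry subdomain, e.g. "cisv600"
    namespace: str
    module: str
    provider: str
    disabled: list   # control identifiers passed via ?disable=


def parse_source(src):
    """Parse a compliance.tf module source; return None for any other registry."""
    url = src if "://" in src else "https://" + src   # bare-host form has no scheme
    parts = urlsplit(url)
    labels = parts.hostname.split(".") if parts.hostname else []
    if len(labels) != 3 or labels[1:] != ["compliance", "tf"]:
        return None
    path = parts.path.strip("/").split("/")
    if len(path) != 3:
        return None
    disabled = []
    for value in parse_qs(parts.query).get("disable", []):
        disabled.extend(c for c in value.split(",") if c)
    return ComplianceSource(labels[0], path[0], path[1], path[2], disabled)


def audit(hcl_text):
    """Return one ComplianceSource per compliance.tf module source found."""
    found = []
    for match in SOURCE_RE.finditer(hcl_text):
        parsed = parse_source(match.group(1))
        if parsed is not None:
            found.append(parsed)
    return found


# Constructed sample: one plain-registry module, one framework module with all
# controls on, one framework module with two controls switched off.
SAMPLE_HCL = '''
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
}
module "logs" {
  source  = "cisv600.compliance.tf/terraform-aws-modules/cloudtrail/aws"
  version = "1.0.0"
}
module "bucket" {
  source = "https://cisv600.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=cloudtrail_trail_logs_encrypted_with_kms_cmk,cloudtrail_trail_validation_enabled"
}
'''
```

Running `audit(SAMPLE_HCL)` gives two framework sources; only the `s3-bucket` one carries disabled controls, which is the list worth flagging in review.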