CIS Controls v8.0 IG1¶

The Center for Internet Security (CIS) Controls version 8.0 is a prioritized set of actions to protect organizations from known cyber attack vectors. Implementation Group 1 (IG1) represents essential cyber defense safeguards for enterprises of all sizes with limited cybersecurity resources. Released in May 2021, this framework provides a modernized approach to foundational cybersecurity controls applicable globally across all industries.

Terraform Registry Subdomain: cisv80ig1¶

module "..." {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://cisv80ig1.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway stage logging should be enabled
• Backup plan min frequency and min retention check
• CloudFront distributions access logs should be enabled
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudTrail trail log file validation should be enabled
• Log group retention period should be at least 365 days
• DMS replication instances should not be publicly accessible
• DynamoDB table point-in-time recovery should be enabled
• Attached EBS volumes should have encryption enabled
• EC2 instance should have EBS optimization enabled
• EC2 instances should have IAM profile attached
• EC2 instances should be in a VPC
• EC2 instances should not have a public IP address
• EC2 instances should use IMDSv2
• EKS clusters endpoint should restrict public access
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and classic load balancer logging should be enabled
• EMR cluster Kerberos should be enabled
• ES domains should be in a VPC
• Elasticsearch domain should send logs to CloudWatch
• IAM password policies for users should have strong configurations
• KMS CMK rotation should be enabled
• Lambda functions should be in a VPC
• RDS DB instance backup should be enabled
• RDS DB instance encryption at rest should be enabled
• Database logging should be enabled
• RDS DB instances should prohibit public access
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift should have required maintenance settings
• Redshift clusters should prohibit public access
• S3 bucket cross-region replication should be enabled
• S3 bucket default encryption should be enabled
• S3 bucket logging should be enabled
• S3 bucket policy should prohibit public access
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 buckets with versioning enabled should have lifecycle policies configured
• S3 bucket versioning should be enabled
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SageMaker notebook instances should not have direct internet access
• VPC Security groups should only allow unrestricted incoming traffic for authorized ports
• VPC subnet auto assign public IP should be disabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with CIS Controls v8.0 IG1 compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://cisv80ig1.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_stage_logging_enabled,backup_plan_min_retention_35_days"
}