General Cloud Custodian rules that can enforce benchmarks

```bash
python3 -m venv custodian
source custodian/bin/activate
pip install c7n
```
- Configure AWS credentials
- Create a role with an attached policy granting the following permissions:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CustodianLambdaPermissions",
        "Effect": "Allow",
        "Action": [
          "cloudwatch:PutMetricData",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "ec2:CreateNetworkInterface",
          "events:PutRule",
          "events:PutTargets",
          "iam:PassRole",
          "lambda:CreateFunction",
          "lambda:TagResource",
          "lambda:CreateEventSourceMapping",
          "lambda:UntagResource",
          "lambda:PutFunctionConcurrency",
          "lambda:DeleteFunction",
          "lambda:UpdateEventSourceMapping",
          "lambda:InvokeFunction",
          "lambda:UpdateFunctionConfiguration",
          "lambda:UpdateAlias",
          "lambda:UpdateFunctionCode",
          "lambda:AddPermission",
          "lambda:DeleteAlias",
          "lambda:DeleteFunctionConcurrency",
          "lambda:DeleteEventSourceMapping",
          "lambda:RemovePermission",
          "lambda:CreateAlias",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:CreateLogGroup"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
- Name the role as you prefer. If you name it `custodian`, you will not need to replace the role name in the rules.
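As an added example (not one of this repository's rule files), the following policy file implements two of the rules catalogued below using the role created above: the periodic check that disables IAM access keys older than 90 days, and the event-driven termination of EC2 instances launched with a public IP address. The role ARN relies on Cloud Custodian's `{account_id}` substitution and assumes the role is named `custodian`; the `access-key`/`remove-keys` and `value`/`terminate` filter and action types are Cloud Custodian's own, but confirm them against your installed version with `custodian schema aws.iam-user` and `custodian schema aws.ec2`.

```yaml
# Added example policy file (custodian-examples.yml); not part of this repository.
# Assumes the IAM role created in the setup steps is named "custodian".
policies:

  # Periodic rule: a Lambda deployed with the custodian role runs daily and
  # disables active IAM access keys whose CreateDate is more than 90 days old.
  - name: iam-disable-keys-older-than-90-days
    resource: aws.iam-user
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::{account_id}:role/custodian
    filters:
      - type: access-key
        key: Status
        value: Active
      - type: access-key
        key: CreateDate
        value_type: age
        op: greater-than
        value: 90
    actions:
      - type: remove-keys
        disable: true   # disable rather than delete, so the owner can still rotate
        age: 90

  # Event rule: a Lambda deployed with the custodian role reacts to the
  # RunInstances CloudTrail event and terminates any instance that received
  # a public IP address.
  - name: ec2-terminate-public-on-launch
    resource: aws.ec2
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/custodian
      events:
        - RunInstances
    filters:
      - type: value
        key: PublicIpAddress
        value: not-null
    actions:
      - type: terminate
        force: true     # also clears termination protection
```

Run `custodian validate custodian-examples.yml` to check the file against the schema before `custodian run -s out custodian-examples.yml`, which deploys both policies as Lambda functions under the `custodian` role; execution logs and matched resources are written under `out/`.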
AWS Service | Rule Name | Description | Actions (if available) |
---|---|---|---|
VPC | VPC Flow Logs - S3 | Checks VPCs for flow logs | Enforces VPC flow logs for the VPC, delivered to the configured S3 bucket |
VPC | VPC Flow Logs - CloudWatch | Checks VPCs for flow logs | Enforces VPC flow logs for the VPC, delivered to a CloudWatch Logs group |
VPC | VPC endpoint checks for S3 and KMS | If the organization uses VPC endpoints, checks for S3 and KMS endpoints being used without Private DNS enabled | N/A |

AWS Service | Rule Name | Description |
---|---|---|
VPC | VPC Flow Logs S3 / VPC Flow Logs CloudWatch | Checks VPCs for flow logs and automates the enforcement |
IAM | Disable IAM keys older than 90 days | Checks for IAM access keys older than 90 days and disables them |
IAM | Full-permissions policy being used | Checks for IAM policies granting full permissions that are in use |
EC2 | Terminate public instance when launched | Checks for EC2 instances launched with a public IP address via CloudWatch Events |
RDS | Terminate public and unencrypted RDS instance | Terminates RDS instances that are publicly accessible and unencrypted via CloudWatch Events |

AWS Service | Rule Name | Description |
---|---|---|
RDS | Mandatory RDS tags | Checks for mandatory tags, i.e. classification, costcenter, project |
EC2 | Mandatory EC2 tags | Checks for mandatory tags, i.e. classification, costcenter, project |
RDS | Benchmark checks for confidential RDS instance | Checks for RDS instances classified as confidential that do not implement the required practices |
EC2 | Benchmark checks for confidential EC2 instance | Checks EC2 instances classified as confidential against best practices |
EC2 | Benchmark checks for public EC2 instance | Checks for public EC2 instances |
S3 | Benchmarks for log S3 buckets | Checks log buckets against best practices |
S3 | Benchmarks for confidential S3 buckets | Checks confidential buckets against best practices |
S3 | Benchmarks for general S3 buckets | Checks general S3 buckets against best practices |
Section 9: Access Control

AWS Service | Rule Name | Description |
---|---|---|
IAM | Disable keys older than 90 days | Automatically disables IAM access keys older than 90 days |
IAM | Checks for policy used with full AWS access | Identifies policies in use that grant full AWS access |
IAM | Checks for IAM users with privileged access to permissions management | Identifies users with access to change permissions |
SG | Checks for security groups allowing SSH and RDP ports | Identifies security groups that allow 0.0.0.0/0 access to SSH and RDP |
S3 | Checks for S3 buckets against our best practices | Identifies S3 buckets violating our best practices |
KMS | Checks for KMS keys with cross-region use and a high grant count | Identifies KMS keys violating best practice and enables key rotation if it is disabled |
IAM | Checks for users with privileged EC2 access | Identifies users with privileged EC2 access |
IAM | Checks for users with privileged RDS access | Identifies users with privileged RDS access |
Cryptography

AWS Service | Rule Name | Description |
---|---|---|
KMS | Check for non-CMK keys | Checks for non-CMK keys in use |
KMS | Check for ViaService statement being used | Checks whether the ViaService condition is being used |
KMS | Check for KMS best practices | Checks KMS against general best practices |
ELB | Classic Load Balancer does not use SSL | Checks for Classic ELBs configured without SSL |
ALB | Application Load Balancer configured with HTTP | Checks for ALBs configured with HTTP |
RDS | Non-encrypted RDS being used | Checks for RDS instances without encryption |
EC2 | EC2 instances with non-encrypted EBS volumes | Checks for EC2 instances with non-encrypted EBS volumes |
Operational Security

AWS Service | Rule Name | Description |
---|---|---|
RDS | RDS with snapshot retention less than seven days | Checks for RDS instances with less than seven days of snapshot retention |
RDS | RDS without logging set up | Checks for RDS instances with no logging set up |
EC2 | EC2 instances without monitoring | Checks for EC2 instances with monitoring disabled |
EBS | EBS volumes which are not fault tolerant | Checks for EBS volumes with no snapshot taken in the last 7 days |
S3 | S3 buckets configured without logging | Checks for S3 buckets without logging set up |
ALB | ALBs without logging | Checks for ALBs without logging |
ELB | ELB without logging | Checks for Classic ELBs configured without logging |
CloudTrail | CloudTrail trails violating best practices | Checks CloudTrail against best practices |
Communication Security

AWS Service | Rule Name | Description |
---|---|---|
ELB | Classic Load Balancer does not use SSL | Checks for Classic ELBs configured without SSL |
ALB | Application Load Balancer configured with HTTP | Checks for ALBs configured with HTTP |
EC2 | Benchmark checks for public EC2 instance | Checks for public EC2 instances |
SG | Security groups allow HTTP | Checks for security groups allowing public HTTP |
Section 14: System acquisition, development and maintenance

AWS Service | Rule Name | Description |
---|---|---|
EC2 | Benchmark checks for public EC2 instance | Checks for public EC2 instances |
S3 | Benchmarks for general S3 buckets | Checks general S3 buckets against best practices |
RDS | Terminate public and unencrypted RDS instance | Terminates RDS instances that are publicly accessible and unencrypted via CloudWatch Events |
RDS | Benchmark checks for confidential RDS instance | Checks for RDS instances classified as confidential that do not implement the required practices |
SG | Security groups allow HTTP | Checks for security groups allowing public HTTP |
SG | Security groups allow public SSH and RDP | Checks for security groups allowing public SSH and RDP |
RDS | RDS snapshot shared cross-account | Checks for RDS snapshots shared across accounts |
EBS | EBS snapshots shared cross-account | Checks for EBS snapshots shared across accounts |
Section 17: Information security aspects of business continuity management

AWS Service | Rule Name | Description |
---|---|---|
EC2 | Benchmark checks for confidential EC2 instance | Checks EC2 instances classified as confidential against best practices |
EC2 | Benchmark checks for public EC2 instance | Checks public EC2 instances against best practices |
RDS | RDS with snapshot retention less than 7 days | Checks for RDS instances with less than 7 days of snapshot retention |
EBS | EBS volumes which are not fault tolerant | Checks for EBS volumes with no snapshot taken in the last 7 days |
RDS | Benchmark checks for confidential RDS instance | Checks for RDS instances classified as confidential that do not implement the required practices |