Mods

turbot/alicloud_compliance

GitHub
Overview
0Dashboards
78Controls
40Queries
0Variables
GitHub
CIS v1.0.0
1 Identity and Access Management
1.1 Avoid the use of the 'root' account
1.2 Ensure no root account access key exists
1.3 Ensure MFA is enabled for the 'root' account
1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password
1.5 Ensure users not logged on for 90 days or longer are disabled for console logon
1.6 Ensure access keys are rotated every 90 days or less
1.7 Ensure RAM password policy requires at least one uppercase letter
1.8 Ensure RAM password policy requires at least one lowercase letter
1.9 Ensure RAM password policy require at least one symbol
1.10 Ensure RAM password policy require at least one number
1.11 Ensure RAM password policy requires minimum length of 14 or greater
1.12 Ensure RAM password policy prevents password reuse
1.13 Ensure RAM password policy expires passwords within 90 days or less
1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
1.16 Ensure RAM policies are attached only to groups or roles
2 Logging and Monitoring
2.1 Ensure that ActionTrail are configured to export copies of all Log entries
2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible
2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service
2.4 Ensure Log Service is enabled for Container Service for Kubernetes
2.5 Ensure virtual network flow log service is enabled
2.6 Ensure Anti-DDoS access and security log service is enabled
2.7 Ensure Web Application Firewall access and security log service is enabled
2.8 Ensure Cloud Firewall access and security log analysis is enabled
2.9 Ensure Security Center Network, Host and Security log analysis is enabled
2.10 Ensure log monitoring and alerts are set up for RAM Role changes
2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes
2.12 Ensure log monitoring and alerts are set up for VPC network route changes
2.13 Ensure log monitoring and alerts are set up for VPC changes
2.14 Ensure log monitoring and alerts are set up for OSS permission changes
2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes
2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls
2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA
2.18 Ensure a log monitoring and alerts are set up for usage of 'root' account
2.19 Ensure a log monitoring and alerts are set up for Management Console authentication failures
2.20 Ensure a log monitoring and alerts are set up for disabling or deletion of customer created CMKs
2.21 Ensure a log monitoring and alerts are set up for OSS bucket policy changes
2.22 Ensure a log monitoring and alerts are set up for security group changes
2.23 Ensure that Logstore data retention period is set 365 days or greater
3 Networking
3.1 Ensure legacy networks does not exist
3.2 Ensure that SSH access is restricted from the internet
3.3 Ensure VPC flow logging is enabled in all VPCs
3.4 Ensure routing tables for VPC peering are 'least access'
3.5 Ensure the security group are configured with fine grained rules
4 Virtual Machines
4.1 Ensure that 'Unattached disks' are encrypted
4.2 Ensure that 'Virtual Machine’s disk' are encrypted
4.3 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
4.5 Ensure that the latest OS Patches for all Virtual Machines are applied
5 Storage
5.1 Ensure that OSS bucket is not anonymously or publicly accessible
5.2 Ensure that there are no publicly accessible objects in storage buckets
5.3 Ensure that logging is enabled for OSS buckets
5.4 Ensure that 'Secure transfer required' is set to 'Enabled'
5.5 Ensure that the shared URL signature expires within an hour
5.6 Ensure that URL signature is allowed only over https
5.8 Ensure server-side encryption is set to 'Encrypt with Service Key'
5.9 Ensure server-side encryption is set to 'Encrypt with BYOK'
6 Relational Database Services
6.1 Ensure that RDS instance requires all incoming connections to use SSL
6.2 Ensure that RDS Instances are not open to the world
6.3 Ensure that 'Auditing' is set to 'On' for applicable database instances
6.4 Ensure that 'Auditing' Retention is 'greater than 6 months'
6.5 Ensure that 'TDE' is set to 'Enabled' on for applicable database instance
6.7 Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database
6.8 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
6.9 Ensure server parameter 'log_duration is set to 'ON' for PostgreSQL Database Server
7 Kubernetes Engine
7.1 Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters
7.4 Ensure Cluster Check triggered at least once per week for Kubernetes Clusters
7.5 Ensure Kubernetes web UI / Dashboard is not enabled
7.6 Ensure Basic Authentication is not enabled on Kubernetes Engine
7.7 Ensure Network policy is enabled on Kubernetes Engine Clusters
7.8 Ensure ENI multiple IP mode support for Kubernetes Cluster
7.9 Ensure Kubernetes Cluster is created with Private cluster enabled
8 Security Center
8.1 Ensure that Security Center is Advanced or Enterprise Edition
8.3 Ensure that Automatic Quarantine is enabled
8.4 Ensure that Webshell detection is enabled on all web servers
8.5 Ensure that notification is enabled on all high risk items
8.6 Ensure that Config Assessment is granted with privilege
8.7 Ensure that scheduled vulnerability scan is enabled on all servers
8.8 Ensure that Asset Fingerprint automatically collects asset fingerprint data
On This Page
Description
Remediation
Usage
SQL
Tags
Get Involved
Edit on GitHub
Discuss on Slack

Control: 3.4 Ensure routing tables for VPC peering are 'least access'

Description

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired, even peering a VPC to only a single host on the other side of the connection.

Remediation

From Console

  1. Logon to VPC console.
  2. Open the routing table.
  3. Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.

Usage

steampipe check alicloud_compliance.control.cis_v100_3_4

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 3.4
cis_level = 2
cis_section_id = 3
cis_type = manual
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/VPC