Moderniser.repo
  • 日本語
  • English✔️
Archive
【Guidelines】Consideration for introducing AWS Config to Corporate Organization/S... 【Guidelines】Consideration for introducing Amazon GuardDuty to Corporate Organiza...
Thorough explanation of the aws:executeScript action for SSM Automation
How to get information on multiple AWS resources in Terraform's Data Source 【IaC】CloudFormation template / SAM template coding rules
【Update in March 2024】Recommended plug-in summary of Visual Studio Code for clou...
Tips / Workaround
【Tips】How to use the latest AWS icon in Draw.io of Visual Studio Code
【Tips】How to create custom checks with Prowler 【Tips】How to scrape the reference of Security Hub control and convert it to data 【Tips】 Investigating security check tools that support CIS AWS Foundations Bench...
【Workaround】How to use the latest Boto3 with SSM Automation (or Lambda)
How to switch accounts for GitHub CLI commands using commands
Codes
【IaC】Amazon S3 sample code collection
【Python】How to write a CommaDelimitedList in List (array) format in samconfig.ym...
Others
Privacy Policy
Profile
...

Kanji

・ Cloud engineer / freelance
・ Born in 1993
・ Born in Ehime Prefecture / Lives in Shibuya-ku, Tokyo
・ AWS history 5 years

Profile details

Contact
Twitter(@kanji_aws_fl) Instagram(kanji_aws_freelance) Mail(kanji@cont-aid.com)


【Tips】 Investigating security check tools that support CIS AWS Foundations Benchmark v3.0.0 (Security Hub, CFn Guard, Prowler)


Created date: 2025/02/11, Update date: 2025/02/11

CIS AWS Foundations Benchmark is a benchmark for checking AWS security settings. In this article, we investigated security checking tools that support CIS AWS Foundations Benchmark v3.0.0. The security checking tools we investigated were Security Hub, CFn Guard, and Prowler. We investigated the security check items that each security check tool supports.
CIS AWS Foundations Benchmark is a benchmark for checking AWS security settings.
In this article, we investigated security checking tools that support CIS AWS Foundations Benchmark v3.0.0.
The security checking tools we investigated were Security Hub, CFn Guard, and Prowler.
We investigated the security check items that each security check tool supports.

Table of contents


  1. Conclusion: Prowler is the most comprehensive security check tool
  2. CIS AWS Foundations Benchmark v3.0 Check Item Support Status
    1. 1 Identity and Access Management
    2. 2 Storage
      1. 2.1 Simple Storage Service (S3)
      2. 2.2 Elastic Compute Cloud (EC2)
      3. 2.3 Relational Database Service (RDS)
      4. 2.4 Elastic File System (EFS)
    3. 3 Logging
    4. 4 Monitoring
    5. 5 Networking
  3. References

Conclusion: Prowler is the most comprehensive security check tool

  • The versions of the CIS AWS Foundations Benchmark that each check tool supports are as follows:
    • It took about 1.5 years for Security Hub to support v1.4.0. It is expected that it will soon support v1.5.0.


Version (Release Date) Security Hub (Release Date) CFn Guard Prowler
1.2.0 (2018/5/23) Supported (2019/6/25) - -
1.4.0 (2021/5/28) Supported (2022/11/9) Supported Supported
1.5.0 (2022/8/12) - - Supported
2.0 (2023/6/28) - - Supported
3.0 (2024/1/30) - - Supported


  • Although comparisons with older versions are not possible, due to the nature of Security Hub and CFn Guard, even if additional supported versions are added in the future, Prowler is considered to be the most comprehensive security check tool.
    • Security Hub seems to focus on “security checks that can be automated,” and does not support checks that are difficult to automate for some reason.
      • Reference: CIS AWS Foundations Benchmark - AWS Security Hub
    • CFn Guard is “only applicable to AWS CloudFormation templates,” and the scope of security checks is limited. It cannot perform security checks at the account level, so it does not support some check items.


CIS AWS Foundations Benchmark v3.0 Check Item Support Status

  • The only tool that supports v3.0 is Prowler, but older versions also support some of the check items in v3.0.
  • Below is a list of check items in v3.0 that can also be checked in older versions.


1 Identity and Access Management

Id Description Level Security Hub CFn Guard Prowler
1.1 Maintain current contact details (Manual) 1 - - Supported
1.2 Ensure security contact information is registered (Manual) 1 - - Supported
1.3 Ensure security questions are registered in the AWS account (Manual) 1 - - Supported
1.4 Ensure no ‘root’ user account access key exists (Automated) 1 Supported (CIS v1.4 - 1.4) - Supported
1.5 Ensure MFA is enabled for the ‘root’ user account (Automated) 1 Supported (CIS v1.4 - 1.5) - Supported
1.6 Ensure hardware MFA is enabled for the ‘root’ user account (Manual) 1 Supported (CIS v1.4 - 1.6) - Supported
1.7 Eliminate use of the ‘root’ user for administrative and daily tasks (Manual) 1 Supported (CIS v1.4 - 1.7) - Supported
1.8 Ensure IAM password policy requires minimum length of 14 or greater (Automated) 1 Supported (CIS v1.4 - 1.8) - Supported
1.9 Ensure IAM password policy prevents password reuse (Automated) 1 Supported (CIS v1.4 - 1.9) - Supported
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated) 1 Supported (CIS v1.4 - 1.10) - Supported
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password (Manual) 1 - - Supported
1.12 Ensure credentials unused for 45 days or greater are disabled (Automated) 1 Supported (CIS v1.4 - 1.12) - Supported
1.13 Ensure there is only one active access key available for any single IAM user (Automated) 1 - - Supported
1.14 Ensure access keys are rotated every 90 days or less (Automated) 1 Supported (CIS v1.4 - 1.14) - Supported
1.15 Ensure IAM Users Receive Permissions Only Through Groups (Automated) 1 - Supported (CIS v1.4 - 1.15) Supported
1.16 Ensure IAM policies that allow full “ : ” administrative privileges are not attached (Automated) 1 Supported (CIS v1.4 - 1.16) Supported (CIS v1.4 - 1.16) Supported
1.17 Ensure a support role has been created to manage incidents with AWS Support (Automated) 1 - - Supported
1.18 Ensure IAM instance roles are used for AWS resource access from instances (Automated) 1 - Supported (CIS v1.4 - 1.18) Supported
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated) 1 - - Supported
1.20 Ensure that IAM Access analyzer is enabled for all regions (Automated) 1 - - Supported
1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual) 1 - - Supported
1.22 Ensure access to AWSCloudShellFullAccess is restricted (Manual) 1 - - Supported

2 Storage

2.1 Simple Storage Service (S3)

Id Description Level Security Hub CFn Guard Prowler
2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) 1 Supported (CIS v1.4 - 2.1.1) Supported (CIS v1.4 - 2.1.1) Supported
2.1.2 Ensure MFA Delete is enabled on S3 buckets (Manual) 1 Supported (CIS v1.4 - 2.1.3) - Supported
2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required. (Manual) 2 - - Supported
2.1.4 Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’ (Automated) 1 Supported (CIS v1.4 - 2.1.5) Supported (CIS v1.4 - 2.1.5) Supported

2.2 Elastic Compute Cloud (EC2)

Id Description Level Security Hub CFn Guard Prowler
2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions (Automated) 1 - Supported (CIS v1.4 - 2.2.1) Supported

2.3 Relational Database Service (RDS)

Id Description Level Security Hub CFn Guard Prowler
2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances (Automated) 1 Supported (CIS v1.4 - 2.3.1) Supported (CIS v1.4 - 2.3.1) Supported
2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances (Automated) 1 - - Supported
2.3.3 Ensure that public access is not given to RDS Instance (Automated) 1 - - Supported

2.4 Elastic File System (EFS)

Id Description Level Security Hub CFn Guard Prowler
2.4.1 Ensure that encryption is enabled for EFS file systems (Automated) 1 - - Supported

3 Logging

Id Description Level Security Hub CFn Guard Prowler
3.1 Ensure CloudTrail is enabled in all regions (Automated) 1 Supported (CIS v1.4 - 3.1) - Supported
3.2 Ensure CloudTrail log file validation is enabled (Automated) 2 Supported (CIS v1.4 - 3.2) Supported (CIS v1.4 - 3.2) Supported
3.3 Ensure AWS Config is enabled in all regions (Automated) 2 Supported (CIS v1.4 - 3.5) - Supported
3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Automated) 1 Supported (CIS v1.4 - 3.6) Supported (CIS v1.4 - 3.6) Supported
3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated) 2 Supported (CIS v1.4 - 3.7) Supported (CIS v1.4 - 3.7) Supported
3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) 2 Supported (CIS v1.4 - 3.8) Supported (CIS v1.4 - 3.8) Supported
3.7 Ensure VPC flow logging is enabled in all VPCs (Automated) 2 Supported (CIS v1.4 - 3.9) - Supported
3.8 Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) 2 - - Supported
3.9 Ensure that Object-level logging for read events is enabled for S3 bucket (Automated) 2 - - Supported

4 Monitoring

Id Description Level Security Hub CFn Guard Prowler
4.1 Ensure unauthorized API calls are monitored (Manual) 2 - - Supported
4.2 Ensure management console sign-in without MFA is monitored (Manual) 1 - - Supported
4.3 Ensure usage of ‘root’ account is monitored (Manual) 1 - - Supported
4.4 Ensure IAM policy changes are monitored (Manual) 1 Supported (CIS v1.4 - 4.4) - Supported
4.5 Ensure CloudTrail configuration changes are monitored (Manual) 1 Supported (CIS v1.4 - 4.5) - Supported
4.6 Ensure AWS Management Console authentication failures are monitored (Manual) 2 Supported (CIS v1.4 - 4.6) - Supported
4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored (Manual) 2 Supported (CIS v1.4 - 4.7) - Supported
4.8 Ensure S3 bucket policy changes are monitored (Manual) 1 Supported (CIS v1.4 - 4.8) - Supported
4.9 Ensure AWS Config configuration changes are monitored (Manual) 2 Supported (CIS v1.4 - 4.9) - Supported
4.10 Ensure security group changes are monitored (Manual) 2 Supported (CIS v1.4 - 4.10) - Supported
4.11 Ensure Network Access Control Lists (NACL) changes are monitored (Manual) 2 Supported (CIS v1.4 - 4.11) - Supported
4.12 Ensure changes to network gateways are monitored (Manual) 1 Supported (CIS v1.4 - 4.12) - Supported
4.13 Ensure route table changes are monitored (Manual) 1 Supported (CIS v1.4 - 4.13) - Supported
4.14 Ensure VPC changes are monitored (Manual) 1 Supported (CIS v1.4 - 4.14) - Supported
4.15 Ensure AWS Organizations changes are monitored (Manual) 1 - - Supported
4.16 Ensure AWS Security Hub is enabled (Automated) 2 - - Supported

5 Networking

Id Description Level Security Hub CFn Guard Prowler
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated) 1 Supported (CIS v1.4 - 5.1) - Supported
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated) 1 - Supported (CIS v1.4 - 5.2) Supported
5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated) 1 Supported (CIS v1.4 - 5.3) - Supported
5.4 Ensure the default security group of every VPC restricts all traffic (Automated) 2 - - Supported
5.5 Ensure routing tables for VPC peering are “least access” (Manual) 2 - - Supported
5.6 Ensure that EC2 Metadata Service only allows IMDSv2 (Automated) 1 - - Supported

References

  • CIS Amazon Web Services Benchmarks
  • CIS AWS Foundations Benchmark - AWS Security Hub
  • aws-guard-rules-registry/mappings/rule_set_cis_aws_benchmark_level_2.json at main · aws-cloudformation/aws-guard-rules-registry · GitHub
  • prowler/prowler/compliance/aws/cis_3.0_aws.json at master · prowler-cloud/prowler



©2025 ContAID