CloudGuard Compliance Print Result

CloudGuard
adidas Custom Compliance Ruleset - CIS

Nov 11, 2022 1:19 PM
This Compliance Bundle is a combination of AWS CIS Foundation Framework 1.2.0

and adidas created Custom S3 Bucket and ElasticSearch Services. S3 Buckets
service as a data wharehouse either static or dynamic, these data need protection
depending on the data classification which can be verified by the data classification
policy. Elasticsearch services make storing, searching and analyzing large volumes
of data simple, but that’s what makes them prime targets for cybercriminals.
ElasticSearch domains have a “public” mode that leaves data exposed to unsigned
requests made to these resources (ES clusters) by attackers if proper
resource/endpoint policies not configured or not created inside a vpc
Cloud Account
adidas-linked-einvoice-cn (642660452893) , All Regions
TABLE OF CONTENTS
Executive Summary
Failed Tests
Passed Tests
EXECUTIVE SUMMARY
SUMMARY OF TESTS PERFORMED

Tests Performed Passed Failed
108 68.52% (74) 31.48% (34)
FAILED TESTS BY SEVERITY

Critical High Medium Low Informational
0 5 25 4 0
SUMMARY OF RULES TESTED

Rules Performed Passed Failed
103 69.90% (72) 30.10% (31)
Entities by type, Pass Vs Fail
Entity Type Passed Failed

ApplicationLoadBalancer (1) 0 1
IamUser (2) 0 2
Iam (1) 0 1
SecurityGroup (4) 3 1
NetworkLoadBalancer (0) 0 0
Route53Domain (0) 0 0
SageMakerNotebook (0) 0 0
Redshift (0) 0 0
ElasticSearchDomain (0) 0 0
CloudTrail (0) 0 0
Lambda (0) 0 0
List<CloudTrail> (1) 0 1
EcsService (0) 0 0
RDS (1) 0 1
S3Bucket (4) 4 0
Instance (2) 2 0
AMI (28) 28 0
EcsCluster (0) 0 0
Entity Type Passed Failed
EksCluster (0) 0 0
DynamoDbTable (0) 0 0
Route53HostedZone (0) 0 0
IamPolicy (508) 506 2
IamRole (15) 12 3
List<Lambda> (1) 1 0
KMS (0) 0 0
Region (2) 0 2
VPC (1) 1 0
Failed Tests Summary
Non
Rule Name Severity Tested Relevant Compliant
Enforce Password Policy High 1 1 1
ALB-WAF High 1 1 1
Ensure multi-factor authentication (MFA) is enabled for High 2 1 1
all IAM users that have a console password
Ensure IAM policies that allow full "*:*" administrative High 508 1 1
privileges are not created
Ensure the default security group of every VPC restricts High 4 1 1
all traffic
Iam roles with managed admin priviledges Medium 15 15 3
Ensure CloudTrail is enabled in all regions Medium 2 2 2
Ensure first access key is rotated every 90 days or less Medium 2 1 1
Ensure a log metric filter and alarm exist for changes to Medium 1 1 1
network gateways
IAM User with All Access Medium 2 2 1
Ensure IAM password policy require at least one symbol Medium 1 1 1
Ensure a log metric filter and alarm exist for AWS Medium 1 1 1
Management Console authentication failures
Ensure a log metric filter and alarm exist for IAM policy Medium 1 1 1
changes
Ensure IAM password policy requires at least one Medium 1 1 1
uppercase letter
Password Policy must require at least one number Medium 1 1 1
Ensure a log metric filter and alarm exist for Medium 1 1 1
Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for route table Medium 1 1 1
changes
Non
Rule Name Severity Tested Relevant Compliant
Ensure IAM password policy requires minimum length of Medium 1 1 1

10 or greater
Ensure a log metric filter and alarm exist for Medium 1 1 1
unauthorized API calls
Ensure a log metric filter and alarm exist for VPC changes Medium 1 1 1
Credentials (with password enabled) unused for 90 days Medium 2 1 1
or more should be disabled
Ensure a log metric filter and alarm exist for security Medium 1 1 1
group changes
RDS not encrypted Medium 1 1 1
Ensure a log metric filter and alarm exist for usage of Medium 1 1 1
'root' account
Ensure a log metric filter and alarm exist for S3 bucket Medium 1 1 1
policy changes
Ensure a log metric filter and alarm exist for changes to Medium 1 1 1
Network Access Control Lists (NACL)
Ensure IAM password policy require at least one Medium 1 1 1
lowercase letter
Ensure IAM password policy expires passwords within 90 Low 1 1 1
days or less
Default-SG Not to be Used Low 4 1 1
Ensure IAM password policy prevents password reuse Low 1 1 1
Ensure a support role has been created to manage Low 508 1 1
incidents with AWS Support
FAILED TESTS
FAILED
High
Enforce Password Policy
Description:
Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be
used to ensure password are comprised of different character sets, have minimal length, rotation and history
restrictions.
1 TESTED 1 RELEVANT 1 NON COMPLIANT
D9_PR_2
Remediation:
Refer to IAM Best Practices at:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
(http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
Failed Entities
ID Name Region VPC
642660452893 Account Summary Global (global) -
FAILED
ALB-WAF High
Description:
Ensure that all your public AWS ALB are integrated with the Web Application Firewall (AWS WAF) service to protect
against application-layer attacks .
CIS-Adv-Control
Failed Entities
ID Name Region VPC
arn:aws- BJI-PRD-EIN-ALB Beijing (cn_north_1) vpc-04013d3a487d91ab8
cn:elasticloadbalancing:cn-
north-
1:642660452893:loadbalancer
/app/BJI-PRD-EIN-
ALB/ba8ba461c444968f
FAILED
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console High
password
Description:
Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA
enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as
for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that
have a console password.
Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a
device that emits a time-sensitive key and have knowledge of a credential.
1.2
Remediation:
Perform the following to enable MFA:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
(https://console.aws.amazon.com/iam/)
2. In the navigation pane, choose Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security Credentials tab, and then choose Manage MFA Device.
5. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The
graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not
support QR codes.
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual
MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose
the option to create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:
7.1 Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to
Scan code, and then use the device's camera to scan the code.
7.2 In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret
configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords.
8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently
appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then
type the second one-time password into the Authentication Code 2 box. Choose Active Virtual MFA.
Additional Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-
iam-user (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-
mfa-for-iam-user)
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
(https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
IAM Best Practices at the following link:
Virtual MFA Applications guidance by AWS:
https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications
(https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications)
Failed Entities
ID Name Region VPC
AIDAZLIMMJIOSULFRKPF4 china-super-user Global (global) -
FAILED
Ensure IAM policies that allow full "*:*" administrative privileges are not created High
Description:
It is recommended and considered a standard security advice to grant least privileges that is, granting only the
permissions required to perform a task. IAM policies are the means by which privileges are granted to users,
groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only
those tasks, instead of granting full administrative privileges.

1.22
Remediation:
Using the GUI, perform the following to detach the policy that has full administrative privileges:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
(https://console.aws.amazon.com/iam/.)
2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
3. Select the policy that needs to be deleted.
4. In the policy action menu, select first Detach
5. Select all Users, Groups, Roles that have this policy attached
6. Click Detach Policy
7. In the policy action menu, select Detach
Failed Entities
ID Name Region VPC
ANPAPHSCJ455ZCEVGVPWA AdministratorAccess Global (global) -
FAILED
High
Ensure the default security group of every VPC restricts all traffic
Description:
A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic,
and allow all traffic between instances assigned to the security group. If you don't specify a security group when you
launch an instance, the instance is automatically assigned to this default security group. Security groups provide
stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security
group restrict all traffic.
The default VPC in every region should have its default security group updated to comply. Any newly created VPCs
will automatically contain a default security group that will need remediation to comply with this recommendation.
NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege
port access required by systems to work properly because it can log all packet acceptances and rejections occurring
under the current security groups. This dramatically reduces the primary barrier to least privilege engineering -
discovering the minimum ports required by systems in the environment. Even if the VPC flow logging
recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any
period of discovery and engineering for least privileged security groups.
4.3
Remediation:
Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as
resources outside of these routes are inaccessible to the peered VPC.
Security Group Members Perform the following to implement the prescribed state:
1. Identify AWS resources that exist within the default security group
2. Create a set of least privilege security groups for those resources
3. Place the resources in those security groups
4. Remove the resources noted in #1 from the default security group
Security Group State
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
(https://console.aws.amazon.com/vpc/home)
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, click Security Groups
4. For each default security group, perform the following:
5. Select the default security group
6. Click the Inbound Rules tab
7. Remove any inbound rules
8. Click the Outbound Rules tab
9. Remove any inbound rules
Recommended: IAM groups allow you to edit the "name" field. After remediating default groups rules for all VPCs in
all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES"
Failed Entities
ID Name Region VPC
sg-0805e4ab3ca7fb59e default Beijing (cn_north_1) vpc-04013d3a487d91ab8
FAILED
Iam roles with managed admin priviledges Medium

Description:
Multiple admin roles should be avoided
CIS-Adv-Control
Failed Entities
ID Name Region VPC
AROAZLIMMJIO7U7ASQVBT AAD-EInvoice-AWSAdmins Global (global) -

AROAZLIMMJIOW3DZ5T6IS OrganizationAccountAccessRol Global (global) -
e
AROAZLIMMJIOW5U6UYEZ2 AAD-EInvoice-Admins Global (global) -
FAILED
Medium
Ensure CloudTrail is enabled in all regions
Description:
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The
recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API
caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a
history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line
tools, and higher-level AWS services (such as CloudFormation).

2.1
Remediation:
Perform the following to enable global (Multi-region) CloudTrail logging: Via the management Console
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
(https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click Get Started Now , if presented
3.1 Click Add new trail
3.2 Enter a trail name in the Trail name box
3.3 Set the Apply trail to all regions option to Yes
3.4 Specify an S3 bucket name in the S3 bucket box and Click Create
4. If 1 or more trails already exist, select the target trail to enable for global logging
5. Click the edit icon (pencil) next to Apply trail to all regions , Click Yes and Click Save.
6. Click the edit icon (pencil) next to Management Events click All for setting Read/Write Events and Click Save.
Failed Entities
ID Name Region VPC
cn-north-1 Beijing Beijing (cn_north_1) -

cn-northwest-1 Ningxia Ningxia (cn_northwest_1) -
FAILED
Medium
Ensure first access key is rotated every 90 days or less
Description:
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that
you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS
Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs
for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised
or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an
old key which might have been lost, cracked, or stolen.

1.4
Remediation:
1. Login to the AWS Management Console:
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. As an Administrator
- Click on Make Inactive for keys that have not been rotated in 90 Days
7. As an IAM User
- Click on Make Inactive or Delete for keys which have not been rotated or used in 90 Days
8. Click on `` Create Access Key
9. Update programmatic call with new Access Key credentials
For Additional Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-
keys.html#Using_CreateAccessKey_CLIAPI
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-
keys.html#Using_CreateAccessKey_CLIAPI)
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
AIDAZLIMMJIOSUJBTDYZJ CloudGuardConnect Global (global) -
FAILED
Medium
Ensure a log metric filter and alarm exist for changes to network gateways
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination
outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via
a controlled path.
3.12
Remediation:
Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on filter pattern relevant for this check. For More details, refer to CIS Amazon Web
Services Foundations Benchmark v1.1.2
2. Create an SNS topic that the alarm will notify Note: you can execute this command once and then re-use the
same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2 Note: you can execute this command once and then re-
use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic
created in step 2
Failed Entities
ID Name Region VPC
N/A List<CloudTrail> N/A -
FAILED
Medium
IAM User with All Access
Description:
There should not be any iam user with admin access

CIS-Adv-Control
Failed Entities
ID Name Region VPC

FAILED
Medium
Ensure IAM password policy require at least one symbol
Description:
It is recommended that the password policy require at least one symbol. Password policies are, in part, used to
enforce password complexity requirements. IAM password policies can be used to ensure passwords consist of
different character sets. Setting a password complexity policy increases account resiliency against brute force login
attempts.

1.7
Remediation:
Perform the following to set the password policy as prescribed:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Check "Require at least one non-alphanumeric character"
5. Click "Apply password policy"
IAM Best Practices:
Failed Entities
ID Name Region VPC
FAILED
Ensure a log metric filter and alarm exist for AWS Management Console authentication Medium
failures
Description:
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed
console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may
provide an indicator, such as source IP, that can be used in other event correlation.

3.6
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Ensure a log metric filter and alarm exist for IAM policy changes Medium
Description:
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes
made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.
3.4
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy requires at least one uppercase letter
Description:
It is recommended that the password policy require at least one uppercase letter. Password policies are, in part,
used to enforce password complexity requirements. IAM password policies can be used to ensure passwords
consist of different character sets. Setting a password complexity policy increases account resiliency against brute
force login attempts.
1.5
Remediation:
Perform the following to set the password policy as prescribed: Via AWS Console
4. Check "Requires at least one uppercase letter"
Refer to IAM Best Practices at the following link:
Failed Entities
ID Name Region VPC
FAILED
Medium
Password Policy must require at least one number
Description:
It is recommended that the password policy require at least one number. Password policies are, in part, used to
enforce password complexity requirements. IAM password policies can be used to ensure passwords consist of
different character sets. Setting a password complexity policy increases account resiliency against brute force login
attempts.
1.8
Remediation:
Setting a password complexity policy increases account resiliency against brute force login attempts.
4. Check "Require at least one number"
IAM Best Practices:
Failed Entities
ID Name Region VPC
FAILED
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Medium
Description:
corresponding metric filters and alarms.
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
3.2
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for route table changes
Description:
corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to
network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.
3.13
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy requires minimum length of 10 or greater
Description:
Set the IAM password policy to ensure passwords consist of at least 10 characters. Password policies are, in part,
used to enforce password complexity requirements. Setting a password complexity policy increases account
resiliency against brute force login attempts.
1.9
Remediation:
Setting a password complexity policy increases account resiliency against brute force login attempts.
3. Click on Account Settings on the Left Pane 4. Set "Minimum password length" to 10 or greater.
IAM Best Practices:
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for unauthorized API calls
Description:
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for
unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious
activity.
3.1
Remediation:
created in step 2
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CountingLogEventsExample.html
(https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CountingLogEventsExample.html)
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for VPC changes
Description:
corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is
also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is
recommended that a metric filter and alarm be established for changes made to VPCs.

3.14
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Credentials (with password enabled) unused for 90 days or more should be disabled
Description:
It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated. AWS
IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated
with a compromised or abandoned account to be used.

1.3
Remediation:
Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. As an Administrator
- Click on Make Inactive for credentials that have not been used in 90 Days
7. As an IAM User
- Click on Make Inactive or Delete for credentials which have not been used in 90
Days

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-
keys.html#Using_CreateAccessKey_CLIAPI
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-
keys.html#Using_CreateAccessKey_CLIAPI)
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for security group changes
Description:
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.
3.10
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
RDS not encrypted
Description:
RDS Database should be encrypted at rest

CIS-Adv -Control
Failed Entities
ID Name Region VPC
db- prdeinsqlbji2a Beijing (cn_north_1) vpc-04013d3a487d91ab8

PSPNCI4JRUYKSTYVFSGTRG5Z
QU
FAILED
Medium
Ensure a log metric filter and alarm exist for usage of 'root' account
Description:
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root
login attempts.
Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity
to reduce the use of it.
3.3
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Description:
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for
changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3
buckets.

3.8
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Description:
corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress
traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made
to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.
3.11
Remediation:
created in step 2
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy require at least one lowercase letter
Description:
It is recommended that the password policy require at least one lowercase letter. Password policies are, in part,
used to enforce password complexity requirements. IAM password policies can be used to ensure passwords
consist of different character sets. Setting a password complexity policy increases account resiliency against brute
force login attempts.
1.6
Remediation:
Perform the following to set the password policy as prescribed: Via the AWS Console
4. Check "Requires at least one lowercase letter"
IAM Best Practices:
Failed Entities
ID Name Region VPC
FAILED
Low
Ensure IAM password policy expires passwords within 90 days or less
Description:
IAM password policies can require passwords to be rotated or expired after a given number of days. It is
recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally,
requiring regular password changes help in the following scenarios:
- Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system
compromise, software vulnerability, or internal threat.
- Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even
if it's encrypted.
- Many people use the same password for many systems such as work, email, and personal.
- Compromised end user workstations might have a keystroke logger.
1.11
Remediation:
Perform the following to set the password policy as prescribed: Via AWS Console:
4. Check "Enable password expiration"
5. Set "Password expiration period (in days):" to 90 or less
Failed Entities
ID Name Region VPC
FAILED
Low
Default-SG Not to be Used
Description:
Security Group should be custom created and applied in production
Failed Entities
ID Name Region VPC
sg-0805e4ab3ca7fb59e default Beijing (cn_north_1) vpc-04013d3a487d91ab8
FAILED
Ensure IAM password policy prevents password reuse Low

Description:
IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the
password policy prevent the reuse of passwords.
Preventing password reuse increases account resiliency against brute force login attempts.

1.10
Remediation:
Perform the following to set the password policy as prescribed:
Via AWS Console

1. Login to AWS Console (with appropriate permissions to View Identity Access
Management Account Settings)
4. Check "Prevent password reuse"
5. Set "Number of passwords to remember" is set to 24
IAM Best Practices:

Failed Entities
ID Name Region VPC
FAILED
Ensure a support role has been created to manage incidents with AWS Support Low
Description:
AWS provides a support center that can be used for incident notification and response, as well as technical support
and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow
Support Center Access in order to manage Incidents with AWS Support.
1.20
Remediation:
For each account that failed this rule, on the IAM console.Navigate to Roles, and create a new role (assign it any
name, but it should suggest the Support role). Assign the AWSSupportAccess policy to this role.
Alternatively, instead of a Role, define a Group with the support policy.
https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html#accessing-support
(https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html#accessing-support)
Failed Entities
ID Name Region VPC
ANPAOGSLPX3QHBYLVUS2S AWSSupportAccess Global (global) -
PASSED TESTS
PASSED
ALB-with-Netbios-Datagram High
Description:
Public ApplicationLoadBalancer with service 'NetBIOS Datagram Service' (TCP:138) is exposed to the entire internet
CIS-Adv-Control
PASSED
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) High
Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that
no security group allows unrestricted ingress access to port 3389.
4.2
PASSED
High
NLB with Telnet
CIS-Adv-Control
PASSED
High
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Description:
no security group allows unrestricted ingress access to port 22.
4.1
PASSED
Redshift Non default public access High

Description:
Redshift cluster accessible from internet but does not have default public access
CIS-Basic-Control
PASSED
High
Lambda With User Credential
Description:
Lambda can be run with either user credentials or IAM Role. User credentials are not a good way to run lambda as
they need credentials to be stored in the code or in environmental variables.
CIS-Adv-Control
PASSED
High
ECS Service with Admin Roles
Description:
ECS clusters are launched with admin Privilege
PASSED
High
s3-public-available
PASSED
ALB with SMB High

CIS-Adv-Control
PASSED
High
ALB-with-RDP
Description:
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the
public internet
CIS-Adv-Control
PASSED
High
ALB with Oracle
CIS-Adv-Control
PASSED
EKS Open Internet Accessible Cluster Endpoints High
Description:
Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet
in order to avoid exposing private data and minimizing security risks. The level of access to your Kubernetes API
server endpoints depends on your EKS application use cases, however, for most use cases Cloud Conformity
recommends that the API server endpoints should be accessible only from within your AWS Virtual Private Cloud
(VPC).
CIS-Basic Control
PASSED
High
Ensure no root account access key exists
Description:
The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a
given AWS account. It is recommended that all access keys associated with the root account be removed. Removing
access keys associated with the root account limits vectors by which the account can be compromised. Additionally,
removing the root access keys encourages the creation and use of role based accounts that are least privileged.
1.12
PASSED
NLB witm SMB High

Description:
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
CIS-Adv-Control
PASSED
ALB-with-Telnet High
CIS-Adv-Control
PASSED
ALB with VNC High
CIS-Adv-Control
PASSED
ALB-Ldap-without-SSL High
Description:
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems
Interconnection (OSI) model. A load balancer serves as the single point of contact for clients. ALB should not be
exposed for unencrypted ldap endpoints

CIS-Adv-Control
PASSED
DynamoDB Encryption High

Description:
DynamoDB without encryption should not be put in production
CIS-Adv-Control
PASSED
Telnet Public -SG High
PASSED
ALB with SSH High

PASSED
Security Groups - with remote ports too exposed to the public internet High
Description:
no security group allows unrestricted ingress access to administrative ports ports.

CIS-Basic-Control
PASSED
IAM User with 2 Access Keys High

Description:
Each IAM user can have up to two access keys. Having two access keys (instead of one), increases the risk of
unauthorized access and compromise of credentials. It is also recommended to delete unused access keys.

CIS-Basic-Control
PASSED
NLB with SSH High

Description:
NetworkLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
CIS-Adv-Control
PASSED
RDS Not in VPC High

Description:
RDS cluster is launched outside a vpc
CIS-Basic Control
PASSED
ECS In VPC High

Description:
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration
service that supports Docker containers and allows you to easily run and scale containerized applications on AWS.
Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage
and scale a cluster of virtual machines, or schedule containers on those virtual machines.
ECS should always be launched within a custom vpc network
CIS- Basic Control
PASSED
Ensure rotation for customer created CMKs is enabled High
Description:
AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within
the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is
used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently
retains all prior backing keys so that decryption of encrypted data can take place transparently.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key
cannot be accessed with a previous key that may have been exposed.
2.8
PASSED
High
ALB-with-CIFS
Description:
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
CIS-Adv-Control
PASSED
High
Complete-internet exposed ElasticSearch Domain
Description:
ElasticSearch domain completely exposed to public and attacker can access it without any login and there is no ip
address restriction/whitelisting.
PASSED
Expired domain High
Description:
Valid Domains are published via Route53
CIS-Adv-Control
PASSED
RDS Allowed Big Public Ip Scope High

Description:
RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections
between untrusted networks and any system components in the cloud environment.
CIS-Basic-Control
PASSED
internet exposed Redshift cluster within a VPC High

Description:
Redshift clusters are accessible with default public ip
CIS-Basic-Control
PASSED
ALB-ldap access unencrypted High

Description:
ldap protocol exposed to internet over default ip address

CIS-Adv-Control
PASSED
NLB with VNC High

Description:
VNC ports exposed over default internet
CIS-Adv-Control
PASSED
Lambda With full Resource & Action Priviledge High
Description:
Determine the specific permissions needed by your Lambda Functions, and then craft IAM policies for these
permissions only, instead of full administrative privileges.There should not be any policies that grant blanket
permissions ('*') to resources. It is recommended and considered a standard security best practice to grant least
privileges that is, granting only the permissions required to perform a task.
CIS-Adv-Control
PASSED
High
ECS Ingress Access Default Internet
Description:
ECS cluster is accessible over default inbound rule
PASSED
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible High
Description:
CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is
recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to
prevents public access
2.3
PASSED
Public Redshift outside of VPC High
Description:
Redshift is publicly accessible and also not inside a VPC
CIS-Basic-Control
PASSED
Default public access RDS High

Description:
When the VPC security group associated with an RDS instance allows unrestricted access (0.0.0.0/0), everyone and
everything on the Internet can establish a connection to your database and this can increase the opportunity for
malicious activities such as brute force attacks, SQL injections or DoS/DDoS attacks.
PASSED
ALB-MsSql High
Description:
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
PASSED
ECS Cluster At-Rest Encryption High

CIS- Adv control
PASSED
High
ALB-with-Netbios-NameService
Description:
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
CIS-Adv-Control
PASSED
ALB-with-Netbios High
Description:
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
PASSED
Redshift-without-Encryption High
Description:
In Amazon Redshift, you can enable database encryption for your clusters to help protect data at rest. When you
enable encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its
snapshots.
CIS-Adv-Control
PASSED
Ensure IAM policies are attached only to groups or roles Medium
Description:
It is recommended that IAM policies be applied directly to groups and roles but not to users. IAM policies are the
means by which privileges are granted to users, groups, or roles. By default, IAM users, groups, and roles have no
access to AWS resources.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users
grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently
receive or retain excessive privileges.
1.16
PASSED
Medium
Sagemaker outside vpc
Description:
A SageMaker notebook instance is a Machine Learning (ML) compute instance running on Jupyter Notebook
software. You can connect to your notebook instance from your VPC through an interface endpoint in your Virtual
Private Cloud (VPC), instead of connecting over the internet. Ensure that your AWS SageMaker notebook instances
placed in the VPC, to only access VPC resources for. AWS VPCs provides the controls to facilitate a formal process
for approving and testing all network connections and changes to the firewall and router configurations.

CIS-Adv-Control
PASSED
NLB -with-Oracle Medium

Description:
Oracle ports over internet
PASSED
Medium
ElasticSearch without any access control
Description:
This ElasticSearch Domain have been build inside a aws VPC but the access to that Elasticsearch domain is without
any access control via resource policies or login requirement
PASSED
Medium
Ensure multi-regions trail exists for each AWS CloudTrail
Description:
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The
recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API
caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a
history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line
tools, and higher-level AWS services (such as CloudFormation).

2.1
PASSED
RDS not with DB Ports Medium

Description:
RDS database need to be opened only with database ports in security group
CIS-Basic-Control
PASSED
UnEncrypted Filetransfer Medium
CIS-Adv-Control
PASSED
Medium
AMI-Public-snapshot
Description:
This check some thing we can look into once we provide golden images
CIS-Adv-Control
PASSED
ECS with Unconnected Agents Medium
Description:
The Amazon ECS container agent associates container instances to your cluster and tells Docker when to start, stop,
and query the containers you have specified to run. If the agent is unable to access the service, the container
instance is not able to operate as a member of your ECS cluster.
PASSED
Ensure second access key is rotated every 90 days or less Medium
Description:
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that
you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS
Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs
for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised
or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an
old key which might have been lost, cracked, or stolen.
1.4
PASSED
Empty record set Medium

Description:
Use Route53 for scalable, secure DNS service in AWS.
CIS-Adv-Control
PASSED
Medium
ECS Cluster Idle
Description:
Amazon ECS allows you to run and maintain a specified number of instances of a task definition simultaneously in
an Amazon ECS cluster. Idle ECS services should be removed to reduce container attack surface
CIS-Basic control
PASSED
Medium
ElasticSearch not inside VPC
Description:
ElasticSearch domain is exposed via public ES endpoint and should have proper resource access policies. Not a
recommended practice to have elastic search domain outside of vpc

PASSED
Medium
SagemakerNotebook Internet Access with Root
Description:
SagemakerNotebook Internet Access with Root
PASSED
ECS With Empty Role Medium

Description:
ECS Cluster should not have empty roles for service task definitions. Instead of creating and distributing your AWS
credentials to the containers or using the EC2 instance’s role, you can associate an IAM role with an ECS task
definition or RunTask API operation.
CIS-Adv Control
PASSED
Medium
Credentials (with first activated accessKey) unused for 90 days or more should be disabled
Description:
1.3
PASSED
Medium
Ensure VPC flow logging is enabled in all VPCs
Description:
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network
interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch
Logs.
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous
traffic or insight during security workflows.
2.9
PASSED
Credentials (with second activated accessKey) unused for 90 days or more should be Medium
disabled
Description:
1.3
PASSED
ECS Without ActiveService Medium
Description:
Amazon ECS uses services: run and maintain number of instances of a task definition simultaneously in an ECS
cluster. Idle ECS clusters running services should be removed to reduce container attack surface
PASSED
ECS No Inline Policy Low

Description:
ECS service should be launched with role with custom plicies
PASSED
Low
lambda without Tags
Description:
All resources should have appropriate tags
PASSED
Low
adidas s3 redirect
PASSED
One-IAM Role per lambda Low

Description:
It is recommended to have one IAM role per each Lambda function in order to follow the Principle of Least Privilege.
This way you can ensure that your Lambda functions will have the minimum privileges needed to perform the
required tasks.
PASSED
Low
DynamoDB encrypted adidasOwned Key
Description:
DynamoDB should be encrypted with adidas managed KMS keys
CIS-Adv-Control
PASSED
Low
Register-lock
Description:
Ensure that your AWS Route 53 registered domains are locked to prevent any unauthorized transfers to another
domain name registrar
CIS-Adv-Control
PASSED
Low
Sagemaker Internet access without Root
PASSED
Auto Renew-domain Informational
PASSED
Redshift custom inbound port access Informational
Description:
The aws redshift cluster by default need access at port 5439
PASSED
Internal-Hosted-Zone Informational
Description:
This check is just informational to verify private hosted zone in Route53

CloudGuard Compliance Print Result

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CloudGuard Compliance Print Result

Uploaded by

Copyright:

Available Formats

CloudGuard

adidas Custom Compliance Ruleset - CIS

This Compliance Bundle is a combination of AWS CIS Foundation Framework 1.2.0

SUMMARY OF TESTS PERFORMED

108 68.52% (74) 31.48% (34)

FAILED TESTS BY SEVERITY

SUMMARY OF RULES TESTED

103 69.90% (72) 30.10% (31)

Entities by type, Pass Vs Fail

Entity Type Passed Failed

Failed Tests Summary

Ensure IAM password policy requires minimum length of Medium 1 1 1

1 TESTED 1 RELEVANT 1 NON COMPLIANT

642660452893 Account Summary Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

2 TESTED 1 RELEVANT 1 NON COMPLIANT

AIDAZLIMMJIOSULFRKPF4 china-super-user Global (global) -

508 TESTED 1 RELEVANT 1 NON COMPLIANT

Iam roles with managed admin priviledges Medium

15 TESTED 15 RELEVANT 3 NON COMPLIANT

AROAZLIMMJIO7U7ASQVBT AAD-EInvoice-AWSAdmins Global (global) -

2 TESTED 2 RELEVANT 2 NON COMPLIANT

cn-north-1 Beijing Beijing (cn_north_1) -

2 TESTED 1 RELEVANT 1 NON COMPLIANT

For Additional Reference:

AIDAZLIMMJIOSUJBTDYZJ CloudGuardConnect Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

2 TESTED 2 RELEVANT 1 NON COMPLIANT

AIDAZLIMMJIOSULFRKPF4 china-super-user Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

642660452893 Account Summary Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

642660452893 Account Summary Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

2 TESTED 1 RELEVANT 1 NON COMPLIANT

CIS Amazon Web Services Foundations Benchmark v1.1.2

AIDAZLIMMJIOSULFRKPF4 china-super-user Global (global) -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

db- prdeinsqlbji2a Beijing (cn_north_1) vpc-04013d3a487d91ab8

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

N/A List<CloudTrail> N/A -

1 TESTED 1 RELEVANT 1 NON COMPLIANT

1 TESTED 1 RELEVANT 1 NON COMPLIANT

4 TESTED 1 RELEVANT 1 NON COMPLIANT

sg-0805e4ab3ca7fb59e default Beijing (cn_north_1) vpc-04013d3a487d91ab8

Ensure IAM password policy prevents password reuse Low