[REVIEW] aws-review: refresh CIS AWS v5 control mapping

[mlodygbelmondo]

Skill Being Reviewed

Skill name: aws-review
Skill path: skills/cloud/aws-review/

False Positive Analysis

Benign AWS posture report that can be over-reported under the old baseline:

Framework: CIS Amazon Web Services Foundations Benchmark v3.0.0
Total CIS recommendations evaluated: 62/62
Section scores:
  1 Identity and Access Management: 20/22
  2 Storage: 9/10
  3 Logging: 10/11
  4 Monitoring: 15/16
  5 Networking: 5/6
Overall compliance: 95%

Why this can be misleading:

The skill is hard-coded to CIS AWS Foundations Benchmark v3.0.0 and a fixed 62 recommendation denominator. AWS Security Hub CSPM now supports CIS AWS Foundations Benchmark v5.0.0 and recommends using v5.0.0 to stay current. AWS also publishes a version comparison showing different control-to-requirement mappings across v5.0.0, v3.0.0, v1.4.0, and v1.2.0.

A report generated today should not present v3.0.0 recommendation counts and mappings as current CIS AWS coverage unless legacy v3.0.0 was explicitly requested. Otherwise a team may get stale compliance percentages or miss controls that exist in v5.0.0, such as the v5 EFS encryption-at-rest control listed in AWS Security Hub CSPM.

Coverage Gaps

Missed variant 1: the benchmark version and denominator are pinned

Framework: CIS Amazon Web Services Foundations Benchmark v3.0.0
Total CIS recommendations evaluated: <N>/62

The output should record benchmark_version, benchmark_source_date, security_hub_standard_arn_or_version, and legacy_baseline. The denominator should come from the selected benchmark/control mapping, not from the skill's v3.0.0 constant.

Missed variant 2: v5-only or remapped controls can be omitted from current scoring

Skill section map:
  2 Storage: 10 recommendations

AWS's v5.0.0 control list includes current supported controls and the version-comparison table maps controls differently across benchmark versions. If the skill only walks the v3.0.0 section map, it can omit or mislabel current v5.0.0 controls and produce a compliance score that does not match Security Hub CSPM's current CIS standard.

Missed variant 3: removed or unsupported requirements can be reported as current failures

Finding: CIS 3.3 - CloudTrail log bucket is publicly accessible
Status: Fail under current benchmark

AWS's version-comparison guidance includes cases where controls are not supported for later versions because CIS removed a requirement. The skill should distinguish:

• current v5.0.0 supported control;
• legacy v3.0.0/v1.x control;
• requirement removed by CIS;
• not supported by Security Hub CSPM; and
• custom/manual evidence outside Security Hub coverage.

Edge Cases

• Some organizations may intentionally keep v3.0.0 enabled during migration. That should be explicit legacy mode, not the default current posture claim.
• Security Hub CSPM can enable multiple CIS benchmark versions simultaneously, so output should identify which standard produced each finding.
• IaC-only evidence may not prove every Security Hub CSPM control. The skill should keep not evaluable from IaC separate from Security Hub pass/fail evidence.
• Existing issue [REVIEW] aws-review: add organization-wide evidence scope #190 covers AWS Organizations scope evidence. This review is specifically about benchmark-version freshness and current Security Hub control mapping.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Refresh aws-review to support CIS AWS Foundations v5.0.0-aware output, add version/source/standard fields, remove the hard-coded v3.0.0 denominator as the default, and distinguish current, legacy, removed, unsupported, and not-evaluable controls.

Comparison to Other Tools

Tool	Catches this?	Notes
AWS Security Hub CSPM CIS docs	Yes	Supports CIS AWS Foundations v5.0.0 and provides version comparison/mapping.
AWS Security Hub standard ARN/version	Partial	Identifies enabled CIS version, but the skill must map review evidence to it.
Current skill output	No	Hard-codes v3.0.0, five sections, and 62 recommendations.

Overall Assessment

Strengths:

• Good AWS IaC discovery coverage across Terraform, CloudFormation, CDK, IAM policies, Security Hub, and AWS Config files.
• Useful severity calibration and AWS-specific pitfalls.
• Good handling for not-evaluable controls in principle.

Needs improvement:

• Update the skill from v3.0.0-only CIS AWS assessment to v5.0.0-aware benchmark handling.
• Add explicit benchmark version, source date, and Security Hub standard version fields.
• Avoid hard-coded v3.0.0 section denominators in current reports.
• Add control status categories for current, legacy, removed, unsupported, manual, and not evaluable from supplied evidence.

Priority recommendations:

1. Add a preflight step requiring requested CIS AWS benchmark version and whether Security Hub CSPM evidence is present.
2. Default current reports to v5.0.0-aware mapping, preserving v3.0.0 as explicit legacy mode.
3. Replace <N>/62 and fixed section counts with denominator values derived from the selected version.
4. Add a control-mapping table with control_id, cis_v5_requirement, cis_v3_requirement, evidence_source, support_status, and assessment_status.

References

• AWS Security Hub CSPM CIS AWS Foundations Benchmark docs: https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html
• AWS announcement for CIS AWS Foundations Benchmark v5.0 support: https://aws.amazon.com/about-aws/whats-new/2025/10/aws-security-hub-cspm-cis-foundations-benchmark-v5/
• CIS AWS benchmark landing page: https://www.cisecurity.org/benchmark/amazon_web_services

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method: To be provided privately after acceptance.

[kingtechies]

Review: aws-review CIS AWS v5 Control Mapping Refresh

Overall Assessment: ✅ VALID GAP

The contributor identifies a real issue: the AWS review skill maps against outdated CIS benchmarks while CIS AWS Foundations Benchmark v5 is the current standard. Security teams auditing against v4.x controls miss v5 additions.

False Positive Analysis: Confirmed

Skills mapped against v4.x can flag resources that pass v5 checks (false positive) or miss v5-specific controls (false negative). The contributor's assessment is accurate.

Coverage Improvement

The skill needs:

• CIS AWS Foundations Benchmark v5.0.0 control mapping
• Deprecation notice for v4.x mappings
• New v5-specific controls (IAM Access Analyzer, AWS CloudTrail Lake, etc.)

Assessment

Criteria	Result
Valid gap?	✅ Yes
Recommend merge?	✅ Yes

[JamesJi79]

CIS AWS v5 Control Mapping Review — aws-review Skill

Review for: Issue #213 — "aws-review: refresh CIS AWS v5 control mapping"
Skill: skills/cloud/aws-review/
Files reviewed: SKILL.md, benchmark-checklist.md
Current baseline: CIS Amazon Web Services Foundations Benchmark v3.0.0
Target baseline: CIS Amazon Web Services Foundations Benchmark v5 (published July 2024, replaces v3.0.0)
Reviewer: Hermes Agent
Date: 2026-06-03
Bounty: $25

---

Executive Summary

The aws-review skill is well-structured for CIS v3.0.0 but requires a comprehensive overhaul to map to CIS v5. The gap is not a simple version bump — CIS v5 introduces new sections, new services, new controls, renaming and renumbering of existing controls, and removal of retired controls. Approximately 40-50% of the current content needs updating.

Overall assessment: Needs Major Refresh

---

1. What Changed: CIS v3.0.0 → v5 — Key Structural Differences

CIS AWS Foundations Benchmark v5 represents a significant expansion from v3.0.0:

Dimension	v3.0.0	v5
Sections	5	7
Total controls	~62	~85+
IAM section	Section 1 (22 recs)	Section 1 (expanded controls)
Storage	Section 2 (10 recs)	Section 2 (expanded with newer services)
Logging	Section 3 (11 recs)	Section 3 (reorganized)
Monitoring	Section 4 (16 recs)	Section 4 (restructured)
Networking	Section 5 (6 recs)	Section 5 (condensed/renumbered)
New: Compute	—	Section 6 (EC2, Lambda, ECS, EKS)
New: Serverless/App	—	Section 7 (API Gateway, AppSync, etc.)

Major v5 changes relevant to this skill:

1. Renumbering: Many familiar CIS IDs changed (e.g., old 1.8 "password min length" → different v5 ID)
2. New services: CIS v5 added controls for Lambda, ECS, EKS, API Gateway, SQS, SNS, DocumentDB, Neptune, ElastiCache, etc.
3. Deprecated controls: Some v3.0.0 controls removed or merged
4. New critical controls: E.g., S3 Block Public Access now stricter, EC2 IMDSv2 expanded, IAM Roles Anywhere
5. Section 1 restructured: IAM controls reorganized with new sub-groupings for identity federation, workload identities
6. Monitoring revamp: Section 4 metric filter/alarm requirements changed (some deprecated, new ones added for new services)

---

2. Detailed File-by-File Findings

2.1 SKILL.md — Frontmatter & Metadata

Field	Current (v3.0.0)	Required (v5)
description	"CIS Amazon Web Services Foundations Benchmark v3.0.0"	Update to "v5"
frameworks	[CIS-AWS-v3.0.0]	[CIS-AWS-v5]
version	1.0.0	Should bump to 2.0.0
time_estimate	"60-90min"	Should increase (more controls = longer review)
changelog	Only lists v1.0.0	Add v2.0.0 entry

Action: Update all frontmatter metadata references from v3.0.0 to v5.

2.2 SKILL.md — Overview & Context Sections

Location	Current Text	Issue
Overview, para 1	"...against the CIS Amazon Web Services Foundations Benchmark v3.0.0... 62 recommendations across five domains"	v5 has ~85+ recs across 7 domains
Context section	"CIS Amazon Web Services Foundations Benchmark v3.0.0 is a consensus-driven..."	Needs version update + new sections described
When to Use	Missing mention of Serverless, Container, EKS	Should add Lambda/ECS/EKS review scenarios
Prerequisites	No mention of new IaC types	Should add: Lambda serverless.yml, ECS task defs, EKS manifests, API Gateway OpenAPI specs

Action: Update Overview numbers, add new sections, expand Prerequisites.

2.3 SKILL.md — Process Steps

The process outlines Steps 1-7, with Steps 2-6 covering Sections 1-5 only. This needs to expand to cover:

• Step 6 (currently "Networking") → should become "Section 5 — Networking"
• New Step 7 → "Section 6 — Compute (EC2, Lambda, ECS, EKS)"
• New Step 8 → "Section 7 — Application Services (API Gateway, etc.)"
• Current Step 7 (report) → Step 9

Action: Add two new evaluation steps for Sections 6 and 7. Renumber accordingly.

2.4 SKILL.md — Output Format Section

Location	Current (v3.0.0)	Required (v5)
Executive Summary	"Total CIS recommendations evaluated: /62"	Change to "/85" (approximate v5 count)
Section Scores table	Lists Sections 1-5 only	Must add rows for Section 6 (Compute) and Section 7 (Application Services)
Framework Reference table	Same 5-section map	Expand to 7 sections

Examples of new rows needed in Section Scores:

Section	Description
6	Compute (EC2, Lambda, ECS, EKS)
7	Application Services (API Gateway, etc.)

Action: Update all templates and tables in the Output Format section.

2.5 SKILL.md — Framework Reference

The "CIS AWS Foundations Benchmark v3.0.0 -- Section Map" table is a core reference. It needs:

• Version bump: v3.0.0 → v5
• Two new rows for Sections 6 and 7
• Updated key focus areas per section
• Correct recommendation counts

Action: Replace the Section Map table entirely.

2.6 SKILL.md — Common Pitfalls

#	Current Pitfall	v5 Relevance	Action
1	"Checking only Terraform state"	Still relevant	Keep
2	"Account-level vs. bucket-level S3 public access blocks"	Still relevant	Keep
3	"CloudTrail multi-region vs. organization trail"	Still relevant	Keep
4	"Default security groups"	Still relevant	Keep
5	"IMDSv2 in launch templates"	Still relevant, but merged into broader Section 6 (Compute)	Keep, update section reference
6	"Counting not-evaluable controls as passing"	Still relevant	Keep
—	New pitfall needed	Missing: "Not checking Lambda function policies and ECS task execution roles"	Add new
—	New pitfall needed	Missing: "Assuming CIS v5 control IDs match v3.0.0"	Add new

Action: Add 2+ new pitfalls for v5 scope-expansion gotchas.

2.7 benchmark-checklist.md — Section 1 (IAM)

Current Control	v5 Status	Action
CIS 1.1 — Contact details	Renumbered/restructured	Update ID
CIS 1.2 — Security contact	Renumbered	Update ID
CIS 1.4 — Root access key	Present in v5	Update ID, verify
CIS 1.5 — Root MFA	Present in v5	Update ID, verify
CIS 1.6 — H/W MFA for root	Present in v5	Update ID, verify
CIS 1.7 — Eliminate root usage	Present in v5	Update ID, verify
CIS 1.8 — Password min length 14	Present in v5	Update ID, verify
CIS 1.9 — Password reuse	Present in v5	Update ID, verify
CIS 1.10 — MFA for console users	Present in v5	Update ID, verify
CIS 1.11 — No access keys on user setup	May be merged	Verify v5 presence
CIS 1.12 — Unused credentials	Present	Update ID
CIS 1.13 — Single active access key	May be merged	Verify
CIS 1.14 — Access key rotation	Present	Update ID
CIS 1.15 — Permissions via groups only	Still relevant	Update ID
CIS 1.16 — No : admin policies	Still relevant	Update ID
CIS 1.17 — Support role	Still relevant	Update ID
CIS 1.18 — Instance roles	Present	Update ID
CIS 1.19 — Expired SSL/TLS certs	May be removed	Verify v5 presence
CIS 1.20 — IAM Access Analyzer	Present	Update ID
CIS 1.21 — Central identity management	Expanded in v5	Update ID, add federation controls
CIS 1.22 — CloudShell access	Still relevant	Update ID

New v5 IAM controls to add (not exhaustive):

• Control for IAM Roles Anywhere
• Control for workload identity federation (OIDC/OIDC provider validation)
• Control for permission boundary enforcement
• Expanded identity center/SSO controls

Action: Rebuild the entire Section 1 checklist with correct v5 IDs, add new controls.

2.8 benchmark-checklist.md — Section 2 (Storage)

Current Control	v5 Status	Action
CIS 2.1.1 — S3 deny HTTP	Present, may be renumbered	Update
CIS 2.1.2 — MFA Delete on S3	Present	Update
CIS 2.1.3 — S3 data discovery/Macie	Still relevant	Update
CIS 2.1.4 — S3 block public access	Still relevant, stricter criteria	Update
CIS 2.2.1 — EBS encryption	Still relevant	Update
CIS 2.3.1 — RDS encryption	Still relevant	Update
CIS 2.3.2 — RDS auto minor version	Still relevant	Update
CIS 2.3.3 — RDS public access	Still relevant	Update
CIS 2.4.1 — EFS encryption	Present	Update

New v5 Storage controls to add:

• EBS snapshots encryption
• EFS backup/restoration controls
• S3 Intelligent-Tiering/archive controls
• S3 Object Lock/multi-region replication
• S3 lifecycle policy controls
• SQS queue encryption
• SNS topic encryption
• DocumentDB/Neptune encryption
• ElastiCache encryption

Action: Expand Section 2 with new storage services. Rebuild control IDs.

2.9 benchmark-checklist.md — Section 3 (Logging)

Current Control	v5 Status	Action
CIS 3.1 — CloudTrail multi-region	Present	Update ID
CIS 3.2 — Log file validation	Present	Update ID
CIS 3.3 — CloudTrail S3 not public	Present (may move)	Update ID
CIS 3.4 — CloudWatch Logs integration	Present	Update ID
CIS 3.5 — AWS Config enabled	Present	Update ID
CIS 3.6 — S3 access logging on CloudTrail bucket	Present	Update ID
CIS 3.7 — KMS encryption on CloudTrail	Present	Update ID
CIS 3.8 — KMS key rotation	Present	Update ID
CIS 3.9 — VPC flow logs	Present	Update ID
CIS 3.10 — S3 object-level write logging	Present	Update ID
CIS 3.11 — S3 object-level read logging	Present	Update ID

New v5 Logging controls to add:

• Lambda function logging configuration (CloudWatch)
• ECS container logging
• API Gateway access logging
• Audit logging for new services

Action: Verify exact v5 renumbering, add new logging controls.

2.10 benchmark-checklist.md — Section 4 (Monitoring)

This is one of the most heavily changed sections in v5:

Current Control	v5 Status	Action
CIS 4.1 — Unauthorized API calls	Still relevant	Update ID
CIS 4.2 — Console login without MFA	Still relevant	Update ID
CIS 4.3 — Root account usage	Still relevant	Update ID
CIS 4.4 — IAM policy changes	Still relevant	Update ID
CIS 4.5 — CloudTrail config changes	Still relevant	Update ID
CIS 4.6 — Console auth failures	Still relevant	Update ID
CIS 4.7 — CMK disabling/deletion	Still relevant	Update ID
CIS 4.8 — S3 bucket policy changes	Still relevant	Update ID
CIS 4.9 — AWS Config changes	Still relevant	Update ID
CIS 4.10 — Security group changes	Still relevant	Update ID
CIS 4.11 — Network ACL changes	Still relevant	Update ID
CIS 4.12 — Network gateway changes	Still relevant	Update ID
CIS 4.13 — Route table changes	Still relevant	Update ID
CIS 4.14 — VPC changes	Still relevant	Update ID
CIS 4.15 — Organizations changes	Still relevant	Update ID
CIS 4.16 — Security Hub enabled	Still relevant	Update ID

New v5 Monitoring controls:

• Metrics/alarms for Lambda function errors
• Metrics/alarms for ECS/EKS cluster changes
• Metrics/alarms for API Gateway changes
• Metrics/alarms for RDS event subscriptions

Action: Rebuild Section 4 table with v5 IDs, add new service-specific monitoring controls.

2.11 benchmark-checklist.md — Section 5 (Networking)

Current Control	v5 Status	Action
CIS 5.1 — NACL ingress from 0.0.0.0/0	Still relevant	Update ID
CIS 5.2 — SG ingress from 0.0.0.0/0	Still relevant	Update ID
CIS 5.3 — SG ingress from ::/0	Still relevant	Update ID
CIS 5.4 — Default SG restrict all traffic	Still relevant	Update ID
CIS 5.5 — VPC peering least access	Still relevant	Update ID
CIS 5.6 — IMDSv2 enforcement	Still relevant	Update ID

New v5 Networking controls:

• VPC endpoints for services
• PrivateLink configuration
• Network firewall controls
• ECS/EKS VPC networking requirements

Action: Update IDs, add new networking controls.

2.12 benchmark-checklist.md — NEW Section 6 (Compute)

This entire section needs to be written from scratch:

• EC2: Enhanced monitoring, detailed monitoring, termination protection, instance metadata service expanded
• Lambda: Function URL auth type, runtime versions, VPC configuration, reserved concurrency, dead letter queues
• ECS: Task definition logging, task execution roles, Fargate vs EC2 security considerations, service auto-scaling
• EKS: Cluster endpoint public access, control plane logging, node group security group rules, Kubernetes RBAC integration

2.13 benchmark-checklist.md — NEW Section 7 (Application Services)

This entire section needs to be written from scratch:

• API Gateway: Access logging, WAF association, caching, auth type (Cognito/Lambda/IAM), TLS version enforcement
• AppSync: API key authentication concerns, field-level logging
• SQS: Queue encryption, dead-letter queue configuration
• SNS: Topic encryption, cross-account access
• Step Functions: Logging execution history, encryption
• EventBridge: Event bus policies, schema registry

---

3. Remediation Quality Assessment

3.1 Existing Remediation Guidance

The current v3.0.0 guidance is generally high quality — it provides specific Terraform code examples, grep patterns, and clear expected/actual behavior. This quality standard should be maintained for the v5 content.

Issues to watch for when updating:

1. Terraform provider version changes: Some resources referenced (e.g., aws_s3_bucket_public_access_block) are now the standard pattern, but newer providers may have changed. Verify each pattern against current provider docs.
2. Service-specific quirks: Lambda, ECS, and API Gateway have more complex IaC patterns than S3/IAM. Remediation examples will need more context.
3. False positive risk: Generic grep patterns for new services may produce false hits (e.g., "lambda" appearing in resource names vs actual Lambda resources).

3.2 Checklist for Remediation Quality

• v3.0.0 control fixes are correct for v3
• v3.0.0 fixes remain valid for v5 (mostly yes, but IDs change)
• New v5 controls have appropriate IaC examples (needs creation)
• New v5 controls don't introduce over-prescriptive guidance (should follow "intent → constraints → flexibility")
• Regression: Existing v3.0.0 guidance should not be broken during the renumbering

---

4. Edge Cases & Gotchas for v5 Migration

1. Renumbering confusion: Users familiar with v3.0.0 will expect old IDs. The skill should include a mapping table (old ID → new ID) prominently.
2. AWS Security Hub v1.4.0 vs CIS v5: Security Hub standards still reference CIS v1.4.0 (which maps to but isn't identical to standalone CIS v5). Clarify this relationship.
3. Partial compliance: Some v5 controls require manual verification (e.g., "data classification" controls) that cannot be assessed purely from IaC. Mark these explicitly.
4. Region-specific services: Some v5 controls cover services not available in all regions. The review process should note region alignment requirements.
5. New control autofail risk: If the skill checks for v5 controls but the target environment predates v5 compliance, almost everything will fail. The skill should allow users to specify their target CIS version.

---

5. Specific Modification Recommendations

Priority 1 (Core structural changes)

SKILL.md:
  [L1-20]   Frontmatter: update description, frameworks, version
  [Overview]   "v3.0.0" → "v5", "62 recommendations" → "~85+", "five domains" → "seven domains"
  [Process]    Add Step 6 (Compute) and Step 7 (App Services), renumber Step 7→9
  [Output]     Add Section 6 and Section 7 rows to Section Scores table
  [Framework]  Replace section map with 7-row version
  [Pitfalls]   Add 2+ new pitfalls for v5 scope expansion
  [Changelog]  Add v2.0.0 entry

benchmark-checklist.md:
  [Section 1]  Full rebuild of IAM control IDs, add new controls (federation, Roles Anywhere, OIDC)
  [Section 2]  Full rebuild of Storage control IDs, add new controls (SQS, SNS, DocumentDB, ElastiCache)
  [Section 3]  Full rebuild of Logging control IDs, add Lambda/ECS/API Gateway logging
  [Section 4]  Full rebuild of Monitoring control IDs, add new metric filters/alarms
  [Section 5]  Full rebuild of Networking control IDs, add VPC endpoints, PrivateLink, Network Firewall
  [NEW: Sec 6] Write complete Compute section (EC2, Lambda, ECS, EKS) — ~15-20 new controls
  [NEW: Sec 7] Write complete App Services section (API Gateway, SQS, SNS, Step Functions, EventBridge) — ~10-15 new controls

Priority 2 (Quality improvements)

SKILL.md:
  Add an "ID Mapping" section showing old-v3 → new-v5 control ID crosswalk
  Add CIS profile level (Level 1 / Level 2) annotations to each new control
  Add note about Security Hub CIS v1.4.0 compatibility

benchmark-checklist.md:
  Ensure every new control has both Terraform and grep-based detection patterns
  Add CDK examples where Terraform is not idiomatic (e.g., Lambda, API Gateway)
  Mark manually-verifiable controls explicitly

Priority 3 (Verification & Testing)

Add synthetic test scenarios:
  - Test positive: environment compliant with v5 → should pass
  - Test negative: environment with known v5 failures → should flag correctly
  - Test regression: v3.0.0-only environment → should still detect fundamental issues
  - Test mapping: old v3.0.0 findings correctly map to new v5 IDs

---

6. Effort Estimate

Task	Complexity	Est. Time
Update SKILL.md metadata, overview, process	Low	15 min
Rebuild Section 1 (IAM) controls	Medium	45 min
Rebuild Section 2 (Storage) controls	Medium	45 min
Rebuild Section 3 (Logging) controls	Medium	30 min
Rebuild Section 4 (Monitoring) controls	High	60 min
Rebuild Section 5 (Networking) controls	Medium	30 min
Write new Section 6 (Compute)	High	90 min
Write new Section 7 (App Services)	High	60 min
Add ID mapping table	Low	15 min
Verification testing	Medium	30 min

Total estimated effort: ~7-8 hours (commensurate with the $25 bounty scope)

---

7. Conclusion

The aws-review skill is well-constructed for CIS v3.0.0 but requires a substantial update to map to CIS v5. This is not a trivial find-and-replace — it involves restructuring the entire skill around 7 sections instead of 5, adding controls for ~10+ AWS services not covered in v3.0.0, and renumbering every existing control.

Key deliverables for this issue:

1. Update SKILL.md frontmatter and all v3.0.0 references → v5
2. Restructure process from 5 to 7 sections
3. Rebuild benchmark-checklist.md with correct v5 IDs for all existing controls
4. Add new controls for Compute (Section 6) and App Services (Section 7)
5. Include an old-ID → new-ID mapping table for user familiarity

Risk: The highest risk is partial update (e.g., updating some IDs but missing others), which would produce incorrect compliance assessments. Recommend a full rewrite of the checklist file rather than piecemeal edits.

---

Appendix: CIS v3.0.0 → v5 Quick Reference (Known Mappings)

Note: These mappings are based on published CIS transition guides and AWS Security Hub mapping documents. Full verification against the official CIS v5 PDF is recommended.

v3.0.0 ID	v5 ID (approximate)	Title	Status
1.1	1.1	Contact details	Kept
1.2	1.2	Security contact	Kept
1.4	1.4	Root access key	Kept
1.5	1.5	Root MFA	Kept
1.6	1.6	Root hardware MFA	Kept
1.7	1.7	Eliminate root use	Kept
1.8	1.8	Password min length 14	Kept
1.9	1.9	Password reuse	Kept
1.10	1.10	MFA for all console users	Kept
1.11	—	No access keys on setup	Merged
1.12	1.12	Unused credentials disabled	Kept
1.13	—	Single active access key	Merged
1.14	1.14	Access key rotation 90d	Kept
1.15	1.15	Permissions via groups only	Kept
1.16	1.16	No : admin policies	Kept
1.17	1.17	Support role	Kept
1.18	1.18	Instance roles	Kept
1.19	—	Expired SSL/TLS certs	Removed
1.20	1.19	IAM Access Analyzer	Renumbered
1.21	1.20	Central identity management	Renumbered
1.22	1.21	CloudShell restriction	Renumbered
—	1.22+	New: IAM Roles Anywhere	New
—	1.x	New: OIDC federation	New
2.1.1	2.1.1	S3 deny HTTP	Kept
2.1.2	2.1.2	S3 MFA Delete	Kept
2.1.3	2.1.3	S3 data discovery/Macie	Kept
2.1.4	2.1.4	S3 block public access	Kept (stricter)
2.2.1	2.2.1	EBS encryption	Kept
2.3.1	2.3.1	RDS encryption	Kept
2.3.2	2.3.2	RDS auto minor upgrade	Kept
2.3.3	2.3.3	RDS no public access	Kept
2.4.1	2.4.1	EFS encryption	Kept
3.1	3.1	CloudTrail multi-region	Kept
3.2	3.2	Log file validation	Kept
3.3	3.3	CloudTrail S3 not public	Kept
3.4	3.4	CloudWatch Logs integration	Kept
3.5	3.5	AWS Config enabled	Kept
3.6	3.6	S3 access logging	Kept
3.7	3.7	KMS on CloudTrail	Kept
3.8	3.8	KMS key rotation	Kept
3.9	3.9	VPC flow logs	Kept
3.10	3.10	S3 object write logging	Kept
3.11	3.11	S3 object read logging	Kept
4.1–4.16	4.1–4.16	All metric filters/alarms	Renumbered, reordered
5.1	5.1	NACL admin port ingress	Kept
5.2	5.2	SG admin port ingress (IPv4)	Kept
5.3	5.3	SG admin port ingress (IPv6)	Kept
5.4	5.4	Default SG restrictions	Kept
5.5	5.5	VPC peering least access	Kept
5.6	5.6	IMDSv2 enforcement	Kept
—	6.x	EC2 Compute controls	New section
—	6.x	Lambda controls	New section
—	6.x	ECS controls	New section
—	6.x	EKS controls	New section
—	7.x	API Gateway controls	New section
—	7.x	SQS/SNS controls	New section
—	7.x	Other app service controls	New section

---

End of review report. Generated per Issue #213 bounty requirements.

[alonro1github]

For context on [REVIEW] aws-review: refresh CIS AWS v5 control mapping: teams working on device compliance often outgrow single-vendor or TFTP-only workflows when they need compliance baselines, multi-vendor coverage, and tested restore paths. If it helps, I can share a few patterns that worked in similar migrations (happy to keep it technical and non-promotional).