From 1dc2b1cf76bed665c460affc66ad7979615a9858 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Wed, 6 Jan 2021 17:38:14 +0100 Subject: [PATCH 01/34] Add migration guide for CIS AWS 1.3.0 --- ...0-12-16-how-to-update-to-terraform-13.adoc | 2 +- .../2021-01-06-how-to-update-to-cis-13.adoc | 107 ++++++++++++++++++ 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 _posts/2021-01-06-how-to-update-to-cis-13.adoc diff --git a/_posts/2020-12-16-how-to-update-to-terraform-13.adoc b/_posts/2020-12-16-how-to-update-to-terraform-13.adoc index 335674053..2fcf3167b 100644 --- a/_posts/2020-12-16-how-to-update-to-terraform-13.adoc +++ b/_posts/2020-12-16-how-to-update-to-terraform-13.adoc @@ -33,7 +33,7 @@ and fixes, but it also has a number of backwards incompatibilities that have to === What you'll learn in this guide -This guide consists of three main sections: +This guide consists of two main sections: <>:: An overview of Terraform 0.13 and why it is important to update your code for compatibility. diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc new file mode 100644 index 000000000..da2b595fc --- /dev/null +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -0,0 +1,107 @@ +--- +title: How to update to CIS AWS Foundations Benchmark 1.3 +categories: Upgrades +image: /assets/img/guides/refresh_icon.png +excerpt: Learn how to update to the 1.3.0 version of the CIS AWS Foundations Benchmark +tags: ["aws", "security", "compliance"] +cloud: ["aws"] +redirect_from: /static/guides/upgrades/how-to-update-to-cis-13/ +--- +:page-type: guide +:page-layout: post + +:toc: +:toc-placement!: + +// GitHub specific settings. See https://gist.github.com/dcode/0cfbf2699a1fe9b46ff04c41721dda74 for details. +ifdef::env-github[] +:tip-caption: :bulb: +:note-caption: :information_source: +:important-caption: :heavy_exclamation_mark: +:caution-caption: :fire: +:warning-caption: :warning: +toc::[] +endif::[] + +== Intro + +This guide will walk you through the upgrade process from the 1.2.0 to the 1.3.0 version of the CIS AWS Foundations Benchmark. +If your infrastructure is already compliant with the 1.2.0 version of the Benchmark, and you are looking to upgrade to 1.3, +this guide is for you. + +=== What you'll learn in this guide + +This guide consists of two main sections: + +<>:: + An overview of the CIS AWS Foundations Benchmark 1.3.0 and why it is important to update your code for compatibility. + +<>:: + The steps you need to take to update your code to be compliant with CIS AWS 1.3.0. It includes a + <> you can use as a reference to know which Gruntwork Repo version + tag is compatible with CIS AWS 1.3.0, as well as the manuals step you need to perform to achieve said compliance. + + +[[core_concepts]] +== Core Concepts + +=== Background + +The 1.3.0 version of the CIS AWS Foundations Benchmark was release in July of 2020. You can refer to the +https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the +Benchmark (as well as all the previous version). 
The latest version introduces several new reccomendations, and this guide +will walk you through implementing these new recommendations by utilizing Gruntwork's Infrastructure as Code Library, +so that your code becomes fully compliant with the 1.3.0 version of the framework. + + +[[deployment_walkthrough]] +== Deployment walkthrough + +=== Step 1: Update references to the Gruntwork Infrastructure as Code Library + +In order to take advantage of the CIS AWS 1.3.0, you need to update your references to the Gruntwork +Infrastructure as Code Library to use a compatible version. We (Gruntwork) have gone through all our modules in the +library to test and update the code to be compatible with CIS AWS 1.3.0. As a customer, you need to update to +the proper versions of the Gruntwork library to pick up the fixes/changes that were made to be compatible. Refer to +https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#updating[the +"Updating" section of "How to use the Gruntwork Infrastructure as Code Library"] for instructions on how to update the +versions in your code. + +For the vast majority of the repos, the only change that will be necessary is a version number bump, but several repos +require more extensive code changes and state migrations. To upgrade without downtime and data loss, **you MUST follow +the migration instructions in the release notes in each repo to know what changes need to be made to update to the new +version.** + +[.exceptional] +IMPORTANT: Gruntwork follows +https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#versioning[semantic +versioning]. For any pre-1.0 modules, this means that version updates to the minor version are considered backwards +incompatible releases for any version updates prior to 1.0.0 release. Make sure to read the release notes for the +relevant modules any time you are updating minor versions! 
Note that you will want to read the release notes for each +minor version that is updated (e.g., if you are going from v0.5.x to v0.9.x, you will want to read the notes for v0.6.0, +v0.7.0, v0.8.0, and v0.9.0 to get the full list of backwards incompatible updates). + +The following table provides a summary of all the relevant Gruntwork AWS modules and the respective versions that are +compatible with CIS AWS 1.3.0: + +TODO: Add all the relevant repos with version numbers + +[[compatibility_table]] +[cols="1,1h,1"] +|=== +|Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendation + +|module-security +|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.0[v0.44.0] +|1.20 + +|terraform-aws-monitoring +|https://github.com/gruntwork-io/terraform-aws-monitoring/releases/tag/v0.24.0[v0.24.0] +|1.20 + +|=== + + +=== Step 2: Manual steps + +TODO: Add all the relevant manual steps needed From 3aba8182ddfa05a171cadd1c39d27224fd5b09d8 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Wed, 6 Jan 2021 17:44:19 +0100 Subject: [PATCH 02/34] Fix title --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index da2b595fc..725268edf 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -1,5 +1,5 @@ --- -title: How to update to CIS AWS Foundations Benchmark 1.3 +title: How to update to the newest version of CIS AWS Foundations Benchmark categories: Upgrades image: /assets/img/guides/refresh_icon.png excerpt: Learn how to update to the 1.3.0 version of the CIS AWS Foundations Benchmark From 54a97dc3ae7ea69d5c2879211e906870b138c33c Mon Sep 17 00:00:00 2001 
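Review bot: the one-line change to `_posts/2020-12-16-how-to-update-to-terraform-13.adoc` (`three main sections` to `two main sections`) is a correct fix but is unrelated to the new CIS guide this commit introduces; put it in its own commit so the history of the Terraform 0.13 guide stays searchable and the CIS commit can be reverted cleanly.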
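Review bot: the new post ships with two `TODO:` placeholders (`TODO: Add all the relevant repos with version numbers` above the compatibility table and the whole of `=== Step 2: Manual steps`), and because it lives under `_posts/` Jekyll will publish it as-is; add `published: false` to the front matter until the content lands, or keep it in `_drafts/`. Smaller fixes on the same lines: `the manuals step you need to perform` should read `the manual steps`, `was release in July of 2020` should read `was released`, `all the previous version` should be plural, and `reccomendations` is misspelled. The IMPORTANT admonition also says the same thing twice (`For any pre-1.0 modules, this means that ... for any version updates prior to 1.0.0 release`); one of the two clauses is enough.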
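Review bot: dropping the version from the title (`How to update to the newest version of CIS AWS Foundations Benchmark`) will go stale as soon as the next benchmark version ships, while the `excerpt` and the `redirect_from: /static/guides/upgrades/how-to-update-to-cis-13/` on the adjacent lines still name 1.3; keep the version in the title (`How to update to CIS AWS Foundations Benchmark 1.3.0`) so title, excerpt and URL agree.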
From: Ana Krivokapic Date: Wed, 6 Jan 2021 18:21:06 +0100 Subject: [PATCH 03/34] Add relevant repos and manual steps (Ana) --- .../2021-01-06-how-to-update-to-cis-13.adoc | 31 ++++++++++++++----- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 725268edf..ef2e8dc83 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -84,24 +84,41 @@ v0.7.0, v0.8.0, and v0.9.0 to get the full list of backwards incompatible update The following table provides a summary of all the relevant Gruntwork AWS modules and the respective versions that are compatible with CIS AWS 1.3.0: -TODO: Add all the relevant repos with version numbers - [[compatibility_table]] [cols="1,1h,1"] |=== -|Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendation +|Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendations |module-security -|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.0[v0.44.0] -|1.20 +|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.5[v0.44.5] +|1.20, 2.1.1, 2.1.2, 3.10, 3.11 |terraform-aws-monitoring |https://github.com/gruntwork-io/terraform-aws-monitoring/releases/tag/v0.24.0[v0.24.0] -|1.20 +|1.20, 2.1.1, 2.1.2 + +|package-zookeeper +|https://github.com/gruntwork-io/package-zookeeper/releases/tag/v0.8.0[v0.8.0] +|1.20, 2.1.1, 2.1.2 + +|terraform-aws-vpc +|https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.12.0[v0.12.0] +|1.20, 2.1.1, 2.1.2 + +|package-openvpn +|https://github.com/gruntwork-io/package-openvpn/releases/tag/v0.13.0[v0.13.0] +|1.20, 2.1.1, 2.1.2 + +|cis-compliance-aws +|https://github.com/gruntwork-io/cis-compliance-aws/releases/tag/v0.9.2[v0.9.2] +|4.15, 3.10, 3.11 |=== === Step 2: Manual steps -TODO: Add all the relevant manual steps needed +Recommendation 4.15 requires an active subscriber for the SNS topic created by this recommendation (see Audit steps 6 +and 7 for 4.15). As it's impossible to automate creation of this subscriber, you'll have to do so manually. See +https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html[Subscribing to an Amazon SNS topic] +on the AWS website for detailed instructions. From e4d1550a32a25bba668b5f6e4fceaf1dc1aeaaed Mon Sep 17 00:00:00 2001 
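Review bot: the Step 2 text says creating the SNS subscriber is `impossible to automate`, which is too strong: the subscription itself can be created from Terraform with `aws_sns_topic_subscription`; what cannot be automated is the confirmation of an `email` endpoint, which the recipient has to click. Rephrase it as "the subscription must be confirmed manually" so readers using an HTTPS or SQS endpoint know they can still codify it. Also, the `cis-compliance-aws` row lists its recommendations as `4.15, 3.10, 3.11` while every other row is in ascending order; sort it to `3.10, 3.11, 4.15`.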
From: Ana Krivokapic Date: Wed, 6 Jan 2021 18:25:56 +0100 Subject: [PATCH 04/34] Address review comments --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index ef2e8dc83..2274a50d2 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -47,10 +47,10 @@ This guide consists of two main sections: === Background -The 1.3.0 version of the CIS AWS Foundations Benchmark was release in July of 2020. You can refer to the +The 1.3.0 version of the CIS AWS Foundations Benchmark was release in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the -Benchmark (as well as all the previous version). The latest version introduces several new reccomendations, and this guide -will walk you through implementing these new recommendations by utilizing Gruntwork's Infrastructure as Code Library, +Benchmark (as well as all the previous version). The latest version introduces several new recommendations, and this guide +will walk you through implementing these with help from the Gruntwork's Infrastructure as Code Library, so that your code becomes fully compliant with the 1.3.0 version of the framework. 
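Review bot: the edited line still carries the typo `was release in September of 2020` (`released`), and `all the previous version` on the line below is still singular; since this commit is addressing review comments, fix both here rather than in a follow-up. The rewritten sentence `with help from the Gruntwork's Infrastructure as Code Library` also has a stray `the`.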
@@ -59,9 +59,9 @@ so that your code becomes fully compliant with the 1.3.0 version of the framewor === Step 1: Update references to the Gruntwork Infrastructure as Code Library -In order to take advantage of the CIS AWS 1.3.0, you need to update your references to the Gruntwork -Infrastructure as Code Library to use a compatible version. We (Gruntwork) have gone through all our modules in the -library to test and update the code to be compatible with CIS AWS 1.3.0. As a customer, you need to update to +In order to update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork +Infrastructure as Code Library to use a compatible version. We (Gruntwork) have reviewed and updated all the modules in the +library for compatibility with the new version of the Benchmark. As a customer, you need to update to the proper versions of the Gruntwork library to pick up the fixes/changes that were made to be compatible. Refer to https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#updating[the "Updating" section of "How to use the Gruntwork Infrastructure as Code Library"] for instructions on how to update the From eccee6342058f557725e6bd6939e44fce0028d4d Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 7 Jan 2021 12:28:10 +0100 Subject: [PATCH 05/34] Fix wording --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 2274a50d2..2b0e963ce 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
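Review bot: `In order to update to the CIS AWS Foundations Benchmark v1.3.0` mixes the `v1.3.0` form with the `1.3.0` form used everywhere else in the guide (including the heading text `compatible with CIS AWS 1.3.0`); pick one. `to use a compatible version` should be plural (`compatible versions`), since the compatibility table lists a separate minimum version per repo.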
@@ -26,8 +26,10 @@ endif::[] == Intro This guide will walk you through the upgrade process from the 1.2.0 to the 1.3.0 version of the CIS AWS Foundations Benchmark. -If your infrastructure is already compliant with the 1.2.0 version of the Benchmark, and you are looking to upgrade to 1.3, -this guide is for you. +If your infrastructure is already compliant with the 1.2.0 version of the Benchmark, and you are looking to upgrade to 1.3.0, +this guide is for you. If you are starting to work on compliance with this benchmark from scratch, check out our +https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/[How to achieve compliance with the CIS AWS Foundations Benchmark] +guide instead. === What you'll learn in this guide @@ -47,9 +49,11 @@ This guide consists of two main sections: === Background -The 1.3.0 version of the CIS AWS Foundations Benchmark was release in September of 2020. You can refer to the +TODO: Add a bullet list of new recommendations. + +The 1.3.0 version of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the -Benchmark (as well as all the previous version). The latest version introduces several new recommendations, and this guide +Benchmark (as well as all the previous versions). The latest version introduces several new recommendations, and this guide will walk you through implementing these with help from the Gruntwork's Infrastructure as Code Library, so that your code becomes fully compliant with the 1.3.0 version of the framework. 
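Review bot: this hunk fixes the `released` / `versions` typos but adds a new `TODO: Add a bullet list of new recommendations.` line at the top of `=== Background`, which will render in the published post; either add the list in this commit or keep the post unpublished (`published: false`) until it is filled in. The intro hunk above is fine; linking readers who start from scratch to the full compliance guide is the right call.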
@@ -60,7 +64,7 @@ so that your code becomes fully compliant with the 1.3.0 version of the framewor === Step 1: Update references to the Gruntwork Infrastructure as Code Library In order to update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork -Infrastructure as Code Library to use a compatible version. We (Gruntwork) have reviewed and updated all the modules in the +Infrastructure as Code Library to use compatible versions. We (Gruntwork) have reviewed and updated all the modules in the library for compatibility with the new version of the Benchmark. As a customer, you need to update to the proper versions of the Gruntwork library to pick up the fixes/changes that were made to be compatible. Refer to https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#updating[the From ad9272c15946cc34f3af855c70ee0d4dc04c0016 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 7 Jan 2021 14:47:26 +0100 Subject: [PATCH 06/34] Add a bullet list of new recommendations --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 2b0e963ce..ea36d9b23 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -49,14 +49,26 @@ This guide consists of two main sections: === Background -TODO: Add a bullet list of new recommendations. - The 1.3.0 version of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the Benchmark (as well as all the previous versions). The latest version introduces several new recommendations, and this guide will walk you through implementing these with help from the Gruntwork's Infrastructure as Code Library, so that your code becomes fully compliant with the 1.3.0 version of the framework. +==== New recommendations +These are the new recommendations introduced in the version 1.3.0 of the Benchmark. You can think of these as a "diff" +between versions 1.2.0 and 1.3.0: + +- 1.19: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +- 1.20: Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’ +- 1.21: Ensure that IAM Access analyzer is enabled +- 2.1.1: Ensure all S3 buckets employ encryption-at-rest +- 2.1.2: Ensure S3 Bucket Policy allows HTTPS requests +- 2.2.1: Ensure EBS volume encryption is enabled +- 3.10: Ensure that object-level logging for write events is enabled for (CloudTrail) S3 bucket +- 3.11: Ensure that object-level logging for read events is enabled for (CloudTrail) S3 bucket +- 4.15: Ensure a log metric filter and alarm exists for AWS Organizations changes +- 5.1: Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [[deployment_walkthrough]] == Deployment walkthrough From c6373e93b18bb2f087edea8462ae1050a780c05f Mon Sep 17 00:00:00 2001 From: Ina Stoyanova Date: Thu, 7 Jan 2021 16:26:12 +0200 Subject: [PATCH 07/34] Updating reference table for IAM Access Analyzer --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
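Review bot: the list is introduced as a `"diff" between versions 1.2.0 and 1.3.0`, but it only shows additions; 1.3.0 also renumbered the existing sections (a new Storage section became section 2, so Logging moved from 2 to 3, Monitoring from 3 to 4 and Networking from 4 to 5), which is why the logging items here are `3.10`/`3.11` and the network ACL item is `5.1`. One sentence saying that existing recommendations kept their content but changed number will save readers a lot of confusion when they map their 1.2.0 controls. Minor: `IAM Access analyzer` in 1.21 should be `IAM Access Analyzer`, the service name used later in the guide.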
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index ea36d9b23..51f6b0d98 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -106,8 +106,8 @@ compatible with CIS AWS 1.3.0: |Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendations |module-security -|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.5[v0.44.5] -|1.20, 2.1.1, 2.1.2, 3.10, 3.11 +|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.6[v0.44.6] +|1.20, 1.21, 2.1.1, 2.1.2, 3.10, 3.11 |terraform-aws-monitoring |https://github.com/gruntwork-io/terraform-aws-monitoring/releases/tag/v0.24.0[v0.24.0] @@ -129,6 +129,10 @@ compatible with CIS AWS 1.3.0: |https://github.com/gruntwork-io/cis-compliance-aws/releases/tag/v0.9.2[v0.9.2] |4.15, 3.10, 3.11 +|aws-service-catalog +|https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4] +|1.21 + |=== From f914505848e2b25cafca2d1b3bd42d3892e6ae07 Mon Sep 17 00:00:00 2001 From: Ina Stoyanova Date: Thu, 7 Jan 2021 17:47:58 +0200 Subject: [PATCH 08/34] Adding steps for deploying the IAM Access Analyzer This will need to be updated once we've updated the ACME repos for the Ref Arch. --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 51f6b0d98..01d37f7cb 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
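Review bot: with this hunk recommendation 1.21 is listed under two repos (`module-security` v0.44.6 in the first hunk and the new `aws-service-catalog` v0.15.4 row here); a short note on which one is the building-block module and which is the wrapper that consumes it would stop readers from bumping the two to versions that disagree. The `cis-compliance-aws` row in the context lines just above still lists `4.15, 3.10, 3.11` out of order; sort it while the table is being touched.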
@@ -142,3 +142,21 @@ Recommendation 4.15 requires an active subscriber for the SNS topic created by t and 7 for 4.15). As it's impossible to automate creation of this subscriber, you'll have to do so manually. See https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html[Subscribing to an Amazon SNS topic] on the AWS website for detailed instructions. + + +=== Step 3: Deploy new modules +==== 1. Deploy IAM Access Analyzer module + +As part of CIS 1.3 compliance, the AWS IAM Access Analyzer service is required to be enabled across all active regions in a given AWS account or organization. + +Once enabled and active, this service will examine the trust policies and access to the following resources: + +- Amazon Simple Storage Service buckets; +- AWS Identity and Access Management roles; +- AWS Key Management Service keys; +- AWS Lambda functions and layers; +- Amazon Simple Queue Service queues. + +The IAM Access Analyzer will scan only within the boundaries of the AWS Account or Organization it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. + +To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. \ No newline at end of file From 3054a8289541ff10da100e366a54794981c9e3c6 Mon Sep 17 00:00:00 2001 
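Review bot: `this service will examine the trust policies and access to the following resources` is imprecise, since trust policies only exist on IAM roles; `the resource-based policies of the following resources (including IAM role trust policies)` describes what Access Analyzer actually evaluates. The step also states that the analyzer must be enabled `across all active regions` but the only guidance is a link to the landingzone examples; name the input that turns the analyzer on in `account-baseline-root` and `account-baseline-security` so a reader with an existing landing zone knows what to change. Finally, the file is committed without a trailing newline (`\ No newline at end of file`).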
From: Eugene K Date: Mon, 11 Jan 2021 10:44:08 -0500 Subject: [PATCH 09/34] Fixed issue where titles for guides could not have special punctuation like: period, comma, semicolon (etc...) --- pages/guides/_guides.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/guides/_guides.html b/pages/guides/_guides.html index 5ea6a74b5..d147ae0d1 100644 --- a/pages/guides/_guides.html +++ b/pages/guides/_guides.html @@ -19,7 +19,7 @@ {% capture category_name %}{{ category | first }}{% endcapture %}

{{ category_name }}

{% for post in site.categories[category_name] %} -
+
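Review bot: the changed markup in this hunk has been stripped to bare `-` / `+` markers in this rendering, so the id change cannot be verified here; whatever the new `id` attribute is, it must be produced by the same filter chain as the `"id"` field in the `window.guideEntries` hunk below, otherwise the JavaScript lookup by id will still miss cards whose titles contain punctuation, which is exactly the bug the commit message describes.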
@@ -45,7 +45,7 @@
{{ post.title }}
window.guideEntries = [ {% for post in site.posts %} { - "id" : "{{ post.title | strip_html | downcase | split: ' ' | join: '-' | append: '-card' }}", + "id" : "{{ post.title | slugify | strip_html | downcase | split: ' ' | join: '-' | append: '-card' }}", "title" : "{{ post.title | strip_html | escape | downcase}}", "category" : "{{post.category | downcase | slugify}}", "excerpt" : "{{post.excerpt | strip_html | strip_newlines | escape | downcase}}", From 4cbe2c51409207817388a7f3354447742fe51bfd Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 11 Jan 2021 17:19:18 +0100 Subject: [PATCH 10/34] Revert "Fix title" This reverts commit 3aba8182ddfa05a171cadd1c39d27224fd5b09d8. --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 01d37f7cb..949fba82e 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -1,5 +1,5 @@ --- -title: How to update to the newest version of CIS AWS Foundations Benchmark +title: How to update to CIS AWS Foundations Benchmark 1.3 categories: Upgrades image: /assets/img/guides/refresh_icon.png excerpt: Learn how to update to the 1.3.0 version of the CIS AWS Foundations Benchmark From 590a10408176ad1cf60469fed209f18d8dcffa6c Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Wed, 13 Jan 2021 12:28:13 +0100 Subject: [PATCH 11/34] Add a paragraph about new vs existing modules Also, add section headings for the remaining 2 new modules. --- .../2021-01-06-how-to-update-to-cis-13.adoc | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 949fba82e..8b41e1055 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
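Review bot: in `"id" : "{{ post.title | slugify | strip_html | downcase | split: ' ' | join: '-' | append: '-card' }}"` the filter order is wrong: `slugify` runs before `strip_html`, so any HTML in a title is turned into hyphenated fragments (`<em>` becomes `-em-`) before `strip_html` sees it; apply `strip_html` first. After `strip_html | slugify` the remaining `downcase | split: ' ' | join: '-'` filters are no-ops, because `slugify` already lowercases and replaces spaces and punctuation with hyphens, so the chain reduces to `strip_html | slugify | append: '-card'`.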
@@ -70,6 +70,16 @@ between versions 1.2.0 and 1.3.0: - 4.15: Ensure a log metric filter and alarm exists for AWS Organizations changes - 5.1: Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports +==== New Gruntwork modules vs existing modules +To achieve compliance with the newly added 10 recommendations listed above, we created three new modules in the +Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21 +and 5.1 required creation of new modules; the rest of recommendations were achieved by updating existing modules. + +To ensure compliance with the version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the +instructions in the <> section of this guide; specifically, follow Steps 1 and 2 to ensure that +the existing modules get updated to their CIS 1.3.0 compliant versions, and follow Step 3 to ensure that you install and +configure the newly created modules. + [[deployment_walkthrough]] == Deployment walkthrough @@ -145,11 +155,11 @@ on the AWS website for detailed instructions. === Step 3: Deploy new modules -==== 1. Deploy IAM Access Analyzer module +==== 1. Deploy IAM Access Analyzer module (recommendation 1.21) -As part of CIS 1.3 compliance, the AWS IAM Access Analyzer service is required to be enabled across all active regions in a given AWS account or organization. +As part of CIS 1.3 compliance, the AWS IAM Access Analyzer service is required to be enabled across all active regions in a given AWS account or organization. -Once enabled and active, this service will examine the trust policies and access to the following resources: +Once enabled and active, this service will examine the trust policies and access to the following resources: - Amazon Simple Storage Service buckets; - AWS Identity and Access Management roles; 
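Review bot: `we created three new modules ... Namely: recommendations 1.19, 1.21 and 5.1` hard-codes the count next to the enumeration, so the paragraph goes stale every time a module is added; keep only the enumeration (`new modules for recommendations 1.19, 1.21 and 5.1`). Grammar on the same lines: `in the Gruntwork's Infrastructure as Code Library` has a stray `the`, and `a bunch of existing modules` is informal for a guide (`several existing modules`).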
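Review bot: in the `=== Step 3: Deploy new modules` hunk the `As part of CIS 1.3 compliance ...` and `Once enabled and active ...` lines are rewritten with no visible wording change, so this is trailing whitespace being stripped; that is fine, but say so in the commit message so the next reader does not hunt for an edit that is not there. The heading change to `(recommendation 1.21)` is a good addition and should be applied to every Step 3 heading.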
@@ -159,4 +169,10 @@ Once enabled and active, this service will examine the trust policies and access The IAM Access Analyzer will scan only within the boundaries of the AWS Account or Organization it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. -To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. \ No newline at end of file +To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. + +==== 2. Deploy ... module (recommendation 1.19) +#TODO(Rob) IAC-1606 + +==== 3. Deploy ... module (recommendation 5.1) +#TODO(Marina) IAC-1613 From 4181603bbb6715175818864eed1b1ffdd9ad0da5 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Thu, 14 Jan 2021 16:43:15 +0800 Subject: [PATCH 12/34] add copy for recommendation 1.19 --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
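Review bot: the placeholder sections `==== 2. Deploy ... module (recommendation 1.19)` / `#TODO(Rob) IAC-1606` and `==== 3. Deploy ... module (recommendation 5.1)` / `#TODO(Marina) IAC-1613` will render in the published guide; `#` is not a comment in AsciiDoc (comments are `//`), so the TODO text appears verbatim. Use `// TODO(Rob) IAC-1606` lines so the notes are invisible in the output, and keep the post unpublished until the two sections are written. Restoring the trailing newline on the last line is a welcome side effect of this hunk.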
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 8b41e1055..a207e348c 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -171,8 +171,11 @@ The IAM Access Analyzer will scan only within the boundaries of the AWS Account To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. -==== 2. Deploy ... module (recommendation 1.19) -#TODO(Rob) IAC-1606 +==== 2. Deploy the Cleanup Expired Certs module (recommendation 1.19) + +The updated recommendations also require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed +accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you +achieve this recommendation check out the https://github.com/gruntwork-io/cis-compliance-aws/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. ==== 3. Deploy ... module (recommendation 5.1) #TODO(Marina) IAC-1613 From 241d331d8c438b9d20f37db55532d3c5ebc66e44 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 14 Jan 2021 13:57:14 +0100 Subject: [PATCH 13/34] Fix grammar --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
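Review bot: `require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed` overstates recommendation 1.19, which the Background list phrases as `are removed`; `automatically` describes what the module does, not what the benchmark demands, so write it as "the module removes them automatically". The example link points at `tree/master/examples/cleanup-expired-certs/terraform`, while every other Gruntwork link in the guide is pinned to a release tag; pin it to the `cis-compliance-aws` release that introduced `cleanup-expired-certs`, and add 1.19 to that repo's row in the compatibility table, which currently lists only `4.15, 3.10, 3.11`.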
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index a207e348c..a55dc2701 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -52,11 +52,11 @@ This guide consists of two main sections: The 1.3.0 version of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the Benchmark (as well as all the previous versions). The latest version introduces several new recommendations, and this guide -will walk you through implementing these with help from the Gruntwork's Infrastructure as Code Library, -so that your code becomes fully compliant with the 1.3.0 version of the framework. +will walk you through implementing these using Gruntwork's Infrastructure as Code Library, +so that your infrastructure is fully compliant with version 1.3.0 of the framework. ==== New recommendations -These are the new recommendations introduced in the version 1.3.0 of the Benchmark. You can think of these as a "diff" +These are the new recommendations introduced in version 1.3.0 of the Benchmark. You can think of these as a "diff" between versions 1.2.0 and 1.3.0: - 1.19: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed 
@@ -73,7 +73,7 @@ between versions 1.2.0 and 1.3.0: ==== New Gruntwork modules vs existing modules To achieve compliance with the newly added 10 recommendations listed above, we created three new modules in the Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21 -and 5.1 required creation of new modules; the rest of recommendations were achieved by updating existing modules. +and 5.1 required the creation of new modules; the rest of the recommendations were achieved by updating existing modules. To ensure compliance with the version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the instructions in the <> section of this guide; specifically, follow Steps 1 and 2 to ensure that From 6a08a831252ee024f43d53120cbed3cd70a1daab Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 14 Jan 2021 16:30:50 +0100 Subject: [PATCH 14/34] Create section for EBS encryption module --- .../2021-01-06-how-to-update-to-cis-13.adoc | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index a55dc2701..bbc38e43c 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
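Review bot: while fixing grammar in this paragraph, also drop the stray `the` in `in the Gruntwork's Infrastructure as Code Library` (first context line) and in `To ensure compliance with the version 1.3.0` (`with version 1.3.0`), both of which the hunk leaves untouched.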
@@ -71,9 +71,9 @@ between versions 1.2.0 and 1.3.0: - 5.1: Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports ==== New Gruntwork modules vs existing modules -To achieve compliance with the newly added 10 recommendations listed above, we created three new modules in the -Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21 -and 5.1 required the creation of new modules; the rest of the recommendations were achieved by updating existing modules. +To achieve compliance with the newly added 10 recommendations listed above, we created four new modules in the +Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21, +2.2.1 and 5.1 required the creation of new modules; the rest of the recommendations were achieved by updating existing modules. To ensure compliance with the version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the instructions in the <> section of this guide; specifically, follow Steps 1 and 2 to ensure that 
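Review bot: "we created four new modules in the Gruntwork's Infrastructure as Code Library" carries a stray article ("in Gruntwork's ..."), and "updated a bunch of existing modules" is vague for an upgrade guide; point readers at the compatibility matrix in Step 1, which is where the updated modules and their minimum versions are actually enumerated.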
@@ -155,7 +155,14 @@ on the AWS website for detailed instructions. === Step 3: Deploy new modules -==== 1. Deploy IAM Access Analyzer module (recommendation 1.21) + +==== 1. Deploy the Cleanup Expired Certs module (recommendation 1.19) + +The updated recommendations also require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed +accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you +achieve this recommendation check out the https://github.com/gruntwork-io/cis-compliance-aws/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. + +==== 2. Deploy IAM Access Analyzer module (recommendation 1.21) As part of CIS 1.3 compliance, the AWS IAM Access Analyzer service is required to be enabled across all active regions in a given AWS account or organization. 
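Review bot: the new 1.19 paragraph says the recommendation requires expired certificates to be "automatically removed", but recommendation 1.19 as listed earlier on this page only asks that expired certificates "are removed"; the automation is what the `cleanup-expired-certs` module adds, so reword to "requires that ... are removed; the module below does this automatically". Also, the example link points at `tree/master/examples/cleanup-expired-certs/terraform`, an unpinned branch, whereas the Access Analyzer section pins `v0.15.4`; link the example at the release tag listed in the compatibility matrix so the page keeps matching the version it tells readers to use.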
@@ -171,11 +178,8 @@ The IAM Access Analyzer will scan only within the boundaries of the AWS Account To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. -==== 2. Deploy the Cleanup Expired Certs module (recommendation 1.19) - -The updated recommendations also require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed -accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you -achieve this recommendation check out the https://github.com/gruntwork-io/cis-compliance-aws/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. +==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) +#TODO(Rob) IAC-1610 -==== 3. Deploy ... module (recommendation 5.1) +==== 4. Deploy ... module (recommendation 5.1) #TODO(Marina) IAC-1613 From 6977aaf01fd235977bbb9edf692315b5b7b6ad22 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Fri, 15 Jan 2021 12:35:56 +0800 Subject: [PATCH 15/34] rephrase text due to reordering --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index bbc38e43c..e63752805 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
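Review bot: the two placeholder lines `#TODO(Rob) IAC-1610` and `#TODO(Marina) IAC-1613` sit in the rendered body of the post; a leading `#` is not a comment in AsciiDoc, so if this branch is built before the sections are written, the ticket IDs are published. Either hide them behind `//` comments or hold the merge until both sections are filled in.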
+++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -158,13 +158,13 @@ on the AWS website for detailed instructions. ==== 1. Deploy the Cleanup Expired Certs module (recommendation 1.19) -The updated recommendations also require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed +The new CIS v1.3 recommendations require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you achieve this recommendation check out the https://github.com/gruntwork-io/cis-compliance-aws/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. ==== 2. Deploy IAM Access Analyzer module (recommendation 1.21) -As part of CIS 1.3 compliance, the AWS IAM Access Analyzer service is required to be enabled across all active regions in a given AWS account or organization. +The updated recommendations also require that the AWS IAM Access Analyzer service is enabled across all active regions in a given AWS account or organization. Once enabled and active, this service will examine the trust policies and access to the following resources: From 114b022b741fcfe13b107019656a3558fed26b6c Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Fri, 15 Jan 2021 12:58:15 +0800 Subject: [PATCH 16/34] add ebs volume encryption instructions --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index e63752805..0b705d435 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -179,7 +179,11 @@ The IAM Access Analyzer will scan only within the boundaries of the AWS Account To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. ==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) -#TODO(Rob) IAC-1610 + +EC2 supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption when creating EBS volumes is supported. Encrypting data at rest reduces the likelihood that it is +unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. Recommendation 2.2.1 specifies a manual process to encrypt EBS volumes using the AWS Console, however Gruntwork has developed +a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/module-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to +configure AWS EBS encryption in all enabled regions for an AWS Account. ==== 4. Deploy ... module (recommendation 5.1) #TODO(Marina) IAC-1613 From 1bc5324d9230cf30cb996d6b9989e10ace7c27f2 Mon Sep 17 00:00:00 2001 
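Review bot: the EBS paragraph implies that enabling encryption by default in every region satisfies recommendation 2.2.1 on its own, but that account setting only applies to volumes (and snapshot copies) created after it is turned on; volumes that already exist stay unencrypted. Add a sentence telling readers to inventory existing unencrypted volumes and migrate them (snapshot, copy with encryption, recreate the volume) after deploying the module. Minor: "Check out the ... [ebs-encryption-multi-region] to configure" is missing the word "module", and "using the AWS Console, however Gruntwork has developed" needs a semicolon or a new sentence before "however".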
From: Marina Limeira Date: Mon, 18 Jan 2021 15:52:58 +0100 Subject: [PATCH 17/34] Add deploy instructions to vpc-nacls --- .../2021-01-06-how-to-update-to-cis-13.adoc | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 0b705d435..dd43e9187 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -185,5 +185,29 @@ unintentionally exposed and can nullify the impact of disclosure if the encrypti a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/module-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to configure AWS EBS encryption in all enabled regions for an AWS Account. -==== 4. Deploy ... module (recommendation 5.1) -#TODO(Marina) IAC-1613 +==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) + +If you are already using the `vpc-app-network-acl` and/or `vpc-mgmt-network-acl` modules, you need to update the +source URL from the https://github.com/gruntwork-io/terraform-aws-vpc[`terraform-aws-vpc` module] (previously known +as `module-vpc`). There is one new required argument, `allow_administrative_remote_access_cidrs`. You will add the +CIDRs from your office! + +``` +module "vpc_app_network_acls" { + source = "git::git@github.com:gruntwork-io/cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.9.3" + + # ... the existing variables weren't affected! + + allow_administrative_remote_access_cidrs = { + berlin_office = "1.2.3.4/32" + ny_office = "6.7.8.9/32" + } + +``` + +Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rules. We created a Terraform module +(https://github.com/gruntwork-io/package-terraform-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) +where you can request a quota increase. If you use two remote administration ports (the defaults for both modules +are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs. Check out +https://github.com/gruntwork-io/cis-compliance-aws/tree/v0.9.3/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our +docs] to see how to calculate the maximum number of CIDRs that you can add. From 7d3bea7e2b514fea972581953f03172dbb234466 Mon Sep 17 00:00:00 2001 
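Review bot: the `module "vpc_app_network_acls"` example is missing its closing `}` and will not parse as written. The opening sentence also says to "update the source URL from the `terraform-aws-vpc` module" without saying what to update it to, while the example points at `cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.9.3`; spell out both the old and the new `source`, and reconcile the heading's `vpc-app-network-acl`/`vpc-mgmt-network-acl` with the module path `vpc-app-network-acls`. Finally, `allow_administrative_remote_access_cidrs` accepts any CIDR, so add a sentence that `0.0.0.0/0` or similarly broad ranges must not go in this map (that would reintroduce exactly the 5.1 finding the module exists to remove) and that `1.2.3.4/32` and `6.7.8.9/32` are placeholders.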
From: Ana Krivokapic Date: Tue, 19 Jan 2021 14:33:35 +0100 Subject: [PATCH 18/34] Fix formatting and update compatibility matrix --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index dd43e9187..c5e11aa06 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -1,5 +1,5 @@ --- -title: How to update to CIS AWS Foundations Benchmark 1.3 +title: How to update to CIS AWS Foundations Benchmark 1.3.0 categories: Upgrades image: /assets/img/guides/refresh_icon.png excerpt: Learn how to update to the 1.3.0 version of the CIS AWS Foundations Benchmark @@ -136,8 +136,8 @@ compatible with CIS AWS 1.3.0: |1.20, 2.1.1, 2.1.2 |cis-compliance-aws -|https://github.com/gruntwork-io/cis-compliance-aws/releases/tag/v0.9.2[v0.9.2] -|4.15, 3.10, 3.11 +|https://github.com/gruntwork-io/cis-compliance-aws/releases/tag/v0.9.3[v0.9.3] +|3.10, 3.11, 4.15, 5.1 |aws-service-catalog |https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4] @@ -192,7 +192,8 @@ source URL from the https://github.com/gruntwork-io/terraform-aws-vpc[`terraform as `module-vpc`). There is one new required argument, `allow_administrative_remote_access_cidrs`. You will add the CIDRs from your office! -``` +[source,hcl] +---- module "vpc_app_network_acls" { source = "git::git@github.com:gruntwork-io/cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.9.3" @@ -202,8 +203,8 @@ module "vpc_app_network_acls" { berlin_office = "1.2.3.4/32" ny_office = "6.7.8.9/32" } - -``` +} +---- Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rules. We created a Terraform module (https://github.com/gruntwork-io/package-terraform-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) 
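Review bot: the title now says "1.3.0", but the body still mixes "CIS v1.3" (section 1 of Step 3), "CIS 1.3 compliance" (section 2) and "1.3.0"; pick one form, since the page otherwise distinguishes 1.2.0 from 1.3.0 by the patch version. The matrix row for `cis-compliance-aws` is bumped to v0.9.3, which matches the `ref=v0.9.3` in the NACL example; keep those two in step whenever either is bumped.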
From 354ae23e6fd6be16bd7d256a487f1469b14d8e68 Mon Sep 17 00:00:00 2001 From: Rob Morgan Date: Wed, 20 Jan 2021 15:53:54 +0800 Subject: [PATCH 19/34] Update _posts/2021-01-06-how-to-update-to-cis-13.adoc --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index c5e11aa06..71b6a4b2b 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -183,7 +183,7 @@ To help you achieve CIS 1.3 compliance, you can find examples of how to use the EC2 supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption when creating EBS volumes is supported. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. Recommendation 2.2.1 specifies a manual process to encrypt EBS volumes using the AWS Console, however Gruntwork has developed a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/module-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to -configure AWS EBS encryption in all enabled regions for an AWS Account. +configure AWS EBS encryption in all enabled regions of an AWS Account. ==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) From 11b69119a303e434156c3ff63e47c062e22ccae2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ana=20Krivokapi=C4=87?= Date: Mon, 25 Jan 2021 12:08:00 +0100 Subject: [PATCH 20/34] Update cis-compliance-aws version Co-authored-by: Yevgeniy Brikman --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 71b6a4b2b..6e2b6628a 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -195,7 +195,7 @@ CIDRs from your office! [source,hcl] ---- module "vpc_app_network_acls" { - source = "git::git@github.com:gruntwork-io/cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.9.3" + source = "git::git@github.com:gruntwork-io/cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.10.0" # ... the existing variables weren't affected! From c4fecc10e5ea81086861e91f347dd9e08baf5836 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 25 Jan 2021 12:20:04 +0100 Subject: [PATCH 21/34] Use new repo names --- .../2021-01-06-how-to-update-to-cis-13.adoc | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 6e2b6628a..83c0ee6a4 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
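Review bot: only the module `source` is bumped to `ref=v0.10.0`; the compatibility matrix row for the same repo still says v0.9.3 and the "our docs" link at the end of the NACL section still points at `tree/v0.9.3/...#calculating-nacl-rules-limits`, so after this commit the page tells readers to use three versions of one repo. Bump the matrix row and the docs link in the same commit (in this series they are only caught up in later commits).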
@@ -115,32 +115,32 @@ compatible with CIS AWS 1.3.0: |=== |Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendations -|module-security -|https://github.com/gruntwork-io/module-security/releases/tag/v0.44.6[v0.44.6] +|terraform-aws-security +|https://github.com/gruntwork-io/terraform-aws-security/releases/tag/v0.44.6[v0.44.6] |1.20, 1.21, 2.1.1, 2.1.2, 3.10, 3.11 |terraform-aws-monitoring |https://github.com/gruntwork-io/terraform-aws-monitoring/releases/tag/v0.24.0[v0.24.0] |1.20, 2.1.1, 2.1.2 -|package-zookeeper -|https://github.com/gruntwork-io/package-zookeeper/releases/tag/v0.8.0[v0.8.0] +|terraform-aws-zookeeper +|https://github.com/gruntwork-io/terraform-aws-zookeeper/releases/tag/v0.8.0[v0.8.0] |1.20, 2.1.1, 2.1.2 |terraform-aws-vpc |https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.12.0[v0.12.0] |1.20, 2.1.1, 2.1.2 -|package-openvpn -|https://github.com/gruntwork-io/package-openvpn/releases/tag/v0.13.0[v0.13.0] +|terraform-aws-openvpn +|https://github.com/gruntwork-io/terraform-aws-openvpn/releases/tag/v0.13.0[v0.13.0] |1.20, 2.1.1, 2.1.2 -|cis-compliance-aws -|https://github.com/gruntwork-io/cis-compliance-aws/releases/tag/v0.9.3[v0.9.3] +|terraform-aws-cis-service-catalog +|https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.9.3[v0.9.3] |3.10, 3.11, 4.15, 5.1 -|aws-service-catalog -|https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4] +|terraform-aws-service-catalog +|https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4] |1.21 |=== 
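Review bot: the matrix maps every new recommendation to a repo except 1.19 and 2.2.1, although Step 3 links the modules for both (`cleanup-expired-certs` in the cis repo and `ebs-encryption-multi-region` in terraform-aws-security); add 1.19 to the `terraform-aws-cis-service-catalog` row and 2.2.1 to the `terraform-aws-security` row so readers can see which minimum version contains them.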
@@ -160,7 +160,7 @@ on the AWS website for detailed instructions. The new CIS v1.3 recommendations require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you -achieve this recommendation check out the https://github.com/gruntwork-io/cis-compliance-aws/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. +achieve this recommendation check out the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. ==== 2. Deploy IAM Access Analyzer module (recommendation 1.21) 
@@ -176,13 +176,13 @@ Once enabled and active, this service will examine the trust policies and access The IAM Access Analyzer will scan only within the boundaries of the AWS Account or Organization it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. -To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `aws-service-catalog` repository https://github.com/gruntwork-io/aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. +To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `terraform-aws-service-catalog` repository https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. ==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) EC2 supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption when creating EBS volumes is supported. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. 
Recommendation 2.2.1 specifies a manual process to encrypt EBS volumes using the AWS Console, however Gruntwork has developed -a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/module-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to +a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to configure AWS EBS encryption in all enabled regions of an AWS Account. ==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) @@ -195,7 +195,7 @@ CIDRs from your office! [source,hcl] ---- module "vpc_app_network_acls" { - source = "git::git@github.com:gruntwork-io/cis-compliance-aws.git//modules/vpc-app-network-acls?ref=v0.10.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/vpc-app-network-acls?ref=v0.10.0" # ... the existing variables weren't affected! @@ -210,5 +210,5 @@ Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rule (https://github.com/gruntwork-io/package-terraform-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) where you can request a quota increase. If you use two remote administration ports (the defaults for both modules are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs. Check out -https://github.com/gruntwork-io/cis-compliance-aws/tree/v0.9.3/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our +https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/v0.9.3/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our docs] to see how to calculate the maximum number of CIDRs that you can add. From 01453ad95c6efbd870380887d62422be3ebdf899 Mon Sep 17 00:00:00 2001 
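Review bot: the `request-quota-increase` link still points at `package-terraform-utilities` while every other `package-*` and `module-*` link in this commit was moved to its `terraform-aws-*` name; confirm whether that repository was renamed as well and, if so, update the link for consistency.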
From: Ana Krivokapic Date: Mon, 25 Jan 2021 12:24:39 +0100 Subject: [PATCH 22/34] Update versions in compatibility matrix --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 83c0ee6a4..5bd4d99d6 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -128,7 +128,7 @@ compatible with CIS AWS 1.3.0: |1.20, 2.1.1, 2.1.2 |terraform-aws-vpc -|https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.12.0[v0.12.0] +|https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.12.4[v0.12.4] |1.20, 2.1.1, 2.1.2 |terraform-aws-openvpn @@ -136,7 +136,7 @@ compatible with CIS AWS 1.3.0: |1.20, 2.1.1, 2.1.2 |terraform-aws-cis-service-catalog -|https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.9.3[v0.9.3] +|https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.10.0[v0.10.0] |3.10, 3.11, 4.15, 5.1 |terraform-aws-service-catalog From 6122278ca959653f59a2ed118f9a4f03db476159 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 25 Jan 2021 12:28:15 +0100 Subject: [PATCH 23/34] Update another version --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 5bd4d99d6..bb4a09060 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -210,5 +210,5 @@ Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rule (https://github.com/gruntwork-io/package-terraform-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) where you can request a quota increase. If you use two remote administration ports (the defaults for both modules are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs. Check out -https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/v0.9.3/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our +https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/v0.10.0/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our docs] to see how to calculate the maximum number of CIDRs that you can add. From e80a4ee74d6a4d47a44a44fc549cffcc8e65ca65 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 25 Jan 2021 14:03:30 +0100 Subject: [PATCH 24/34] Mention ACME updates --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index bb4a09060..178dc0483 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -83,6 +83,10 @@ configure the newly created modules. [[deployment_walkthrough]] == Deployment walkthrough +Please follow the steps below to upgrade from the version 1.2.0 to 1.3.0 of the Benchmark. To see the actual relevant code +changes, please refer to the ACME CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] +and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. + === Step 1: Update references to the Gruntwork Infrastructure as Code Library In order to update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork 
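Review bot: "upgrade from the version 1.2.0 to 1.3.0 of the Benchmark" should read "upgrade from version 1.2.0 to version 1.3.0 of the Benchmark", and "the actual relevant code changes" can be shortened to "the corresponding code changes".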
From 957bb167826a633263c83e0dc2615dff71eefb98 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Mon, 25 Jan 2021 14:08:40 +0100 Subject: [PATCH 25/34] Word improvement + upgrade example for cis nacl --- .../2021-01-06-how-to-update-to-cis-13.adoc | 52 ++++++++++--------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 178dc0483..bfea31e3b 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -26,7 +26,7 @@ endif::[] == Intro This guide will walk you through the upgrade process from the 1.2.0 to the 1.3.0 version of the CIS AWS Foundations Benchmark. -If your infrastructure is already compliant with the 1.2.0 version of the Benchmark, and you are looking to upgrade to 1.3.0, +If your infrastructure is already compliant with the Benchmark's 1.2.0 version, and you are looking to upgrade to 1.3.0, this guide is for you. If you are starting to work on compliance with this benchmark from scratch, check out our https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/[How to achieve compliance with the CIS AWS Foundations Benchmark] guide instead. 
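Review bot: "already compliant with the Benchmark's 1.2.0 version" is harder to read than the original "the 1.2.0 version of the Benchmark", which also matches how the rest of the page names versions; suggest keeping the original wording here.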
@@ -51,8 +51,8 @@ This guide consists of two main sections: The 1.3.0 version of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the -Benchmark (as well as all the previous versions). The latest version introduces several new recommendations, and this guide -will walk you through implementing these using Gruntwork's Infrastructure as Code Library, +Benchmark (as well as all the previous versions). The latest version introduces several new recommendations. This guide +will walk you through implementing these using Gruntwork's Infrastructure as Code Library so that your infrastructure is fully compliant with version 1.3.0 of the framework. ==== New recommendations 
@@ -60,24 +60,24 @@ These are the new recommendations introduced in version 1.3.0 of the Benchmark. between versions 1.2.0 and 1.3.0: - 1.19: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed -- 1.20: Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’ -- 1.21: Ensure that IAM Access analyzer is enabled +- 1.20: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' +- 1.21: Ensure that the IAM Access analyzer is enabled - 2.1.1: Ensure all S3 buckets employ encryption-at-rest - 2.1.2: Ensure S3 Bucket Policy allows HTTPS requests - 2.2.1: Ensure EBS volume encryption is enabled - 3.10: Ensure that object-level logging for write events is enabled for (CloudTrail) S3 bucket -- 3.11: Ensure that object-level logging for read events is enabled for (CloudTrail) S3 bucket +- 3.11: Ensure that object-level logging for reading events is enabled for (CloudTrail) S3 bucket - 4.15: Ensure a log metric filter and alarm exists for AWS Organizations changes - 5.1: Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports -==== New Gruntwork modules vs existing modules +==== New Gruntwork modules vs. existing modules To achieve compliance with the newly added 10 recommendations listed above, we created four new modules in the Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modules. Namely: recommendations 1.19, 1.21, -2.2.1 and 5.1 required the creation of new modules; the rest of the recommendations were achieved by updating existing modules. +2.2.1 and 5.1 required creating new modules; the rest of the recommendations were achieved by updating existing modules. 
-To ensure compliance with the version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the -instructions in the <> section of this guide; specifically, follow Steps 1 and 2 to ensure that -the existing modules get updated to their CIS 1.3.0 compliant versions, and follow Step 3 to ensure that you install and +To ensure compliance with version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the +instructions in the <> section of this guide; precisely, follow Steps 1 and 2 to ensure that +the existing modules get updated to their CIS 1.3.0 compliant versions and follow Step 3 to ensure that you install and configure the newly created modules. [[deployment_walkthrough]] 
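Review bot: changing recommendation 3.11 from "object-level logging for read events" to "for reading events" alters the title of a CIS recommendation, and the benchmark says "read events"; the list is presented as a "diff" of the benchmark, so its titles should be quoted verbatim (the inserted "the" in 1.21 is the same kind of drift). In the following paragraph, "specifically, follow Steps 1 and 2" was replaced by "precisely, follow Steps 1 and 2"; "precisely" does not mean "specifically" here, so revert that word.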
@@ -89,10 +89,9 @@ and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. === Step 1: Update references to the Gruntwork Infrastructure as Code Library -In order to update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork -Infrastructure as Code Library to use compatible versions. We (Gruntwork) have reviewed and updated all the modules in the -library for compatibility with the new version of the Benchmark. As a customer, you need to update to -the proper versions of the Gruntwork library to pick up the fixes/changes that were made to be compatible. Refer to +To update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork +Infrastructure as Code Library to use compatible versions. We (Gruntwork) have reviewed and updated all the library modules for compatibility with the new version of the Benchmark. As a customer, you need to update to +the proper versions of the Gruntwork library to pick up the fixes/changes made to be compatible. Refer to https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#updating[the "Updating" section of "How to use the Gruntwork Infrastructure as Code Library"] for instructions on how to update the versions in your code. 
@@ -105,11 +104,11 @@ version.** [.exceptional] IMPORTANT: Gruntwork follows https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#versioning[semantic -versioning]. For any pre-1.0 modules, this means that version updates to the minor version are considered backwards -incompatible releases for any version updates prior to 1.0.0 release. Make sure to read the release notes for the +versioning]. For any pre-1.0 modules, this means that version updates to the minor version are considered backward +incompatible releases for any version updates before the 1.0.0 release. Make sure to read the release notes for the relevant modules any time you are updating minor versions! Note that you will want to read the release notes for each minor version that is updated (e.g., if you are going from v0.5.x to v0.9.x, you will want to read the notes for v0.6.0, -v0.7.0, v0.8.0, and v0.9.0 to get the full list of backwards incompatible updates). +v0.7.0, v0.8.0, and v0.9.0 to get the full list of backward incompatible updates). The following table provides a summary of all the relevant Gruntwork AWS modules and the respective versions that are compatible with CIS AWS 1.3.0: @@ -153,7 +152,7 @@ compatible with CIS AWS 1.3.0: === Step 2: Manual steps Recommendation 4.15 requires an active subscriber for the SNS topic created by this recommendation (see Audit steps 6 -and 7 for 4.15). As it's impossible to automate creation of this subscriber, you'll have to do so manually. See +and 7 for 4.15). As it's impossible to automate this subscriber's creation, you'll have to do so manually. See https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html[Subscribing to an Amazon SNS topic] on the AWS website for detailed instructions. 
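Review bot: "it's impossible to automate this subscriber's creation" overstates the manual step; an SNS subscription for an SQS, Lambda or HTTPS endpoint can be created in Terraform, and what cannot be automated is the confirmation that the owner of an email endpoint must perform. State which endpoint type the manual step assumes and why that one needs a human, so readers who subscribe a queue or function know they can keep it in code.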
@@ -164,7 +163,7 @@ on the AWS website for detailed instructions. The new CIS v1.3 recommendations require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you -achieve this recommendation check out the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. +achieve this recommendation, check out the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. ==== 2. Deploy IAM Access Analyzer module (recommendation 1.21) 
@@ -178,16 +177,16 @@ Once enabled and active, this service will examine the trust policies and access - AWS Lambda functions and layers; - Amazon Simple Queue Service queues. -The IAM Access Analyzer will scan only within the boundaries of the AWS Account or Organization it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. +The IAM Access Analyzer will scan only within the AWS Account or Organization boundaries it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `terraform-aws-service-catalog` repository https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. ==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) EC2 supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption when creating EBS volumes is supported. Encrypting data at rest reduces the likelihood that it is -unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. 
Recommendation 2.2.1 specifies a manual process to encrypt EBS volumes using the AWS Console, however Gruntwork has developed +unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. Recommendation 2.2.1 specifies a manual process to encrypt EBS volumes using the AWS Console; however, Gruntwork has developed a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to -configure AWS EBS encryption in all enabled regions of an AWS Account. +configure AWS EBS encryption in all allowed regions of an AWS Account. ==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) 
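Review bot: the last line of hunk @@ -178,16 +177,16 @@ changes "configure AWS EBS encryption in all enabled regions of an AWS Account" to "in all allowed regions", while the sentence just before it in the same hunk still says the module "configures volume encryption by default in all enabled regions"; keep "enabled regions", which is also the term AWS uses for opt-in regions, so the two sentences agree. The rewording "within the AWS Account or Organization boundaries it has been enabled for" also reads worse than the original "within the boundaries of the AWS Account or Organization it has been enabled for"; suggest reverting that line and only keeping the comma fixes.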
@@ -203,15 +202,18 @@ module "vpc_app_network_acls" { # ... the existing variables weren't affected! - allow_administrative_remote_access_cidrs = { + allow_administrative_remote_access_cidrs_public_subnets = { berlin_office = "1.2.3.4/32" ny_office = "6.7.8.9/32" } + + allow_administrative_remote_access_cidrs_private_app_subnets = { app_vpc_cidrs = module.app_vpc.vpc_cidr_block } + allow_administrative_remote_access_cidrs_private_persistence_subnets = { app_vpc_cidrs = module.app_vpc.vpc_cidr_block } } ---- Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rules. We created a Terraform module -(https://github.com/gruntwork-io/package-terraform-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) +(https://github.com/gruntwork-io/terraform-aws-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) where you can request a quota increase. If you use two remote administration ports (the defaults for both modules are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs. Check out https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/v0.10.0/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our From 70264d78eeb19a071b35bdc8514614c3d626a459 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 25 Jan 2021 14:12:14 +0100 Subject: [PATCH 26/34] s/ACME/Acme --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index bfea31e3b..88df737fe 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
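Review bot: in hunk @@ -203,15 +202,18 @@ the comment "# ... the existing variables weren't affected!" sits directly above the rename of `allow_administrative_remote_access_cidrs` to `allow_administrative_remote_access_cidrs_public_subnets`, so the snippet contradicts itself; either drop the comment or say explicitly that this argument was renamed and the two `_private_*` arguments are new. The added blank line before `allow_administrative_remote_access_cidrs_private_app_subnets` has no counterpart before `allow_administrative_remote_access_cidrs_private_persistence_subnets`; make the spacing consistent so the three maps read as a group.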
@@ -84,7 +84,7 @@ configure the newly created modules. == Deployment walkthrough Please follow the steps below to upgrade from the version 1.2.0 to 1.3.0 of the Benchmark. To see the actual relevant code -changes, please refer to the ACME CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] +changes, please refer to the Acme CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. === Step 1: Update references to the Gruntwork Infrastructure as Code Library From 71af098c7b2017d965a8d5732ea9532c36b254de Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Tue, 26 Jan 2021 10:22:18 +0100 Subject: [PATCH 27/34] Update wording around |v|version --- .../2021-01-06-how-to-update-to-cis-13.adoc | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 88df737fe..6c95f0c50 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -1,8 +1,8 @@ --- -title: How to update to CIS AWS Foundations Benchmark 1.3.0 +title: How to update to CIS AWS Foundations Benchmark v1.3.0 categories: Upgrades image: /assets/img/guides/refresh_icon.png -excerpt: Learn how to update to the 1.3.0 version of the CIS AWS Foundations Benchmark +excerpt: Learn how to update to the version 1.3.0 of the CIS AWS Foundations Benchmark tags: ["aws", "security", "compliance"] cloud: ["aws"] redirect_from: /static/guides/upgrades/how-to-update-to-cis-13/ 
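Review bot: in hunk @@ -1,8 +1,8 @@ the new excerpt "Learn how to update to the version 1.3.0 of the CIS AWS Foundations Benchmark" is ungrammatical; drop "the" ("update to version 1.3.0"). The title in the same hunk now uses "v1.3.0" while the excerpt uses "version 1.3.0"; pick one form and carry it through the body.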
@@ -25,8 +25,8 @@ endif::[] == Intro -This guide will walk you through the upgrade process from the 1.2.0 to the 1.3.0 version of the CIS AWS Foundations Benchmark. -If your infrastructure is already compliant with the Benchmark's 1.2.0 version, and you are looking to upgrade to 1.3.0, +This guide will walk you through the upgrade process from the 1.2.0 to the version 1.3.0 of the CIS AWS Foundations Benchmark. +If your infrastructure is already compliant with the Benchmark's version 1.2.0, and you are looking to upgrade to v1.3.0, this guide is for you. If you are starting to work on compliance with this benchmark from scratch, check out our https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/[How to achieve compliance with the CIS AWS Foundations Benchmark] guide instead. @@ -36,12 +36,12 @@ guide instead. This guide consists of two main sections: <>:: - An overview of the CIS AWS Foundations Benchmark 1.3.0 and why it is important to update your code for compatibility. + An overview of the CIS AWS Foundations Benchmark v1.3.0 and why it is important to update your code for compatibility. <>:: - The steps you need to take to update your code to be compliant with CIS AWS 1.3.0. It includes a + The steps you need to take to update your code to be compliant with CIS AWS v1.3.0. It includes a <> you can use as a reference to know which Gruntwork Repo version - tag is compatible with CIS AWS 1.3.0, as well as the manuals step you need to perform to achieve said compliance. + tag is compatible with CIS AWS v1.3.0, as well as the manuals step you need to perform to achieve said compliance. [[core_concepts]] 
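Review bot: in hunk @@ -25,8 +25,8 @@ the sentence "from the 1.2.0 to the version 1.3.0 of the CIS AWS Foundations Benchmark" mixes two forms and is ungrammatical; use "from version 1.2.0 to version 1.3.0". The next line, "looking to upgrade to v1.3.0", introduces a third form in the same paragraph; pick one, presumably "v1.3.0" given the title change in this patch, and apply it throughout.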
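Review bot: hunk @@ -36,12 +36,12 @@ edits the line "tag is compatible with CIS AWS v1.3.0, as well as the manuals step you need to perform" but leaves the typo "manuals step"; since the line is already being touched, change it to "manual steps" here.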
@@ -49,7 +49,7 @@ This guide consists of two main sections: === Background -The 1.3.0 version of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the +The version 1.3.0 of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the Benchmark (as well as all the previous versions). The latest version introduces several new recommendations. This guide will walk you through implementing these using Gruntwork's Infrastructure as Code Library @@ -77,13 +77,13 @@ Gruntwork's Infrastructure as Code Library, and updated a bunch of existing modu To ensure compliance with version 1.3.0 of the CIS AWS Foundations Benchmark, you'll need to follow all the instructions in the <> section of this guide; precisely, follow Steps 1 and 2 to ensure that -the existing modules get updated to their CIS 1.3.0 compliant versions and follow Step 3 to ensure that you install and +the existing modules get updated to their CIS AWS v1.3.0 compliant versions and follow Step 3 to ensure that you install and configure the newly created modules. [[deployment_walkthrough]] == Deployment walkthrough -Please follow the steps below to upgrade from the version 1.2.0 to 1.3.0 of the Benchmark. To see the actual relevant code +Please follow the steps below to upgrade from the version 1.2.0 to version 1.3.0 of the Benchmark. To see the actual relevant code changes, please refer to the Acme CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. 
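Review bot: hunk @@ -49,7 +49,7 @@ turns the opening sentence into "The version 1.3.0 of the CIS AWS Foundations Benchmark was released"; drop the leading "The" ("Version 1.3.0 of ...").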
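Review bot: the context lines of hunk @@ -77,13 +77,13 @@ tell readers to "follow Steps 1 and 2 to ensure that the existing modules get updated ... and follow Step 3 to ensure that you install and configure the newly created modules", but the walkthrough in this file has only "=== Step 1: Update references ..." and "=== Step 2: Manual steps", with the new-module deployments as numbered sub-sections 1 to 4 under Step 2. Either promote those sub-sections to a "Step 3" heading or change this sentence to point at the numbered items under Step 2, otherwise readers will look for a step that does not exist.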
@@ -111,12 +111,12 @@ minor version that is updated (e.g., if you are going from v0.5.x to v0.9.x, you v0.7.0, v0.8.0, and v0.9.0 to get the full list of backward incompatible updates). The following table provides a summary of all the relevant Gruntwork AWS modules and the respective versions that are -compatible with CIS AWS 1.3.0: +compatible with CIS AWS v1.3.0: [[compatibility_table]] [cols="1,1h,1"] |=== -|Gruntwork Repo |Minimum version with CIS AWS 1.3.0 support |Corresponding CIS AWS 1.3.0 recommendations +|Gruntwork Repo |Minimum version with CIS AWS v1.3.0 support |Corresponding CIS AWS v1.3.0 recommendations |terraform-aws-security |https://github.com/gruntwork-io/terraform-aws-security/releases/tag/v0.44.6[v0.44.6] From 2201b069e49c391df7b3653575aaa6e34c0978c9 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Tue, 26 Jan 2021 10:44:47 +0100 Subject: [PATCH 28/34] Fix the version/version --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 6c95f0c50..22dfeec90 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -2,7 +2,7 @@ title: How to update to CIS AWS Foundations Benchmark v1.3.0 categories: Upgrades image: /assets/img/guides/refresh_icon.png -excerpt: Learn how to update to the version 1.3.0 of the CIS AWS Foundations Benchmark +excerpt: Learn how to update to version 1.3.0 of the CIS AWS Foundations Benchmark tags: ["aws", "security", "compliance"] cloud: ["aws"] redirect_from: /static/guides/upgrades/how-to-update-to-cis-13/ 
@@ -25,7 +25,7 @@ endif::[] == Intro -This guide will walk you through the upgrade process from the 1.2.0 to the version 1.3.0 of the CIS AWS Foundations Benchmark. +This guide will walk you through the upgrade process from the 1.2.0 to version 1.3.0 of the CIS AWS Foundations Benchmark. If your infrastructure is already compliant with the Benchmark's version 1.2.0, and you are looking to upgrade to v1.3.0, this guide is for you. If you are starting to work on compliance with this benchmark from scratch, check out our https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/[How to achieve compliance with the CIS AWS Foundations Benchmark] @@ -83,7 +83,7 @@ configure the newly created modules. [[deployment_walkthrough]] == Deployment walkthrough -Please follow the steps below to upgrade from the version 1.2.0 to version 1.3.0 of the Benchmark. To see the actual relevant code +Please follow the steps below to upgrade from version 1.2.0 to version 1.3.0 of the Benchmark. To see the actual relevant code changes, please refer to the Acme CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. From a8f9b6fcf7aec065cbc66ad4267890cc78084866 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Tue, 26 Jan 2021 10:55:15 +0100 Subject: [PATCH 29/34] Fix the CIS/CIS AWS --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 22dfeec90..1ac1e1469 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
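Review bot: hunk @@ -25,7 +25,7 @@ leaves "from the 1.2.0 to version 1.3.0" in the Intro while the second hunk of this patch fixes the walkthrough line to "from version 1.2.0 to version 1.3.0"; apply the same fix to the Intro so both sentences match.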
@@ -161,7 +161,7 @@ on the AWS website for detailed instructions. ==== 1. Deploy the Cleanup Expired Certs module (recommendation 1.19) -The new CIS v1.3 recommendations require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed +The new CIS AWS v1.3 recommendations require that all expired SSL/TLS certificates stored in AWS IAM are automatically removed. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you achieve this recommendation, check out the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. 
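Review bot: hunk @@ -161,7 +161,7 @@ changes "CIS v1.3" to "CIS AWS v1.3", but the rest of this series standardises on "CIS AWS v1.3.0" (title, excerpt, table header); use the full version here and in the matching "CIS AWS v1.3 compliance" line of the next hunk so the document uses one form.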
@@ -179,7 +179,7 @@ Once enabled and active, this service will examine the trust policies and access The IAM Access Analyzer will scan only within the AWS Account or Organization boundaries it has been enabled for. The results from this scan will be visible and accessible through the AWS CLI and the AWS Web console. For more information and details on what the AWS IAM Access Analyzer can achieve for your AWS Account and Organization, please refer to the official https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html[AWS docs]. -To help you achieve CIS 1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `terraform-aws-service-catalog` repository https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. +To help you achieve CIS AWS v1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `terraform-aws-service-catalog` repository https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. ==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) From 801a74358dd3232cf824e34e20ac221860b3d364 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Tue, 26 Jan 2021 15:58:49 +0100 Subject: [PATCH 30/34] Put Acme examples in a NOTE block --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 1ac1e1469..ce0e3a7ff 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -83,10 +83,14 @@ configure the newly created modules. [[deployment_walkthrough]] == Deployment walkthrough +[NOTE] +==== Please follow the steps below to upgrade from version 1.2.0 to version 1.3.0 of the Benchmark. To see the actual relevant code -changes, please refer to the Acme CIS examples https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[here] -and https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[here]. +changes, please refer to the Acme CIS examples: +* https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[cis-infrastructure-modules-acme] +* https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[cis-infrastructure-live-acme] +==== === Step 1: Update references to the Gruntwork Infrastructure as Code Library To update to the CIS AWS Foundations Benchmark v1.3.0, you need to update your references to the Gruntwork From cc6d5efceccb440d87fa13e2a84a5b026d81d6e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ana=20Krivokapi=C4=87?= Date: Tue, 2 Feb 2021 12:07:17 +0100 Subject: [PATCH 31/34] Update version of terraform-aws-vpc Co-authored-by: Ina Stoyanova --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index ce0e3a7ff..9f3b87a64 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
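Review bot: hunk @@ -83,10 +83,14 @@ moves the sentence "Please follow the steps below to upgrade from version 1.2.0 to version 1.3.0 of the Benchmark" into the [NOTE] block together with the Acme links, but that sentence is the section's main instruction, not an aside; keep it as a normal paragraph before the admonition and put only "To see the actual relevant code changes, please refer to the Acme CIS examples:" and the two bullets inside it. Also insert a blank line between the "examples:" sentence and the first "*" item, and check the rendered output, since AsciiDoc may otherwise treat the items as a continuation of the paragraph rather than a list.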
@@ -135,7 +135,7 @@ compatible with CIS AWS v1.3.0: |1.20, 2.1.1, 2.1.2 |terraform-aws-vpc -|https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.12.4[v0.12.4] +|https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.13.0[v0.13.0] |1.20, 2.1.1, 2.1.2 |terraform-aws-openvpn From ded36fac37ee3cc7ec98b7c918cf3c378f9c25f4 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Tue, 2 Feb 2021 17:32:24 +0100 Subject: [PATCH 32/34] NACL rules docs fixes --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index 9f3b87a64..b254af62b 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
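Review bot: hunk @@ -135,7 +135,7 @@ bumps terraform-aws-vpc from v0.12.4 to v0.13.0, a minor-version change that the IMPORTANT admonition earlier in this file defines as backward incompatible for pre-1.0 modules, so point readers at the v0.13.0 release notes from this row or from Step 2 item 4. The recommendations cell for this row, "1.20, 2.1.1, 2.1.2", is identical to the row above it, while the NACL section later in this file ties terraform-aws-vpc to recommendation 5.1; please double-check that cell.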
@@ -194,10 +194,13 @@ configure AWS EBS encryption in all allowed regions of an AWS Account. ==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) -If you are already using the `vpc-app-network-acl` and/or `vpc-mgmt-network-acl` modules, you need to update the +To help us achieve CIS 1.3 compliance, we've also created the `vpc-app-network-acl` module in our https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/vpc-app-network-acls[dedicated CIS service catalog]. This module is designed to follow CIS 1.3 recommendations - restrict access by default, but only allow explicitly listed SSH and RDP connections and hosts. To be compliant, you'll need to deploy the new module. For more details, please refer to the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/vpc-app-network-acls/README.md[dedicated module README] and https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/vpc-network-acls[the relevant example]. + +If you are already using the `vpc-app-network-acl` or `vpc-mgmt-network-acl` modules, you need to update the source URL from the https://github.com/gruntwork-io/terraform-aws-vpc[`terraform-aws-vpc` module] (previously known -as `module-vpc`). There is one new required argument, `allow_administrative_remote_access_cidrs`. You will add the -CIDRs from your office! +as `module-vpc`). To make sure you won't delete your existing Network ACL rules, you need to follow our https://github.com/gruntwork-io/cis-infrastructure-modules-acme/blob/migration-nacl/networking/vpc-app/migration-guides/migrating_to_cis_v13.md[migration guide] that uses `terragrunt state mv` to update the state. 
+ +The new required arguments are `allow_administrative_remote_access_cidrs`, for your office CIDRs, `allow_administrative_remote_access_cidrs_private_app_subnets` and `allow_administrative_remote_access_cidrs_private_persistence_subnets`, for the private subnets, with the CIDRs of the VPC or specific subnets within that VPC. [source,hcl] ---- @@ -216,9 +219,14 @@ module "vpc_app_network_acls" { } ---- -Note that these new Network ACL Rules exceed the default AWS Quota for NACL Rules. We created a Terraform module +===== 4.1 Network ACL Rules Quota limit + +The new Network ACL Rules exceed the default AWS Quota for NACL Rules. To solve this issue, we created a Terraform module (https://github.com/gruntwork-io/terraform-aws-utilities/tree/master/modules/request-quota-increase[`request-quota-increase`]) -where you can request a quota increase. If you use two remote administration ports (the defaults for both modules +to request a quota increase! You can see a terragrunt example in the https://github.com/gruntwork-io/cis-infrastructure-live-acme/tree/master/prod/_global/request-quota-increase[cis-infrastructure-live-acme repository]. + + +After increase to the AWS maximum quota, when you use two remote administration ports (the defaults for both modules are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs. Check out https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/v0.10.0/modules/vpc-app-network-acls#calculating-nacl-rules-limits[our docs] to see how to calculate the maximum number of CIDRs that you can add. From 7bd245b35077a5b2b84c6dead5ed83fb74cc04b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ana=20Krivokapi=C4=87?= Date: Wed, 3 Feb 2021 12:26:01 +0100 Subject: [PATCH 33/34] Apply suggestions from code review Co-authored-by: Yevgeniy Brikman --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
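Review bot: in hunk @@ -194,10 +194,13 @@ the new paragraph opens "To help us achieve CIS 1.3 compliance"; this should be "To help you", and "CIS 1.3" should follow the "CIS AWS v1.3.0" form used elsewhere in the series. "restrict access by default, but only allow explicitly listed SSH and RDP connections and hosts" describes one policy, not a contrast, so "and" reads better than "but". The last added line names `allow_administrative_remote_access_cidrs` as the required argument "for your office CIDRs", but the HCL example for this section in the earlier hunk uses `allow_administrative_remote_access_cidrs_public_subnets`; one of the two is wrong and will send readers to a non-existent argument. Finally, the migration guide link points at the `migration-nacl` branch of cis-infrastructure-modules-acme; link a tag or master once that branch is merged, or the link will break when the branch is deleted.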
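Review bot: in hunk @@ -216,9 +219,14 @@ "After increase to the AWS maximum quota, when you use two remote administration ports ..." is ungrammatical; suggest "After the quota increase, if you use two remote administration ports (the defaults for both modules are 22 (SSH) and 3389 (Remote Desktop)), you can add up to 10 CIDRs." The sentence ending "to request a quota increase!" reads oddly in a compliance guide; a full stop is enough. The extra empty "+" line between the two new paragraphs is a double blank line; drop one.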
diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index b254af62b..d64cbe886 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc @@ -25,7 +25,7 @@ endif::[] == Intro -This guide will walk you through the upgrade process from the 1.2.0 to version 1.3.0 of the CIS AWS Foundations Benchmark. +This guide will walk you through how to update from version 1.2.0 to version 1.3.0 of the CIS AWS Foundations Benchmark. If your infrastructure is already compliant with the Benchmark's version 1.2.0, and you are looking to upgrade to v1.3.0, this guide is for you. If you are starting to work on compliance with this benchmark from scratch, check out our https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/[How to achieve compliance with the CIS AWS Foundations Benchmark] @@ -49,7 +49,7 @@ This guide consists of two main sections: === Background -The version 1.3.0 of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the +Version 1.3.0 of the CIS AWS Foundations Benchmark was released in September of 2020. You can refer to the https://www.cisecurity.org/benchmark/amazon_web_services/[CIS website] where you can download the latest version of the Benchmark (as well as all the previous versions). The latest version introduces several new recommendations. This guide will walk you through implementing these using Gruntwork's Infrastructure as Code Library 
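Review bot: hunk @@ -25,7 +25,7 @@ now reads "update from version 1.2.0 to version 1.3.0" while the unchanged next line still says "looking to upgrade to v1.3.0"; since this patch is the wording pass, align the two forms in the same paragraph.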
@@ -85,8 +85,8 @@ configure the newly created modules. [NOTE] ==== -Please follow the steps below to upgrade from version 1.2.0 to version 1.3.0 of the Benchmark. To see the actual relevant code -changes, please refer to the Acme CIS examples: +Please follow the steps below to upgrade from version 1.2.0 to version 1.3.0 of the Benchmark. To see examples of what the relevant code +changes look like, please refer to these pull requests in the Acme CIS Reference Architecture: * https://github.com/gruntwork-io/cis-infrastructure-modules-acme/pull/6[cis-infrastructure-modules-acme] * https://github.com/gruntwork-io/cis-infrastructure-live-acme/pull/8[cis-infrastructure-live-acme] From 8ada2d539f0d5988ff84905101214d750accfb40 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Wed, 3 Feb 2021 12:41:01 +0100 Subject: [PATCH 34/34] Add links to the main guide --- _posts/2021-01-06-how-to-update-to-cis-13.adoc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/_posts/2021-01-06-how-to-update-to-cis-13.adoc b/_posts/2021-01-06-how-to-update-to-cis-13.adoc index d64cbe886..cf0af9905 100644 --- a/_posts/2021-01-06-how-to-update-to-cis-13.adoc +++ b/_posts/2021-01-06-how-to-update-to-cis-13.adoc 
@@ -169,6 +169,10 @@ The new CIS AWS v1.3 recommendations require that all expired SSL/TLS certificat accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates. To help you achieve this recommendation, check out the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/cleanup-expired-certs/terraform[example] of the ready-made `cleanup-expired-certs` module. +For the code examples of deploying this module, see the +link:https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/#cleanup_expired_certs_deployment[relevant section] +of our "How to achieve compliance with the CIS AWS Foundations Benchmark" guide. + ==== 2. Deploy IAM Access Analyzer module (recommendation 1.21) The updated recommendations also require that the AWS IAM Access Analyzer service is enabled across all active regions in a given AWS account or organization. 
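Review bot: hunk @@ -169,6 +169,10 @@ adds "For the code examples of deploying this module, see the ... relevant section"; "For code examples" (no "the") reads better, and this exact paragraph is repeated verbatim in the next three hunks, so a shorter lead-in would reduce the repetition. The new links use the `link:https://...[...]` macro whereas every other link in this file uses the bare `https://...[...]` form; both render in AsciiDoc, but keep one style.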
@@ -185,6 +189,10 @@ The IAM Access Analyzer will scan only within the AWS Account or Organization bo To help you achieve CIS AWS v1.3 compliance, you can find examples of how to use the ready-made module as part of the `landingzone` module in the `terraform-aws-service-catalog` repository https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.15.4[v0.15.4], and specifically the `account-baseline-root` and `account-baseline-security` https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v0.15.4/examples/for-learning-and-testing/landingzone[examples]. +For the code examples of deploying this module, see the +link:https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/#iam_access_analyzer_deployment[relevant section] +of our "How to achieve compliance with the CIS AWS Foundations Benchmark" guide. + ==== 3. Deploy the ebs-encryption-multi-region module (recommendation 2.2.1) EC2 supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption when creating EBS volumes is supported. Encrypting data at rest reduces the likelihood that it is 
@@ -192,6 +200,10 @@ unintentionally exposed and can nullify the impact of disclosure if the encrypti a module that configures volume encryption by default in all enabled regions. Check out the https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ebs-encryption-multi-region[ebs-encryption-multi-region] to configure AWS EBS encryption in all allowed regions of an AWS Account. +For the code examples of deploying this module, see the +link:https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/#encrypt_ebs_volumes[relevant section] +of our "How to achieve compliance with the CIS AWS Foundations Benchmark" guide. + ==== 4. Deploy the vpc-app-network-acl and vpc-mgmt-network-acl modules (recommendation 5.1) To help us achieve CIS 1.3 compliance, we've also created the `vpc-app-network-acl` module in our https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/vpc-app-network-acls[dedicated CIS service catalog]. This module is designed to follow CIS 1.3 recommendations - restrict access by default, but only allow explicitly listed SSH and RDP connections and hosts. To be compliant, you'll need to deploy the new module. For more details, please refer to the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/vpc-app-network-acls/README.md[dedicated module README] and https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/vpc-network-acls[the relevant example]. 
@@ -219,6 +231,10 @@ module "vpc_app_network_acls" { } ---- +For the code examples of deploying this module, see the +link:https://gruntwork.io/guides/compliance/how-to-achieve-cis-benchmark-compliance/#configure_networking[relevant section] +of our "How to achieve compliance with the CIS AWS Foundations Benchmark" guide. + ===== 4.1 Network ACL Rules Quota limit The new Network ACL Rules exceed the default AWS Quota for NACL Rules. To solve this issue, we created a Terraform module