Add AWS benchmark cis_v600 #941
base: release/v1.10.0
Conversation
Pull Request Overview
This PR adds the AWS CIS (Center for Internet Security) v6.0.0 benchmark implementation, establishing a comprehensive security compliance framework for AWS services. The benchmark provides prescriptive guidance for configuring security options across various AWS services with emphasis on foundational, testable, and architecture-agnostic settings.
Key Changes:
- Implements CIS v6.0.0 benchmark structure with 5 main sections (Identity & Access Management, Storage, Logging, Monitoring, Networking)
- Adds 96 individual security controls across AWS services including IAM, S3, RDS, EFS, EC2, VPC, CloudTrail, CloudWatch, and Security Hub
- Provides comprehensive documentation with remediation steps for each control
Reviewed Changes
Copilot reviewed 79 out of 80 changed files in this pull request and generated 6 comments.
File | Description |
---|---|
cis_v600/cis.pp | Main benchmark definition and structure |
cis_v600/section_*.pp | Section implementations for Identity & Access Management, Storage, Logging, Monitoring, and Networking |
cis_v600/docs/*.md | Comprehensive documentation including remediation procedures and default value explanations for all controls |
cis_v600/docs/cis_v600_5_13.md
Outdated
If you are using CloudTrail trails and CloudWatch, perform the following steps to set up the metric filter, alarm, SNS topic, and subscription: | ||
|
||
1. Create a metric filter based on the provided filter pattern that checks for route table changes and uses the `<trail-log-group-name>` taken from audit step 1: | ||
2. aws logs put-metric-filter --log-group-name <trail-log-group-name> --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' |
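Review bot: the `aws logs put-metric-filter` command is numbered as list item 2 although it is the command that carries out step 1; put it in a fenced `bash` block under step 1, as the 5.2 and 5.14 docs do, so the step numbers are not consumed by commands. As written the CLI will also reject it: `--filter-name` and `--metric-transformations` are required, and the 5.14 doc already shows the form to follow, `--filter-name <route-changes-metric> --metric-transformations metricName=<route-changes-metric>,metricNamespace='CISBenchmark',metricValue=1` (placeholder names chosen to match the existing convention).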
Command is missing required parameters --filter-name and --metric-transformations that are present in other similar commands in the codebase.
@khushboo9024 please take a look at the review comments, thanks!!
Pull Request Overview
Copilot reviewed 80 out of 80 changed files in this pull request and generated 6 comments.
cis_v600/docs/cis_v600_4_4.md
Outdated
aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName | ||
``` | ||
|
||
2. Copy and add the target bucket name at `<bucket-name>`, the prefix for the log file at `<log-file-prefix>, `and optionally add an email address in the following template, then save it as` <file-name>.json:` |
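Review bot: the `--query trailList[*].S3BucketName` argument on the first line is unquoted, and `[*]` is a shell glob; in bash the argument is rewritten if a matching file exists in the working directory, and zsh aborts with "no matches found" by default. Quote it: `--query 'trailList[*].S3BucketName'`. The step-2 sentence also has its backticks shifted one token to the right (`<log-file-prefix>, `and ... `it as` <file-name>.json:`); the placeholders should read `<log-file-prefix>` and `<file-name>.json` with the punctuation outside the backticks.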
The sentence has inconsistent backtick usage and formatting. The backticks around text should be consistent and there's an extra backtick before '.json:'.
2. Copy and add the target bucket name at `<bucket-name>`, the prefix for the log file at `<log-file-prefix>, `and optionally add an email address in the following template, then save it as` <file-name>.json:` | |
2. Copy and add the target bucket name at `<bucket-name>`, the prefix for the log file at `<log-file-prefix>`, and optionally add an email address in the following template, then save it as `<file-name>.json`: |
Pull Request Overview
Copilot reviewed 79 out of 80 changed files in this pull request and generated 8 comments.
cis_v600/docs/cis_v600_5_2.md
Outdated
|
||
**Note**: Capture the `TopicArn` that is displayed when creating the SNS topic in step 2. | ||
|
||
2. Create an SNS subscription for the topic created in step 2: |
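Review bot: the subscription step is labelled `2.` while the Note directly above it already refers to the SNS topic being created in step 2, so two steps share one number and the "topic created in step 2" reference is ambiguous. Renumber the subscription step and re-check that the "step 2" cross-references in both the Note and this step still point at the topic-creation step once the sequence is fixed.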
Step numbering is incorrect. The second instance of step '2' should be step '4' to maintain proper sequence in the remediation instructions.
5. Implement logging and alerting mechanisms: | ||
|
||
```bash | ||
aws sns create-topic --name NetworkGatewayChangesAlerts | ||
``` | ||
|
||
```bash | ||
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <email-address> | ||
``` | ||
|
||
```bash | ||
aws cloudwatch put-metric-alarm --alarm-name NetworkGatewayChangesAlarm --metric-name GatewayChanges --namespace AWS/EC2 --statistic Sum --period 300 --threshold 1 --comparisonoperator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarmactions <sns-topic-arn> | ||
``` | ||
|
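Review bot: the `put-metric-alarm` command in step 5 will be rejected by the AWS CLI as written: the option names are `--comparison-operator` and `--alarm-actions`, not `--comparisonoperator` and `--alarmactions`. It also reads the `GatewayChanges` metric from `--namespace AWS/EC2`; namespaces beginning with `AWS/` are reserved for AWS service metrics and a metric filter cannot publish into them, so the alarm would sit in INSUFFICIENT_DATA and never fire. The alarm has to use the custom namespace and metric name the filter emits (the 5.14 doc uses `metricNamespace='CISBenchmark'`). Since step 5 repeats the topic and subscription steps already given above, dropping the block is simpler than fixing it.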
This section appears to be duplicated content that doesn't match the established pattern of the document. The step numbering continues from 4 to 5, and the commands seem to be additional examples rather than part of the main remediation flow.
5. Implement logging and alerting mechanisms: | |
```bash | |
aws sns create-topic --name NetworkGatewayChangesAlerts | |
``` | |
```bash | |
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <email-address> | |
``` | |
```bash | |
aws cloudwatch put-metric-alarm --alarm-name NetworkGatewayChangesAlarm --metric-name GatewayChanges --namespace AWS/EC2 --statistic Sum --period 300 --threshold 1 --comparisonoperator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarmactions <sns-topic-arn> | |
``` |
cis_v600/docs/cis_v600_5_14.md
Outdated
aws logs put-metric-filter --log-group-name <trail-log-group-name> --filter-name <vpc-changes-metric> --metric-transformations metricName=<vpc-changesmetric>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' | ||
``` | ||
|
||
**Note**:: You can choose your own `metricName` and `metricNamespace` strings. Using the same `metricNamespace` for all Foundations Benchmark metrics will group them together. |
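Review bot: the two placeholders in the `put-metric-filter` command disagree, `--filter-name <vpc-changes-metric>` versus `metricName=<vpc-changesmetric>`; make them identical so a reader substituting one value ends up with a filter and a metric of the same name, which is what the alarm in the following step has to reference. `**Note**::` also carries a doubled colon.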
Corrected double colon after 'Note' to single colon.
**Note**:: You can choose your own `metricName` and `metricNamespace` strings. Using the same `metricNamespace` for all Foundations Benchmark metrics will group them together. | |
**Note**: You can choose your own `metricName` and `metricNamespace` strings. Using the same `metricNamespace` for all Foundations Benchmark metrics will group them together. |
Checklist