Table of Contents generated with DocToc

• InSpec AWS Baseline Profile
  • Usage
    • IAM Permissions
    • Profile Execution - variant A
    • Profile Execution - variant B
    • Re-Vendor Dependencies
  • AWS Organizations
  • Local execution of tests with Docker
  • Further Information
    • The Importance of Compliance Results

InSpec AWS Baseline Profile

This profile covers some parts of the "CIS Amazon Web Services Foundations Benchmark (v1.2.0)".

Batteries included:

• IAM
  • MFA for root account ✅
  • Password Policy ✅
  • all your Access Keys - Expiration ✅
• Logging
  • AWS Config is active ✅
  • CloudTrail is enabled ✅
• Networking
  • Security Groups for SSH are restricted ✅
  • Security Groups for Remote Desktop (RDP) are restricted ✅
• additional best-practices not covered by the CIS Benchmark:
  • all your S3 Buckets are not public and encrypted (per Region) ✅
  • Organizations ✅
  • all your EBS volumes should be encrypted (per region) ✅
  • ECR: Test that images are scanned for vulnerabilities at a push to repository ✅

Usage

Please make sure you have InSpec version >= 4 installed, e.g. with bundle install (see Gemfile for details).

We recommend the usage of aws-vault.

IAM Permissions

Make sure your Auditor IAM User has the following managed policy attached:

arn:aws:iam::aws:policy/SecurityAudit

It is also possible to use higher privileged policies, such as arn:aws:iam::aws:policy/ReadOnlyAccess.

Profile Execution - variant A

You can easily use this InSpec profile from Github:

  ## the "-n" instructs aws-vault not to use AWS STS session tokens:
  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
    -t aws:// --show-progress \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz

Profile Execution - variant B

Call InSpec with AWS region + your local configured Profile:

  inspec exec -t aws://eu-central-1/my-named-profile --show-progress \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz
  

Re-Vendor Dependencies

  inspec vendor --overwrite . 

AWS Organizations

You can also check if a given account is part of AWS Organizations (Master or Member). This feature is disabled by default. You can enable it by providing variables given as an InSpec Input File.

See example configurations here.

  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz \
    -t aws:// --show-progress \
    --input-file enable-aws-organizations-checks.yml

Local execution of tests with Docker

  git clone https://github.com/centriascolocation/inspec-aws-baseline.git
  
  make build-docker-images
  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- make test
  

Further Information

The Importance of Compliance Results

These values are based off CVSS 3.0:

numeric value	impact, importance
0.0 to <0.01	none - they only provide information
0.01 to <0.4	low
0.4 to <0.7	medium
0.7 to <0.9	high
0.9 to 1.0	critical