M365 CIS Benchmark and Microsoft Zero Trust Security Model
Organizations are increasingly reliant on cloud-based services to enhance productivity and collaboration. Microsoft 365, with
Read MoreAlmost all CIS tests are automated with SmartProfiler for Amazon Web Services CIS Assessment.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
Performs complete assessment of Amazon Services including other AWS CIS Assessments in a single AWS Assessment Package. Also includes RDS tests recommended by AWS Experts.
SmartProfiler for Microsoft Azure includes assessment tests for Azure-Infra and Azure Entra ID to ensure all aspects of Azure is covered and tested.
SmartProfiler for Amazon CIS Assessment is a comprehensive, automated solution designed to help organizations enhance their security posture within Amazon Web Services (AWS). By following the Center for Internet Security (CIS) Benchmarks, SmartProfiler simplifies and streamlines the process of conducting in-depth risk and compliance assessments for AWS environments.
Unlike other tools, SmartProfiler includes assessments across multiple categories, ensuring a holistic approach to security. It covers essential CIS controls for Web Services (CIS 3.0.0), Compute Services (CIS 1.0.0), Database Services (CIS 1.0.0), and Storage Services (CIS 1.0.0), offering tailored tests created by AWS experts to ensure thorough compliance across all key service areas.
With SmartProfiler, businesses can significantly improve their AWS security, mitigate risks, and ensure compliance with industry standards, all through a single, automated solution.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.
SmartProfiler for Microsoft Azure CIS requires a Service Principal Account with necessary read-only permissions to execute all tests.
SmartProfiler needs to use an IAM Role with necessary permissions assigned to the Amazon Region. The permissions need to be defined in a policy and Access Token and Access IDs will be required to perform the assessment.
Please check permissions required for AWS Assessment here:
.
AWS CLI is required to perform assessment. The AWS CLI is available for download on Amazon website.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for Amazon CIS Assessment is simple to use and execute in four-steps.
It depends on the number of resources in the Tenant. It typically takes 1-2 hours to perform CIS Assessment for a Tenant having 800 resources.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for Amazon CIS Assessment. SmartProfiler offers additional tests which are not included in CIS V3.0.0 list.
| Category | CISWB | Test |
| Identity and Access Management | CIS v3.0.0 | Maintain current contact details |
| Identity and Access Management | CIS v3.0.0 | Ensure security contact information is registered |
| Identity and Access Management | CIS v3.0.0 | Ensure security questions are registered in the AWS account |
| Identity and Access Management | CIS v3.0.0 | Ensure no root user account access key exists |
| Identity and Access Management | CIS v3.0.0 | Ensure MFA is enabled for the root user account |
| Identity and Access Management | CIS v3.0.0 | Ensure hardware MFA is enabled for the root user account |
| Identity and Access Management | CIS v3.0.0 | Eliminate use of the root user for administrative and daily tasks |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM password policy requires minimum length of 14 or greater |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM password policy prevents password reuse |
| Identity and Access Management | CIS v3.0.0 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| Identity and Access Management | CIS v3.0.0 | Do not setup access keys during initial user setup for all IAM users that have a console password |
| Identity and Access Management | CIS v3.0.0 | Ensure credentials unused for 45 days or greater are disabled |
| Identity and Access Management | CIS v3.0.0 | Ensure there is only one active access key available for any single IAM user |
| Identity and Access Management | CIS v3.0.0 | Ensure access keys are rotated every 90 days or less |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM Users Receive Permissions Only Through Groups |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM policies that allow full *-* administrative privileges are not attached |
| Identity and Access Management | CIS v3.0.0 | Ensure a support role has been created to manage incidents with AWS Support |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM instance roles are used for AWS resource access from instances |
| Identity and Access Management | CIS v3.0.0 | Ensure that all the expired SSL-TLS certificates stored in AWS IAM are removed |
| Identity and Access Management | CIS v3.0.0 | Ensure that IAM Access analyzer is enabled for all regions |
| Identity and Access Management | CIS v3.0.0 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments |
| Identity and Access Management | CIS v3.0.0 | Ensure access to AWSCloudShellFullAccess is restricted |
| Simple Storage Service (S3) | CIS v3.0.0 | Ensure S3 Bucket Policy is set to deny HTTP requests |
| Simple Storage Service (S3) | CIS v3.0.0 | Ensure MFA Delete is enabled on S3 buckets |
| Simple Storage Service (S3) | CIS v3.0.0 | Ensure all data in Amazon S3 has been discovered- classified and secured when required |
| Simple Storage Service (S3) | CIS v3.0.0 | Ensure that S3 Buckets are configured with Block public access (bucket settings) |
| Elastic Compute Cloud (EC2) | CIS v3.0.0 | Ensure EBS Volume Encryption is Enabled in all Regions |
| Amazon RDS | CIS v3.0.0 | Ensure that encryption-at-rest is enabled for RDS Instances |
| Amazon RDS | CIS v3.0.0 | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances |
| Amazon RDS | CIS v3.0.0 | Ensure that public access is not given to RDS Instance |
| Elastic File System (EFS) | CIS v3.0.0 | Ensure that encryption is enabled for EFS file systems |
| Logging | CIS v3.0.0 | Ensure CloudTrail is enabled in all regions |
| Logging | CIS v3.0.0 | Ensure CloudTrail log file validation is enabled |
| Logging | CIS v3.0.0 | Ensure AWS Config is enabled in all regions |
| Logging | CIS v3.0.0 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
| Logging | CIS v3.0.0 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| Logging | CIS v3.0.0 | Ensure rotation for customer-created symmetric CMKs is enabled |
| Logging | CIS v3.0.0 | Ensure VPC flow logging is enabled in all VPCs |
| Logging | CIS v3.0.0 | Ensure that Object-level logging for write events is enabled for S3 bucket |
| Logging | CIS v3.0.0 | Ensure that Object-level logging for read events is enabled for S3 bucket |
| Monitoring | CIS v3.0.0 | Ensure unauthorized API calls are monitored |
| Monitoring | CIS v3.0.0 | Ensure management console sign-in without MFA is monitored |
| Monitoring | CIS v3.0.0 | Ensure usage of root account is monitored |
| Monitoring | CIS v3.0.0 | Ensure IAM policy changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure CloudTrail configuration changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure AWS Management Console authentication failures are monitored |
| Monitoring | CIS v3.0.0 | Ensure disabling or scheduled deletion of customer created CMKs is monitored |
| Monitoring | CIS v3.0.0 | Ensure S3 bucket policy changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure AWS Config configuration changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure security group changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure Network Access Control Lists (NACL) changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure changes to network gateways are monitored |
| Monitoring | CIS v3.0.0 | Ensure route table changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure VPC changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure AWS Organizations changes are monitored |
| Monitoring | CIS v3.0.0 | Ensure AWS Security Hub is enabled |
| Networking | CIS v3.0.0 | Ensure no Network ACLs allow ingress from 0000-0 to remote server administration ports |
| Networking | CIS v3.0.0 | Ensure no security groups allow ingress from 0000-0 to remote server administration ports |
| Networking | CIS v3.0.0 | Ensure no security groups allow ingress from —0 to remote server administration ports |
| Networking | CIS v3.0.0 | Ensure the default security group of every VPC restricts all traffic |
| Networking | CIS v3.0.0 | Ensure routing tables for VPC peering are least access |
| Networking | CIS v3.0.0 | Ensure that EC2 Metadata Service only allows IMDSv2 |
| Amazon Machine Images (AMI) | CIS v1.0.0 | Ensure Consistent Naming Convention is used for Organizational AMI |
| Amazon Machine Images (AMI) | CIS v1.0.0 | Ensure Images (AMIs) are encrypted |
| Amazon Machine Images (AMI) | CIS v1.0.0 | Ensure Only Approved AMIs (Images) are Used |
| Amazon Machine Images (AMI) | CIS v1.0.0 | Ensure Images (AMI) are not older than 90 days |
| Amazon Machine Images (AMI) | CIS v1.0.0 | Ensure Images are not Publicly Available |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure EBS volume encryption is enabled |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure Public Access to EBS Snapshots is Disabled |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure EBS volume snapshots are encrypted |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure unused EBS volumes are removed |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure Tag Policies are Enabled |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure an Organizational EC2 Tag Policy has been Created |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure no AWS EC2 Instances are Older than 180 days |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure detailed monitoring is enable for production EC2 Instances |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure Default EC2 Security groups are not being used |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure the Use of IMDSv2 is Enforced on All Existing Instances |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure use of AWS Systems Manager to manage EC2 instances |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure unused ENIs are removed |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure instances stopped for over 90 days are removed |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data |
| Elastic Block Storage (EBS) | CIS v1.0.0 | Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches |
| Lightsail | CIS v1.0.0 | Apply updates to any apps running in Lightsail |
| Lightsail | CIS v1.0.0 | Change default Administrator login names and passwords for applications |
| Lightsail | CIS v1.0.0 | Disable SSH and RDP ports for Lightsail instances when not needed |
| Lightsail | CIS v1.0.0 | Ensure SSH is restricted to only IP address that should have this access |
| Lightsail | CIS v1.0.0 | Ensure RDP is restricted to only IP address that should have this access |
| Lightsail | CIS v1.0.0 | Disable IPv6 Networking if not in use within your organization |
| Lightsail | CIS v1.0.0 | Ensure you are using an IAM policy to manage access to buckets in Lightsail |
| Lightsail | CIS v1.0.0 | Ensure Lightsail instances are attached to the buckets |
| Lightsail | CIS v1.0.0 | Ensure that your Lightsail buckets are not publicly accessible |
| Lightsail | CIS v1.0.0 | Enable storage bucket access logging |
| Lightsail | CIS v1.0.0 | Ensure your Windows Server based lightsail instances are updated with the latest security patches |
| Lightsail | CIS v1.0.0 | Change the auto-generated password for Windows based instances |
| Lambda | CIS v1.0.0 | Ensure AWS Config is Enabled for Lambda and Serverless |
| Lambda | CIS v1.0.0 | Ensure Cloudwatch Lambda insights is enabled |
| Lambda | CIS v1.0.0 | Ensure AWS Secrets manager is configured and being used by Lambda for databases |
| Lambda | CIS v1.0.0 | Ensure least privilege is used with Lambda function access |
| Lambda | CIS v1.0.0 | Ensure every Lambda function has its own IAM Role |
| Lambda | CIS v1.0.0 | Ensure Lambda functions are not exposed to everyone |
| Lambda | CIS v1.0.0 | Ensure Lambda functions are referencing active execution roles |
| Lambda | CIS v1.0.0 | Ensure that Code Signing is enabled for Lambda functions |
| Lambda | CIS v1.0.0 | Ensure there are no Lambda functions with admin privileges within your AWS account |
| Lambda | CIS v1.0.0 | Ensure Lambda functions do not allow unknown cross account access via permission policies |
| Lambda | CIS v1.0.0 | Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates |
| Lambda | CIS v1.0.0 | Ensure encryption is enabled for Lambda function variables |
| Batch | CIS v1.0.0 | Ensure AWS Batch is configured with AWS Cloudwatch Logs |
| Batch | CIS v1.0.0 | Ensure Batch roles are configured for cross-service confused deputy prevention |
| Elastic Beanstalk | CIS v1.0.0 | Ensure Managed Platform updates is configured |
| Elastic Beanstalk | CIS v1.0.0 | Ensure Persistent logs is setup and configured to S3 |
| Elastic Beanstalk | CIS v1.0.0 | Ensure access logs are enabled |
| Elastic Beanstalk | CIS v1.0.0 | Ensure that HTTPS is enabled on load balancer |
| AWS App Runner | CIS v1.0.0 | Ensure you are using VPC Endpoints for source code access |
| AWS SimSpace Weaver | CIS v1.0.0 | Ensure communications between your applications and clients is encrypted |
| Introduction | CIS v1.0.0 | AWS Storage Backups |
| Introduction | CIS v1.0.0 | Ensure securing AWS Backups |
| Introduction | CIS v1.0.0 | Ensure to create backup template and name |
| Introduction | CIS v1.0.0 | Ensure to create AWS IAM Policies |
| Introduction | CIS v1.0.0 | Ensure to create IAM roles for Backup |
| Introduction | CIS v1.0.0 | Ensure AWS Backup with Service Linked Roles |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure creating EC2 instance with EBS |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure configuring Security Groups |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure the proper configuration of EBS storage |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure the creation of a new volume |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure creating snapshots of EBS volumes |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure Proper IAM Configuration for EC2 Instances |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure creating IAM User |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure the Creation of IAM Groups |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure Granular Policy Creation |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure Resource Access via Tag-based Policies |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure Secure Password Policy Implementation |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure Monitoring EC2 and EBS with CloudWatch |
| Elastic Block Store (EBS) | CIS v1.0.0 | Ensure creating an SNS subscription |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure Implementation of EFS |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure EFS and VPC Integration |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure controlling Network access to EFS Services |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure using Security Groups for VPC |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure Secure Ports |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure File-Level Access Control with Mount Targets |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure managing mount target security groups |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure using VPC endpoints – EFS |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure managing AWS EFS access points |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure accessing Points and IAM Policies |
| Elastic File System (EFS) | CIS v1.0.0 | Ensure configuring IAM for AWS Elastic Disaster Recovery |
| FSx | CIS v1.0.0 | FSX (AWS Elastic File Cache) |
| FSx | CIS v1.0.0 | Amazon Elastic File Cache |
| FSx | CIS v1.0.0 | Ensure the creation of an FSX Bucket |
| FSx | CIS v1.0.0 | Ensure the creation of Elastic File Cache |
| FSx | CIS v1.0.0 | Ensure installation and configuration of Lustre Client |
| FSx | CIS v1.0.0 | Ensure EC2 Kernel compatibility with Lustre |
| FSx | CIS v1.0.0 | Ensure mounting FSx cache |
| FSx | CIS v1.0.0 | Ensure exporting cache to S3 |
| FSx | CIS v1.0.0 | Ensure cleaning up FSx Resources |
| Simple Storage Service (S3) | CIS v1.0.0 | Amazon Simple Storage Service |
| Simple Storage Service (S3) | CIS v1.0.0 | Ensure direct data addition to S3 |
| Simple Storage Service (S3) | CIS v1.0.0 | Ensure Storage Classes are Configured |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure Elastic Disaster Recovery is Configured |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure AWS Disaster Recovery Configuration |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure functionality of Endpoint Detection and Response (EDR) |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure configuration of replication settings |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure proper IAM configuration for AWS Elastic Disaster Recovery |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure installation of the AWS Replication Agent |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure proper configuration of the Launch Settings |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure execution of a recovery drill |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure Continuous Disaster Recovery Operations |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure execution of a Disaster Recovery Failover |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure execution of a failback |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure CloudWatch Metrics for AWS EDR |
| Elastic Disaster Recovery (EDR) | CIS v1.0.0 | Ensure working of EDR |
| Amazon Aurora | CIS v1.0.0 | Ensure Amazon VPC (Virtual Private Cloud) has been created |
| Amazon Aurora | CIS v1.0.0 | Ensure the Use of Security Groups |
| Amazon Aurora | CIS v1.0.0 | Ensure Data at Rest is Encrypted |
| Amazon Aurora | CIS v1.0.0 | Ensure Data in Transit is Encrypted |
| Amazon Aurora | CIS v1.0.0 | Ensure IAM Roles and Policies are Created |
| Amazon Aurora | CIS v1.0.0 | Ensure Database Audit Logging is Enabled |
| Amazon Aurora | CIS v1.0.0 | Ensure Passwords are Regularly Rotated |
| Amazon Aurora | CIS v1.0.0 | Ensure Access Keys are Regularly Rotated |
| Amazon Aurora | CIS v1.0.0 | Ensure Least Privilege Access |
| Amazon Aurora | CIS v1.0.0 | Ensure Automatic Backups and Retention Policies are configured |
| Amazon Aurora | CIS v1.0.0 | Ensure Multi-Factor Authentication (MFA) is in use |
| Amazon RDS | CIS v1.0.0 | Ensure to Choose the Appropriate Database Engine |
| Amazon RDS | CIS v1.0.0 | Ensure to Create The Appropriate Deployment Configuration |
| Amazon RDS | CIS v1.0.0 | Ensure to Create a Virtual Private Cloud (VPC) |
| Amazon RDS | CIS v1.0.0 | Ensure to Configure Security Groups |
| Amazon RDS | CIS v1.0.0 | Enable Encryption at Rest |
| Amazon RDS | CIS v1.0.0 | Enable Encryption in Transit |
| Amazon RDS | CIS v1.0.0 | Ensure to Implement Access Control and Authentication |
| Amazon RDS | CIS v1.0.0 | Ensure to Regularly Patch Systems |
| Amazon RDS | CIS v1.0.0 | Ensure Monitoring and Logging is Enabled |
| Amazon RDS | CIS v1.0.0 | Ensure to Enable Backup and Recovery |
| Amazon RDS | CIS v1.0.0 | Ensure to Regularly Review Security Configuration |
| Amazon RDS | SP v1.0 | Ensure no Underutilized RDS Instances |
| Amazon RDS | SP v1.0 | Amazon RDS Public Snapshots |
| Amazon RDS | SP v1.0 | Ensure that Amazon Aurora clusters are configured to use database activity streams |
| Amazon RDS | SP v1.0 | Ensure that all database instances within an Amazon Aurora cluster have the same accessibility |
| Amazon RDS | SP v1.0 | Enable Amazon Aurora Backtrack |
| Amazon RDS | SP v1.0 | Enable AWS RDS Cluster Deletion Protection |
| Amazon RDS | SP v1.0 | Ensure you always use the latest generation of DB instances to get better performance with lower cost |
| Amazon RDS | SP v1.0 | Ensure AWS RDS SQL Server and Postgre instances have Transport Encryption feature enabled |
| Amazon RDS | SP v1.0 | Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled |
| Amazon RDS | SP v1.0 | Ensure that the Deletion Protection feature is enabled for your Aurora Serverless clusters |
| Amazon RDS | SP v1.0 | Ensure that the Storage AutoScaling feature is enabled to support unpredictable database workload |
| Amazon RDS | SP v1.0 | Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements |
| Amazon RDS | SP v1.0 | Ensure Log Exports feature is enabled for your Amazon Aurora Serverless databases |
| Amazon RDS | SP v1.0 | Enable IAM Database Authentication |
| Amazon RDS | SP v1.0 | Identify idle AWS RDS database instances and terminate them to optimize AWS costs |
| Amazon RDS | SP v1.0 | Enable AWS RDS Instance Deletion Protection |
| Amazon RDS | SP v1.0 | Enable Event Subscriptions for Instance Level Events |
| Amazon RDS | SP v1.0 | Enable AWS RDS Log Exports |
| Amazon RDS | SP v1.0 | Identify overutilized RDS instances and upgrade them in order to optimize database workload and response time |
| Amazon RDS | SP v1.0 | Enable AWS RDS Performance Insights |
| Amazon RDS | SP v1.0 | Ensure Auto Minor Version Upgrade is enabled for RDS to automatically receive minor engine upgrades during the maintenance window |
| Amazon RDS | SP v1.0 | Ensure automated backups are enabled for RDS instances |
| Amazon RDS | SP v1.0 | Enable RDS Copy Tags to Snapshots |
| Amazon RDS | SP v1.0 | Ensure Amazon RDS database instances are not using the default ports |
| Amazon RDS | SP v1.0 | Ensure fewer Amazon RDS instances than the established limit in your AWS account |
| Amazon RDS | SP v1.0 | Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data |
| Amazon RDS | SP v1.0 | Ensure encryption is setup for RDS instances to fulfill compliance requirements for data-at-rest encryption |
| Amazon RDS | SP v1.0 | Enable event notifications for RDS |
| Amazon RDS | SP v1.0 | Identify RDS instances with low free storage space and scale them in order to optimize their performance |
| Amazon RDS | SP v1.0 | Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs |
| Amazon RDS | SP v1.0 | Ensure fewer Amazon RDS instances than the established limit in your AWS account |
| Amazon RDS | SP v1.0 | Ensure that no AWS RDS database instances are provisioned inside VPC public subnets |
| Amazon RDS | SP v1.0 | Ensure AWS RDS instances are using secure and unique master usernames for their databases |
| Amazon RDS | SP v1.0 | Ensure RDS instances are launched into Multi-AZ |
| Amazon RDS | SP v1.0 | Ensure RDS instances are not public facing to minimise security risks |
| Amazon RDS | SP v1.0 | Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration |
| Amazon RDS | SP v1.0 | Ensure AWS RDS Reserved Instance purchases have not failed |
| Amazon RDS | SP v1.0 | Ensure Amazon RDS Reserved Instance purchases are not pending |
| Amazon RDS | SP v1.0 | Ensure RDS Reserved Instance purchases are regularly reviewed for cost optimization (informational) |
| Amazon RDS | SP v1.0 | Ensure RDS instances have sufficient backup retention period for compliance purposes |
| Amazon RDS | SP v1.0 | Ensure that SSL/TLS certificates for RDS database instances are rotated according to the AWS schedule |
| Amazon RDS | SP v1.0 | Enable Event Subscriptions for DB Security Groups Events |
| Amazon RDS | SP v1.0 | Ensure there are not any unrestricted DB security groups assigned to your RDS instances |
| Amazon RDS | SP v1.0 | Ensure that Amazon Backup service is used to manage AWS RDS database snapshots |
| Amazon DynamoDB | CIS v1.0.0 | Ensure AWS Identity and Access Management (IAM) is in use |
| Amazon DynamoDB | CIS v1.0.0 | Ensure Fine-Grained Access Control is implemented |
| Amazon DynamoDB | CIS v1.0.0 | Ensure DynamoDB Encryption at Rest |
| Amazon DynamoDB | CIS v1.0.0 | Ensure DynamoDB Encryption in Transit |
| Amazon DynamoDB | CIS v1.0.0 | Ensure VPC Endpoints are configured |
| Amazon DynamoDB | CIS v1.0.0 | Ensure DynamoDB Streams and AWS Lambda for Automated Compliance Checking is Enabled |
| Amazon DynamoDB | CIS v1.0.0 | Ensure Monitor and Audit Activity is enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Secure Access to ElastiCache |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Network Security is Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Encryption at Rest and in Transit is configured |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Automatic Updates and Patching are Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Virtual Private Cloud (VPC) is Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Monitoring and Logging is Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Security Configurations are Reviewed Regularly |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Authentication and Access Control is Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Audit Logging is Enabled |
| Amazon ElastiCache | CIS v1.0.0 | Ensure Security Configurations are Reviewed Regularly |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Network Security is Enabled |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Data at Rest and in Transit is Encrypted |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Authentication and Access Control is Enabled |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Audit Logging is Enabled |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Security Configurations are Reviewed Regularly |
| Amazon MemoryDB for Redis | CIS v1.0.0 | Ensure Monitoring and Alerting is Enabled |
| Amazon DocumentDB | CIS v1.0.0 | Ensure Network Architecture Planning |
| Amazon DocumentDB | CIS v1.0.0 | Ensure VPC Security is Configured |
| Amazon DocumentDB | CIS v1.0.0 | Ensure Encryption at Rest is Enabled |
| Amazon DocumentDB | CIS v1.0.0 | Ensure Encryption in Transit is Enabled |
| Amazon DocumentDB | CIS v1.0.0 | Ensure to Implement Access Control and Authentication |
| Amazon DocumentDB | CIS v1.0.0 | Ensure Audit Logging is Enabled |
| Amazon DocumentDB | CIS v1.0.0 | Ensure Regular Updates and Patches |
| Amazon DocumentDB | CIS v1.0.0 | Ensure to Implement Monitoring and Alerting |
| Amazon DocumentDB | CIS v1.0.0 | Ensure to Implement Backup and Disaster Recovery |
| Amazon DocumentDB | CIS v1.0.0 | Ensure to Configure Backup Window |
| Amazon DocumentDB | CIS v1.0.0 | Ensure to Conduct Security Assessments |
| Amazon Keyspaces (formerly Amazon Managed Apache Cassandra Service) | CIS v1.0.0 | Ensure Keyspace Security is Configured |
| Amazon Keyspaces (formerly Amazon Managed Apache Cassandra Service) | CIS v1.0.0 | Ensure Network Security is Enabled |
| Amazon Keyspaces (formerly Amazon Managed Apache Cassandra Service) | CIS v1.0.0 | Ensure Data at Rest and in Transit is Encrypted |
| Amazon Neptune | CIS v1.0.0 | Ensure Network Security is Enabled |
| Amazon Neptune | CIS v1.0.0 | Ensure Data at Rest is Encrypted |
| Amazon Neptune | CIS v1.0.0 | Ensure Data in Transit is Encrypted |
| Amazon Neptune | CIS v1.0.0 | Ensure Authentication and Access Control is Enabled |
| Amazon Neptune | CIS v1.0.0 | Ensure Audit Logging is Enabled |
| Amazon Neptune | CIS v1.0.0 | Ensure Security Configurations are Reviewed Regularly |
| Amazon Neptune | CIS v1.0.0 | Ensure Monitoring and Alerting is Enabled |
| Amazon Timestream | CIS v1.0.0 | Ensure Data Ingestion is Secure |
| Amazon Timestream | CIS v1.0.0 | Ensure Data at Rest is Encrypted |
| Amazon Timestream | CIS v1.0.0 | Ensure Encryption in Transit is Configured |
| Amazon Timestream | CIS v1.0.0 | Ensure Access Control and Authentication is Enabled |
| Amazon Timestream | CIS v1.0.0 | Ensure Fine-Grained Access Control is Enabled |
| Amazon Timestream | CIS v1.0.0 | Ensure Audit Logging is Enabled |
| Amazon Timestream | CIS v1.0.0 | Ensure Regular Updates and Patches are Installed |
| Amazon Timestream | CIS v1.0.0 | Ensure Monitoring and Alerting is Enabled |
| Amazon Timestream | CIS v1.0.0 | Ensure to Review and Update the Security Configuration |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure to Implement Identity and Access Management (IAM) |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure Network Access is Secure |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure Data at Rest is Encrypted |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure Data in Transit is Encrypted |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure to Implement Access Control and Authentication |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure Monitoring and Logging is Enabled |
| Amazon Ledger Database Services (QLDB) | CIS v1.0.0 | Ensure to Enable Backup and Recovery |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure Amazon SNS topics do not allow unknown cross account access |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure SNS topics do not allow Everyone to publish |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure SNS topics do not allow Everyone to subscribe |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Enable Server-Side Encryption for AWS SNS Topics |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure that Amazon SNS topics are encrypted with KMS Customer Master Keys |
| Amazon Simple Notification Service (SNS) | SP v1.0 | Ensure SNS topics are not exposed to everyone |
| AWS CloudFormation | SP v1.0 | Ensure a deletion policy is used for your Amazon CloudFormation stacks |
| AWS CloudFormation | SP v1.0 | Ensure that Amazon CloudFormation stacks have not been drifted |
| AWS CloudFormation | SP v1.0 | Ensure CloudFormation service is in use for defining your cloud architectures on Amazon Web Services |
| AWS CloudFormation | SP v1.0 | Ensure CloudFormation stack policies are set to prevent accidental updates to stack resources |
| AWS CloudFormation | SP v1.0 | Ensure CloudFormation stacks are integrated with SNS to receive notifications about stack events |
| AWS CloudFormation | SP v1.0 | Ensure Termination Protection feature is enabled for your AWS CloudFormation stacks |
| AWS CloudFormation | SP v1.0 | Ensure that IAM role associated with CloudFormation stacks adheres to the principle of least privilege in order avoid unwanted privilege escalation |
| AWS CloudFormation | SP v1.0 | Ensure AWS CloudFormation stacks are not in Failed mode for more than 6 hours |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront distributions are configured to automatically compress content |
| Amazon CloudFront | SP v1.0 | Ensure Geo Restriction is enabled for CloudFront CDN distributions |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront global content delivery network (CDN) service is in use |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront origins dont use insecure SSL protocols |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront is integrated with WAF to protect web applications from exploit attempts |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront logging is enabled |
| Amazon CloudFront | SP v1.0 | Ensure AWS CloudFront distributions are using improved security policies for HTTPS connections |
| Amazon CloudFront | SP v1.0 | Ensure traffic between a CloudFront distribution and the origin is encrypted |
| Amazon CloudFront | SP v1.0 | Ensure CloudFront Viewer Protocol Policy enforces encryption |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are configured to use a default root object |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are using an origin access control configuration for their origin S3 buckets |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are using the Origin Failover feature to maintain high availability |
| Amazon CloudFront | SP v1.0 | Ensure that Amazon CloudFront distributions are using the Origin Shield feature |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are using the Real-Time Logging feature |
| Amazon CloudFront | SP v1.0 | Enable Field-Level Encryption for CloudFront Distributions |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions do not point to non-existent S3 origins |
| Amazon CloudFront | SP v1.0 | Ensure to Use Amazon CloudFront Content Distribution Network for secure web content delivery |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are configured to use a custom SSL-TLS certificate |
| Amazon CloudFront | SP v1.0 | Ensure that CloudFront distributions are configured to use Server Name Indication (SNI) |
| Amazon Web Application Firewall | SP v1.0 | Ensure AWS WAF is in use to protect your web applications from common web exploits |
| Amazon Web Application Firewall | SP v1.0 | Ensure that logging is enabled for Amazon WAF Web Access Control Lists |
Below tests, as recommended by Microsoft Azure globally, are not included in the Azure CIS Version 2.1.0 tests list. We recommend executing below tests as part of Microsoft Azure security & Compliance Assessment.
| Azure-Infra | SP v1.0 | Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID |
| Azure-Infra | SP v1.0 | Ensure Azure Administrative Units are used |
| Azure-Infra | SP v1.0 | Ensure Azure Guests cannot invite other Guests |
| Azure-Infra | SP v1.0 | Ensure privileged accounts have MFA Configured |
| Azure-Infra | SP v1.0 | Ensure non-Admins cannot register custom applications |
| Azure-Infra | SP v1.0 | Ensure no Guest Accounts in Azure Privileged groups |
| Azure-Infra | SP v1.0 | Ensure Security Defaults is enabled |
| Azure-Infra | SP v1.0 | Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent |
| Azure-Infra | SP v1.0 | Ensure Conditional Access Policy with signin user-risk location as Factor |
| Azure-Infra | SP v1.0 | Ensure no Guest accounts that are inactive for more than 45 days |
| Azure-Infra | SP v1.0 | Conditional Access policy with Continuous Access Evaluation disabled |
| Azure-Infra | SP v1.0 | AAD Connect sync account password reset |
| Azure-Infra | SP v1.0 | Ensure Guest users are restricted |
| Azure-Infra | SP v1.0 | Ensure user are configured with MFA |
| Azure-Infra | SP v1.0 | Conditional Access Policy that disables admin token persistence |
| Azure-Infra | SP v1.0 | Conditional Access Policy that does not require a password change from high risk users |
| Azure-Infra | SP v1.0 | Conditional Access Policy that does not require MFA when sign-in risk has been identified |
| Azure-Infra | SP v1.0 | Ensure Guest invites not accepted in last 30 days are identified |
| Azure-Infra | SP v1.0 | Ensure Synced AAD Users not privileged Users in Azure |
| Azure-Infra | SP v1.0 | Ensure No Private IP Addresses in Conditional Access policies |
| Azure-Infra | SP v1.0 | Ensure Number Matching enabled in MFA |
| Azure-Infra | SP v1.0 | Ensure AD privileged users are not synced to AAD |
| Azure-Infra | SP v1.0 | Ensure no more than 5 Global Administrators |
| Azure-Infra | SP v1.0 | Ensure SSO computer account with latest password |
| Azure-Infra | SP v1.0 | Ensure RBCD is not applied to AZUREADSSOACC account |
| Azure Entra ID | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
| Azure Entra ID | SP v1.0 | Ensure Phishing-resistant MFA strength is required for Administrators |
| Azure Entra ID | SP v1.0 | Ensure custom banned passwords lists are used |
| Azure Entra ID | SP v1.0 | Ensure Restrict non-admin users from creating tenants is set to Yes |
| Azure Entra ID | SP v1.0 | Ensure a dynamic group for guest users is created |
| Azure Entra ID | SP v1.0 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
| Azure Entra ID | SP v1.0 | Ensure that password hash sync is enabled for hybrid deployments |
| Azure Entra ID | SP v1.0 | Ensure Privileged Identity Management is used to manage roles |
| Azure Entra ID | SP v1.0 | Ensure Security Defaults is disabled on Azure Active Directory |
| Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection user risk policies |
| Azure Entra ID | SP v1.0 | Ensure the admin consent workflow is enabled |
| Azure Entra ID | SP v1.0 | Ensure Microsoft Azure Management is limited to administrative roles |
| Azure Entra ID | SP v1.0 | Ensure LinkedIn account connections is disabled |
| Azure Entra ID | SP v1.0 | Ensure password protection is enabled for on-prem Active Directory |
| Azure Entra ID | SP v1.0 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
| Azure Entra ID | SP v1.0 | Ensure third party integrated applications are not allowed |
| Azure Entra ID | SP v1.0 | Ensure user consent to apps accessing company data on their behalf is not allowed |
| Azure Entra ID | SP v1.0 | Enable Conditional Access policies to block legacy authentication |
| Azure Entra ID | SP v1.0 | Ensure Self service password reset enabled is set to All |
| Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection sign-in risk policies |
| Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users in administrative roles |
| Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users |
| Database Services-SQL Server – MySQL Database | SP v1.0 | Ensure to Enable In-Transit Encryption for MySQL Servers |
| Virtual Machines | SP v1.0 | Approved Azure Machine Image in Use |
| Virtual Machines | SP v1.0 | Azure Disk Encryption for Boot Disk Volumes |
| Virtual Machines | SP v1.0 | Azure Disk Encryption for Non-Boot Disk Volumes |
| Virtual Machines | SP v1.0 | Ensure Associated Load Balancers are configured |
| Virtual Machines | SP v1.0 | Ensure Desired VM SKU Size are configured |
| Virtual Machines | SP v1.0 | Ensure Virtual Machine Scale Sets are not empty |
| Virtual Machines | SP v1.0 | Ensure Virtual Machines are configured with SSH Authentication Type |
| Virtual Machines | SP v1.0 | Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure No Unused Load Balancers are identified to reduce cost |
| Virtual Machines | SP v1.0 | Ensure No Zone-Redundant Virtual Machine Scale Sets are present |
| Virtual Machines | SP v1.0 | Ensure Premium SSD are disabled to reduce cost |
| Virtual Machines | SP v1.0 | Ensure Accelerated Networking for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost |
| Virtual Machines | SP v1.0 | Ensure Automatic Instance Repairs is enabled for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Automatic OS Upgrades is enabled for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Autoscale Notifications are configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Backups for Azure Virtual Machines are configured |
| Virtual Machines | SP v1.0 | Ensure Encryption for App-Tier Disk Volumes are configured |
| Virtual Machines | SP v1.0 | Ensure Encryption for Web-Tier Disk Volumes are configured |
| Virtual Machines | SP v1.0 | Ensure Guest-Level Diagnostics for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured |
| Virtual Machines | SP v1.0 | Ensure Just-In-Time Access for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Performance Diagnostics for Azure Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure System-Assigned Managed Identities are enabled |
| Virtual Machines | SP v1.0 | Ensure Virtual Machine Boot Diagnostics is enabled |
| Virtual Machines | SP v1.0 | Ensure Health Monitoring is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Old Virtual Machine Disk Snapshots are removed |
| Virtual Machines | SP v1.0 | Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure BYOK for Disk Volumes Encryption is used |
| Virtual Machines | SP v1.0 | Enable Virtual Machine Access using Microsoft Entra ID Authentication |
| Azure Subscription | SP v1.0 | Ensure Basic and Consumption SKU Should are not Used in Production |
| Azure Subscription | SP v1.0 | Ensure Azure Cloud Budget Alerts are configured |
| Azure Subscription | SP v1.0 | Ensure more than one Subscription Owners are assigned |
| Azure Subscription | SP v1.0 | Ensure Not Allowed Resource Types Policy Assignment is in Use |
| Azure Subscription | SP v1.0 | Ensure Tags are configured on the Resources |
| Azure Subscription | SP v1.0 | Ensure to remove Custom Owner Roles from Subscriptions |
| Azure Subscription | SP v1.0 | Ensure Resource Locking Administrator Role is configured |
| Azure Subscription | SP v1.0 | Ensure no Subscription Administrator Custom Role are not configured |
Instead of manually gathering data, which could take a significant amount of time, SmartProfiler for AWS CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really gives you insights about your Active Directory environment and make sure every risk is mitigated.
Organizations are increasingly reliant on cloud-based services to enhance productivity and collaboration. Microsoft 365, with
Read MoreAD Smart Queries ship as part of the Active Directory Assessment License. The AD Smart
Read MoreBefore you can start performing Active Directory security assessment you are required to perform an
Read More