title: 'AWS CIS 1.1 Maintain current contact details',
description: `Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.`,
audit: `This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing )
1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/.
2. On the navigation bar, choose your account name, and then choose My Account.
3. On the Account Settings page, review and verify the current details.
4. Under Contact Information, review and verify the current details.`,
rationale: 'If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers\' and AWS\' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.',
remediation: `This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ).
1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/.
2. On the navigation bar, choose your account name, and then choose My Account.
3. On the Account Settings page, next to Account Settings, choose Edit.
4. Next to the field that you need to update, choose Edit.
5. After you have entered your changes, choose Save changes.
6. After you have made your changes, choose Done.
7. To edit your contact information, under Contact Information, choose Edit.
8. For the fields that you want to change, type your updated information, and then choose Update.`,
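Review bot: the audit text (the line beginning `audit:`) requires a user with permission to read and write Billing information (aws-portal:*Billing), but reviewing contact details is a read-only activity, so the audit should ask for view access only (for example aws-portal:ViewBilling, or the fine-grained account/billing actions AWS is introducing to replace the aws-portal:* actions) and keep the write requirement for the remediation steps, where it is actually needed. The "can only be performed via the AWS Console" claim is also stronger than necessary: the AWS CLI exposes `aws account get-contact-information` and `aws account get-alternate-contact --alternate-contact-type SECURITY`, so a short "From Command Line" variant would let this check be scripted, and mentioning the alternate contacts would tie the audit back to the description's point that contacts should map to more than one individual.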
title: 'AWS CIS 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password',
description: 'Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.',
audit: `Perform the following to determine if a MFA device is enabled for all IAM users having a console password:
**From Console:**
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left pane, select *Users*
3. If the *MFA* or *Password age* columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click *Close*.
4. Ensure that for each user where the *Password age* column shows a password age, the MFA column shows *Virtual*, *U2F Security Key*, or *Hardware*.
**From Command Line:**
1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
2. The output of this command will produce a table similar to the following:
user,password_enabled,mfa_active
elise,false,false
brandon,true,true
rakesh,false,false
helene,false,false
paras,true,true
anitha,false,false
3. For any column having *password_enabled* set to *true*, ensure *mfa_active* is also set to *true*.`,
rationale: 'Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.',
remediation: `Perform the following to enable MFA:
**From Console:**
1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'
2. In the left pane, select *Users*.
3. In the *User Name* list, choose the name of the intended MFA user.
4. Choose the *Security Credentials* tab, and then choose *Manage MFA Device*.
5. In the *Manage MFA Device wizard*, choose *Virtual MFA* device, and then choose *Continue*.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
57
+
When you are finished, the virtual MFA device starts generating one-time passwords.
8. In the *Manage MFA Device wizard*, in the *MFA Code 1 box*, type the *one-time password* that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second *one-time password* into the *MFA Code 2 box*.
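Review bot: in the "From Command Line" audit, step 1 runs `aws iam generate-credential-report` and then immediately `aws iam get-credential-report`; report generation is asynchronous and the first call returns State STARTED, so the get call can fail with ReportNotPresent until the state is COMPLETE. The step should tell the reader to re-run generate-credential-report until it reports COMPLETE (or to wait a few seconds) before piping the content through `base64 -d | cut -d, -f1,4,8`. Two smaller points in the same hunk: step 3 says "For any column having *password_enabled* set to *true*" where it means each row (each user), and the remediation ends at step 8, entering the two one-time passwords, without the step that completes the wizard and assigns the device to the user, so if the file really stops there the final step is missing.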