InSpec profile to validate the secure configuration of Amazon Web Services against CIS' Amazon Web Services Foundations Benchmark Version 1.2.0 - 05-23-2018

It is intended and recommended that InSpec and this profile be run from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over AWS CLI.

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

The latest versions and installation options are available at the InSpec site.

This baseline also requires the AWS Command Line Interface (CLI) which is available at the AWS CLI site (at least version 2.x).

The IAM account used to run this profile against the AWS environment needs to attached through a group or role with at least AWS IAM "ReadOnlyAccess" Managed Policy

You will need to ensure your AWS CLI environment has the right system environment variables set with your AWS region and credentials and session token to use the AWS CLI and InSpec resources in the AWS environment. InSpec supports the following standard AWS variables:

• AWS_REGION
• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN (optional) - required if MFA is enabled

In any AWS MFA enabled environment - you need to use derived credentials to use the CLI. Your default AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will not satisfy the MFA Policies in AWS environments.

• The AWS documentation is here: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html
• The AWS profile documentation is here: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
• A useful bash script for automating this is here: https://gist.github.com/dinvlad/d1bc0a45419abc277eb86f2d1ce70625

To generate credentials using an AWS Profile you will need to use the following AWS CLI commands.

a. aws sts get-session-token --serial-number arn:aws:iam::<$YOUR-MFA-SERIAL> --token-code <$YOUR-CURRENT-MFA-TOKEN> --profile=<$YOUR-AWS-PROFILE>

b. Then export the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that was generated by the above command.

The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.

- Primary aws region (2.5)
default_aws_region: 'us-east-1'

- List of **documented service accounts** which are exempt from the MFA requirement (1.2)
service_account_mfa_exceptions:
  - user1
  - user2
  - ...

- List of buckets exempted from inspection (2.3, 2.6)
exception_bucket_list: ["exception_bucket_name"]

- List of security groups exempted from inspection (4.1, 4.2)
exception_security_group_list: ["exception_security_group_name"]

- Config service list and settings in all relevant regions (2.5)
config_delivery_channels:
  us-east-1:
    s3_bucket_name: "s3_bucket_name_value"
    sns_topic_arn: "sns_topic_arn_value"
  us-east-2:
    s3_bucket_name: "s3_bucket_name_value"
    sns_topic_arn: "sns_topic_arn_value"
  us-west-1:
    s3_bucket_name: "s3_bucket_name_value"
    sns_topic_arn: "sns_topic_arn_value"
  us-west-2:
    s3_bucket_name: "s3_bucket_name_value"
    sns_topic_arn: "sns_topic_arn_value"

The repo includes a script : generate_inputs.rb to generate part of the inputs required for the profile. The script will inspect aws regions: us-east-1, us-east-2, us-west-1, us-west-2 to generate the following input to STDOUT.

- config_delivery_channels

# Set required ENV variables
$ export AWS_ACCESS_KEY_ID=key-id
$ export AWS_SECRET_ACCESS_KEY=access-key
$ export AWS_SESSION_TOKEN=session_token
$ export AWS_REGION=us-west-1

# Run the `generate_inputs.rb` 
$ ruby generate_inputs.rb
# The generated inputs __must be reviewed carefully__. 
# Only __valid__ channels should be placed in the inputs.yml file.

# How to run
inspec exec https://github.com/mitre/aws-foundations-cis-baseline/archive/master.tar.gz --target aws:// --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Full exec options

If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:

(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)

When the "runner" host uses this profile baseline for the first time, follow these steps:

mkdir profiles
cd profiles
git clone https://github.com/mitre/aws-foundations-cis-baseline
inspec archive aws-foundations-cis-baseline
inspec exec <name of generated archive> --target aws:// --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

For every successive run, follow these steps to always have the latest version of this baseline:

cd aws-foundations-cis-baseline
git pull
cd ..
inspec archive aws-foundations-cis-baseline --overwrite
inspec exec <name of generated archive> --target aws:// --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.

The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.

• Rony Xavier - rx294
• Aaron Lippold - aaronlippold
• Shivani Karikar - karikarshivani

• Eugene Aronne - ejaronne

© 2018-2020 The MITRE Corporation.

Approved for Public Release; Distribution Unlimited. Case Number 18-3678.

MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.

This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.

No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.

For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.

CIS Benchmarks are published by the Center for Internet Security (CIS), see: https://www.cisecurity.org/.