Cloud Custodian Policies for CIS AWS Foundations Benchmark (Part-2)
Jul 27, 2021
Cloud Custodian CIS AWS Benchmark Policies
The Cloud Custodian policies covering the CIS AWS Foundations Benchmark v1.4.0 checks continue below from Part-1. This story covers checks 1.18 through 2.2.1.
1.18 Ensure IAM instance roles are used for AWS resource access from instances — Level 2 (Automated)
policies:
  - name: cis-ec2-iam-instance-role-is-present
    resource: aws.ec2
    comment: |
      CIS AWS Foundations v1.4.0 (1.18)
      AWS access from within AWS instances can be done either encoding
      AWS keys into AWS API calls or by assigning the instance to a
      role which has an appropriate permissions policy for the
      required access. "AWS Access" means accessing the APIs of AWS in
      order to access AWS resources or manage AWS account resources.
    filters:
      - type: value
        key: IamInstanceProfile
        value: absent
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
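As an added cross-check that is not part of the original story or of Cloud Custodian itself, the script below applies the same rule as the 1.18 filter above (`key: IamInstanceProfile`, `value: absent`) directly to DescribeInstances output via boto3, so a Custodian run can be compared against an independent API read; the sample reservations are constructed, and skipping terminated instances is an assumption of this example, not something the policy does.

```python
from typing import Dict, Iterable, List


def instances_without_profile(reservations: Iterable[Dict],
                              skip_terminated: bool = True) -> List[str]:
    """Return InstanceIds that carry no IamInstanceProfile.

    `reservations` is the "Reservations" list of a DescribeInstances response.
    An instance is flagged when IamInstanceProfile is absent or empty, which is
    what the Custodian filter `key: IamInstanceProfile, value: absent` matches.
    Skipping terminated instances is an assumption of this example; the policy
    above does not exclude them.
    """
    flagged = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if skip_terminated and inst.get("State", {}).get("Name") == "terminated":
                continue
            if not inst.get("IamInstanceProfile"):
                flagged.append(inst["InstanceId"])
    return flagged


def fetch_reservations(region_name: str) -> List[Dict]:
    """Page through DescribeInstances with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the pure check above runs without boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations: List[Dict] = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return reservations


# Constructed sample shaped like a DescribeInstances response (not real data).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaa0000000000a1", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web",
                                "Id": "AIPAEXAMPLEID"}},
        {"InstanceId": "i-0bbbb0000000000b2", "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0cccc0000000000c3", "State": {"Name": "terminated"}},
    ]},
]

if __name__ == "__main__":
    # Runs against the sample; swap in fetch_reservations("us-east-1") for a live account.
    print(instances_without_profile(SAMPLE_RESERVATIONS))  # ['i-0bbbb0000000000b2']
```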
1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed — Level 1 (Automated)
policies:
  - name: cis-iam-certificate-expired
    resource: aws.iam-certificate
    comment: |
      CIS AWS Foundations v1.4.0 (1.19)
      Removing expired…