
Cloud Custodian Policies for CIS AWS Foundations Benchmark (Part-3)


CIS AWS Foundations Benchmark v1.4.0 (05-28-2021)

The Cloud Custodian policies covering the CIS Benchmark v1.4.0 checks continue below from Part-2. This story covers checks 2.3.1 through 3.8.

2.3 Relational Database Service (RDS)

2.3.1 Ensure that encryption is enabled for RDS Instances — Level 1 (Automated)

policies:
  - name: cis-rds-encryption-not-enabled-at-rest
    resource: aws.rds
    comment: |
      CIS AWS Foundations v1.4.0 (2.3.1)
    filters:
      - type: value
        key: StorageEncrypted
        op: ne
        value: true
    mode:
      type: periodic
      schedule: "rate(24 hours)"
      runtime: python3.8
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/

Note that aws.rds covers RDS DB instances only. Aurora clusters expose the same StorageEncrypted attribute on the aws.rds-cluster resource and need a separate policy with the same filter.

3.0 Logging

3.1 Ensure CloudTrail is enabled in all regions — Level 1 (Automated)

policies:
  - name: cis-cloudtrail-is-not-enabled-for-all-regions
    resource: aws.cloudtrail
    comment: |
      CIS AWS Foundations v1.4.0 (3.1)
    filters:
      - type: value
        key: IsMultiRegionTrail
        value: false
    mode:
      type: periodic
      schedule: "rate(24 hours)"
      runtime: python3.8
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
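The policy above only tests the IsMultiRegionTrail flag from DescribeTrails. CIS 3.1 also expects the trail to be actively logging and to capture global service events (IAM, STS, CloudFront), so a multi-region trail that was stopped still passes the check as written. The following is an added example, not a policy from the original story: it extends the same check with the aws.cloudtrail status filter, which calls GetTrailStatus for each trail, and an or: block so that a trail is reported if any one condition fails. The policy name and the S3 output path are placeholders.

```yaml
policies:
  - name: cis-cloudtrail-not-multi-region-or-not-logging
    resource: aws.cloudtrail
    comment: |
      CIS AWS Foundations v1.4.0 (3.1), extended check (added example).
      A trail is reported if it is not multi-region, does not include
      global service events, or is not currently logging.
    filters:
      - or:
          # DescribeTrails attributes
          - type: value
            key: IsMultiRegionTrail
            value: false
          - type: value
            key: IncludeGlobalServiceEvents
            value: false
          # GetTrailStatus attribute, fetched per trail by the status filter
          - type: status
            key: IsLogging
            value: false
    mode:
      type: periodic
      schedule: "rate(24 hours)"
      runtime: python3.8
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
```

One caveat when triaging the output: the benchmark is satisfied by at least one compliant multi-region trail in the account, whereas this policy reports every individual trail that fails. A deliberately single-region trail that coexists with a compliant multi-region trail will still show up, so treat the findings per account rather than per trail.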


Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.
