Operational Best Practices for CMMC Level 1 - Amazon Config
The Amazon Web Services services or features described in the Amazon documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This content is a machine translation. If this translation differs from the original English, the English original prevails.

Operational Best Practices for CMMC Level 1

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom Amazon Config rules and Amazon Config remediation actions. Conformance packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) Level 1 and Amazon Config managed rules. Each Config rule applies to a specific Amazon resource and relates to one or more CMMC Level 1 controls. A CMMC Level 1 control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

This conformance pack was validated by Amazon Security Assurance Services LLC (Amazon SAS), a team of Payment Card Industry Qualified Security Assessors (QSAs), HITRUST Certified Common Security Framework Practitioners (CCSFPs), and compliance professionals certified to provide guidance and assessments for various industry frameworks. Amazon SAS professionals designed this conformance pack to enable a customer to align to a subset of CMMC Level 1.

Amazon Web Services Region: all supported Amazon Web Services Regions except Middle East (Bahrain)

Control ID    Control Description    Amazon Config Rule    Guidance
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-group-has-users-check

Amazon Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the Center for Internet Security (CIS) Amazon Foundations Benchmark for password strength. This rule allows you to optionally set RequireUppercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireLowercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireSymbols (Amazon Foundational Security Best Practices value: true), RequireNumbers (Amazon Foundational Security Best Practices value: true), MinimumPasswordLength (Amazon Foundational Security Best Practices value: 14), PasswordReusePrevention (Amazon Foundational Security Best Practices value: 24), and MaxPasswordAge (Amazon Foundational Security Best Practices value: 90) for your IAM password policy. The actual values should reflect your organization's policies.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-policy-no-statements-with-admin-access

Amazon Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the root user of the Amazon Web Services account does not have access keys. Ensure that the root access keys are deleted. Instead, create and use IAM roles to help incorporate the principle of least functionality.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-user-group-membership-check

Amazon Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-user-no-policies-check

This rule ensures Amazon Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce the opportunity for an identity to receive or retain excessive privileges.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

s3-bucket-policy-grantee-check

Manage access to the Amazon Web Services Cloud by enabling s3_bucket_policy_grantee_check. This rule checks that the access granted by the Amazon S3 bucket is restricted by any of the Amazon principals, federated users, service principals, IP addresses, or Amazon Virtual Private Cloud (Amazon VPC) IDs that you provide.
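As an added example (not part of this page and not Amazon's implementation of the managed rule), the Python below applies the check this rule describes to a bucket policy document: every Allow statement must be limited to the principals, IP ranges or VPC IDs you list as authorized. The allowed lists, the bucket policy and the bucket name are constructed. Treating a statement as authorized when its Condition pins it to an allowed aws:SourceIp range or aws:SourceVpc is this example's reading of the rule, and CIDR strings are compared for equality, not for subnet containment.

```python
"""Check who an S3 bucket policy grants access to.

Added example (not AWS's implementation of the managed rule): it applies the
check s3-bucket-policy-grantee-check describes, that every Allow statement in
the bucket policy is limited to principals, IP ranges or VPC IDs listed as
authorized. The allowed lists, the policy and the bucket name are constructed.
"""
import json


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_principals(statement):
    """Yield (kind, value) pairs; "*" and {"AWS": "*"} both mean anonymous access."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():          # kind: AWS, Service, Federated
        for value in _as_list(values):
            yield (kind, value)


def network_restriction(statement, allowed):
    """True if the statement's Condition limits it to an allowed IP range or VPC.

    Assumption: CIDR strings must match an allowed entry exactly.
    """
    condition = statement.get("Condition", {})
    source_ips = set(_as_list(condition.get("IpAddress", {}).get("aws:SourceIp")))
    source_vpcs = set(_as_list(condition.get("StringEquals", {}).get("aws:SourceVpc")))
    ip_ok = bool(source_ips) and source_ips <= allowed["ip_ranges"]
    vpc_ok = bool(source_vpcs) and source_vpcs <= allowed["vpc_ids"]
    return ip_ok or vpc_ok


def unauthorized_grants(policy_document, allowed):
    """Return [(sid, kind, principal)] for grants outside the allowed lists.

    An Allow statement passes if its Condition pins it to an allowed IP range
    or VPC, or if each principal it names is in the allowed list for its kind.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"Statement[{index}]")
        if network_restriction(statement, allowed):
            continue
        for kind, value in statement_principals(statement):
            if value not in allowed.get(kind, set()):
                findings.append((sid, kind, value))
    return findings


def evaluate_bucket_policy(policy_document, allowed):
    """COMPLIANT when no bucket policy is attached or every grant is authorized."""
    if not policy_document:
        return "COMPLIANT"
    return "NON_COMPLIANT" if unauthorized_grants(policy_document, allowed) else "COMPLIANT"


# Constructed parameters, in the spirit of the rule's parameter lists.
ALLOWED = {
    "AWS": {"arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:role/DataLoader"},
    "Service": {"cloudtrail.amazonaws.com"},
    "Federated": set(),
    "ip_ranges": {"203.0.113.0/24"},
    "vpc_ids": {"vpc-0a1b2c3d4e5f67890"},
}

# Constructed bucket policy mixing authorized and unauthorized grants.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LoaderWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/DataLoader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-cui/*"},
        {"Sid": "OfficeRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cui/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cui/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-cui"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-cui/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print(evaluate_bucket_policy(BUCKET_POLICY, ALLOWED))
    for finding in unauthorized_grants(BUCKET_POLICY, ALLOWED):
        print(finding)
```

Only PartnerRead (a foreign account) and PublicList (anonymous, with no network condition) are reported; OfficeRead is anonymous too, but its aws:SourceIp condition matches an allowed range, and the Deny statement is never a grant.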
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

dms-replication-not-public

Manage access to the Amazon Web Services Cloud by ensuring DMS replication instances cannot be publicly accessed. DMS replication instances can contain sensitive information and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ebs-snapshot-public-restorable-check

Manage access to the Amazon Web Services Cloud by ensuring EBS snapshots are not publicly restorable. EBS volume snapshots can contain sensitive information and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ec2-instance-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

elasticsearch-in-vpc-only

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elasticsearch Service (Amazon ES) domains are within an Amazon Virtual Private Cloud (Amazon VPC). An Amazon ES domain within an Amazon VPC enables secure communication between Amazon ES and other services within the Amazon VPC without the need for an internet gateway, NAT device, or VPN connection.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

emr-master-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed. Amazon EMR cluster master nodes can contain sensitive information and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-user-mfa-enabled

Enable this rule to restrict access to resources in the Amazon Web Services Cloud. This rule ensures multi-factor authentication (MFA) is enabled for all IAM users. MFA adds an extra layer of protection on top of a user name and password. Reduce the incidents of compromised accounts by requiring MFA for IAM users.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

restricted-ssh

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help manage network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ec2-instances-in-vpc

Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

internet-gateway-authorized-vpc-only

Manage access to resources in the Amazon Web Services Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Clouds (Amazon VPCs). Internet gateways allow bi-directional internet access to and from the Amazon VPC, which can potentially lead to unauthorized access to Amazon VPC resources.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Manage access to resources in the Amazon Web Services Cloud by ensuring Amazon Lambda functions cannot be publicly accessed. Public access can potentially lead to degradation of availability of resources.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Deploy Amazon Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for secure communication between a function and other services within the Amazon VPC. With this configuration, there is no requirement for an internet gateway, NAT device, or VPN connection. All the traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. To properly manage access, Amazon Lambda functions should be assigned to a VPC.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

mfa-enabled-for-iam-console-access

Manage access to resources in the Amazon Web Services Cloud by ensuring that MFA is enabled for all Amazon Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

rds-instance-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

rds-snapshots-public-prohibited

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) snapshots are not public. Amazon RDS snapshots can contain sensitive information, and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

redshift-cluster-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, and access control is required for such accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

restricted-common-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set the blockedPort1 - blockedPort5 parameters (Config Defaults: 20, 21, 3389, 3306, 4333). The actual values should reflect your organization's policies.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Manage access to resources in the Amazon Web Services Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Manage access to resources in the Amazon Web Services Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

s3-account-level-public-access-blocks

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets (Config Default: True) parameters. The actual values should reflect your organization's policies.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

s3-bucket-public-read-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

s3-bucket-public-write-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

vpc-default-security-group-closed

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Restricting all the traffic on the default security group helps in restricting remote access to your Amazon resources.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

vpc-sg-open-only-to-authorized-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access on ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. By restricting access from the internet (0.0.0.0/0) to resources within a security group, remote access to internal systems can be controlled.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

emr-kerberos-enabled

The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters. In Kerberos, the services and the users that need to authenticate are known as principals. The principals exist within a Kerberos realm. Within the realm, a Kerberos server is known as the key distribution center (KDC). It provides a means for the principals to authenticate. The KDC authenticates by issuing tickets for authentication. The KDC maintains a database of the principals within its realm, their passwords, and other administrative information about each principal.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ec2-imdsv2-check

Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. The IMDSv2 method uses session-based controls. With IMDSv2, controls can be implemented to restrict changes to instance metadata.
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

iam-no-inline-policy-check

Ensure an Amazon Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. Amazon recommends using managed policies instead of inline policies. Managed policies allow reusability, versioning and rolling back, and delegating permissions management.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-group-has-users-check

Amazon Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the Center for Internet Security (CIS) Amazon Foundations Benchmark for password strength. This rule allows you to optionally set RequireUppercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireLowercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireSymbols (Amazon Foundational Security Best Practices value: true), RequireNumbers (Amazon Foundational Security Best Practices value: true), MinimumPasswordLength (Amazon Foundational Security Best Practices value: 14), PasswordReusePrevention (Amazon Foundational Security Best Practices value: 24), and MaxPasswordAge (Amazon Foundational Security Best Practices value: 90) for your IAM password policy. The actual values should reflect your organization's policies.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-policy-no-statements-with-admin-access

Amazon Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
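As an added example (not part of this page and not Amazon's implementation of the managed rule), the Python below applies the condition described for iam-policy-no-statements-with-admin-access under AC.1.001 and AC.1.002 to a policy document, handling the string-or-list forms IAM allows for Statement, Action and Resource. It goes one step beyond the wording above by treating "*:*" (any service, any action) the same as "*", which is how IAM expands both wildcards; NotAction and NotResource statements are deliberately not flagged. Both sample policies are constructed.

```python
"""Detect full-administrator statements in IAM policy documents.

Added example (not AWS's implementation of the managed rule): it reproduces
the condition described for iam-policy-no-statements-with-admin-access, a
statement with "Effect": "Allow", "Action": "*" and "Resource": "*".
Extension: "*:*" is treated the same as "*". Sample policies are constructed.
"""
import json

# Action wildcards that match every API call in every service.
FULL_ACTION_WILDCARDS = {"*", "*:*"}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(statement):
    """True when the statement allows every action on every resource.

    Only Action/Resource are inspected; NotAction/NotResource statements fall
    outside the condition the managed rule describes and are not flagged.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = {str(a).strip() for a in _as_list(statement.get("Action"))}
    resources = {str(r).strip() for r in _as_list(statement.get("Resource"))}
    return bool(actions & FULL_ACTION_WILDCARDS) and "*" in resources


def admin_statements(policy_document):
    """Return the Sid (or a positional label) of every admin statement in the document."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if is_admin_statement(statement):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


def evaluate_policy(policy_document):
    """Mirror the Config verdict: NON_COMPLIANT if any admin statement exists."""
    return "NON_COMPLIANT" if admin_statements(policy_document) else "COMPLIANT"


# Constructed sample: a customer managed policy that quietly grants full admin.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBuckets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: a scoped policy; the Deny with wildcards is not a grant.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "BlockEverythingElse", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, evaluate_policy(policy), admin_statements(policy))
```

Note that "ec2:Describe*" over "Resource": "*" is not reported: a wildcard resource alone is not the condition the rule describes, only the combination of a full action wildcard with a full resource wildcard in an Allow statement.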
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-root-access-key-check

Access to systems and assets can be controlled by checking that the root user of the Amazon Web Services account does not have access keys. Ensure that the root access keys are deleted. Instead, create and use IAM roles to help incorporate the principle of least functionality.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-user-group-membership-check

Amazon Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group. Allowing users more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-user-no-policies-check

This rule ensures Amazon Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-user-mfa-enabled

Enable this rule to restrict access to resources in the Amazon Web Services Cloud. This rule ensures multi-factor authentication (MFA) is enabled for all IAM users. MFA adds an extra layer of protection on top of a user name and password. Reduce the incidents of compromised accounts by requiring MFA for IAM users.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

mfa-enabled-for-iam-console-access

Manage access to resources in the Amazon Web Services Cloud by ensuring that MFA is enabled for all Amazon Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Manage access to resources in the Amazon Web Services Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Manage access to resources in the Amazon Web Services Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

iam-no-inline-policy-check

Ensure an Amazon Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets. Amazon recommends using managed policies instead of inline policies. Managed policies allow reusability, versioning and rolling back, and delegating permissions management.
AC.1.003 Verify and control/limit connections to and use of external information systems.

restricted-ssh

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help manage network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
AC.1.003 Verify and control/limit connections to and use of external information systems.

restricted-common-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. This rule allows you to optionally set the blockedPort1 - blockedPort5 parameters (Config Defaults: 20, 21, 3389, 3306, 4333). The actual values should reflect your organization's policies.
AC.1.003 Verify and control/limit connections to and use of external information systems.

vpc-default-security-group-closed

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Restricting all the traffic on the default security group helps in restricting remote access to your Amazon resources.
AC.1.003 Verify and control/limit connections to and use of external information systems.

vpc-sg-open-only-to-authorized-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access on ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. By restricting access from the internet (0.0.0.0/0) to resources within a security group, remote access to internal systems can be controlled.
AC.1.003 Verify and control/limit connections to and use of external information systems.

internet-gateway-authorized-vpc-only

Manage access to resources in the Amazon Web Services Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Clouds (Amazon VPCs). Internet gateways allow bi-directional internet access to and from the Amazon VPC, which can potentially lead to unauthorized access to Amazon VPC resources.
AC.1.003 Verify and control/limit connections to and use of external information systems.

s3-account-level-public-access-blocks

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets (Config Default: True) parameters. The actual values should reflect your organization's policies.
AC.1.003 Verify and control/limit connections to and use of external information systems.

s3-bucket-public-read-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
AC.1.003 Verify and control/limit connections to and use of external information systems.

dms-replication-not-public

Manage access to the Amazon Web Services Cloud by ensuring DMS replication instances cannot be publicly accessed. DMS replication instances can contain sensitive information and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

ebs-snapshot-public-restorable-check

Manage access to the Amazon Web Services Cloud by ensuring EBS snapshots are not publicly restorable. EBS volume snapshots can contain sensitive information and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

ec2-instance-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

elasticsearch-in-vpc-only

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elasticsearch Service (Amazon ES) domains are within an Amazon Virtual Private Cloud (Amazon VPC). An Amazon ES domain within an Amazon VPC enables secure communication between Amazon ES and other services within the Amazon VPC without the need for an internet gateway, NAT device, or VPN connection.
AC.1.003 Verify and control/limit connections to and use of external information systems.

emr-master-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed. Amazon EMR cluster master nodes can contain sensitive information and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

ec2-instances-in-vpc

Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.
AC.1.003 Verify and control/limit connections to and use of external information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring Amazon Lambda functions cannot be publicly accessed. Public access can potentially lead to degradation of availability of resources.
AC.1.003 Verify and control/limit connections to and use of external information systems.

Deploy Amazon Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for secure communication between a function and other services within the Amazon VPC. With this configuration, there is no requirement for an internet gateway, NAT device, or VPN connection. All the traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. To properly manage access, Amazon Lambda functions should be assigned to a VPC.
AC.1.003 Verify and control/limit connections to and use of external information systems.

rds-instance-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

rds-snapshots-public-prohibited

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) snapshots are not public. Amazon RDS snapshots can contain sensitive information, and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

redshift-cluster-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, and access control is required for such accounts.
AC.1.003 Verify and control/limit connections to and use of external information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
AC.1.003 Verify and control/limit connections to and use of external information systems.

s3-bucket-public-write-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
AC.1.003 Verify and control/limit connections to and use of external information systems.

Ensure Amazon WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications. A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

cloudtrail-enabled

Amazon CloudTrail can help in non-repudiation by recording Amazon Web Services Management Console actions and API calls. You can identify the users and Amazon Web Services accounts that called an Amazon service, the source IP address from which the calls were made, and when the calls occurred. Details of the captured data are described in Amazon CloudTrail Record Contents.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

emr-kerberos-enabled

The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters. In Kerberos, the services and the users that need to authenticate are known as principals. The principals exist within a Kerberos realm. Within the realm, a Kerberos server is known as the key distribution center (KDC). It provides a means for the principals to authenticate. The KDC authenticates by issuing tickets for authentication. The KDC maintains a database of the principals within its realm, their passwords, and other administrative information about each principal.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

multi-region-cloudtrail-enabled

Amazon CloudTrail records Amazon Web Services Management Console actions and API calls. You can identify which users and accounts called Amazon, the source IP address from which the calls were made, and when the calls occurred. CloudTrail will deliver log files from all Amazon Web Services Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. Additionally, when Amazon launches a new Region, CloudTrail will create the same trail in the new Region. As a result, you will receive log files containing API activity for the new Region without taking any action.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

redshift-cluster-configuration-check

To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database. This rule requires that a value is set for clusterDbEncrypted (Config Default : TRUE), and loggingEnabled (Config Default: TRUE). The actual values should reflect your organization's policies.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

s3-bucket-logging-enabled

Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

iam-password-policy

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. They meet or exceed requirements as stated by NIST SP 800-63 and the Centers for Internet Security (CIS) Amazon Foundations Benchmark for password strength. This rule allows you to optionally set RequireUppercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireLowercaseCharacters (Amazon Foundational Security Best Practices value: true), RequireSymbols (Amazon Foundational Security Best Practices value: true), RequireNumbers (Amazon Foundational Security Best Practices value: true), MinimumPasswordLength (Amazon Foundational Security Best Practices value: 14), PasswordReusePrevention (Amazon Foundational Security Best Practices value: 24), and MaxPasswordAge (Amazon Foundational Security Best Practices value: 90) for your IAM Password Policy. The actual values should reflect your organization's policies.
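To show how the parameters above are checked in practice, here is an added example (not the Config rule's own code) that evaluates an IAM account password policy against the listed values. The sample policies are constructed; they use the key names IAM returns from GetAccountPasswordPolicy, and a key that IAM omits is treated as "not set".

```python
"""Evaluate an IAM account password policy against the parameter values listed above.
Added example, not the Config rule's own code. The sample policies are constructed and
use the key names IAM returns from GetAccountPasswordPolicy ("PasswordPolicy" in boto3)."""

# Rule parameters and the Foundational Security Best Practices values quoted in the table.
REQUIRED = {
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "MinimumPasswordLength": 14,    # minimum acceptable
    "PasswordReusePrevention": 24,  # minimum acceptable
    "MaxPasswordAge": 90,           # maximum acceptable, and it must be set
}


def evaluate_password_policy(policy: dict, required: dict = REQUIRED) -> list:
    """Return one message per violated parameter; an empty list means COMPLIANT."""
    violations = []
    for key, wanted in required.items():
        if key not in policy:
            # IAM omits PasswordReusePrevention and MaxPasswordAge entirely when they are
            # unset (no reuse limit, passwords never expire), so absence is a failure.
            violations.append(f"{key} not set (required {wanted})")
            continue
        actual = policy[key]
        if isinstance(wanted, bool):
            ok = actual is True
        elif key == "MaxPasswordAge":
            ok = 0 < actual <= wanted
        else:
            ok = actual >= wanted
        if not ok:
            violations.append(f"{key}={actual} (required {wanted})")
    return violations


# Constructed samples: a permissive policy and one that meets the values above.
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}
STRONG_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, evaluate_password_policy(pol) or "COMPLIANT")
```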
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

emr-kerberos-enabled

The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters. In Kerberos, the services and the users that need to authenticate are known as principals. The principals exist within a Kerberos realm. Within the realm, a Kerberos server is known as the key distribution center (KDC). It provides a means for the principals to authenticate. The KDC authenticates by issuing tickets for authentication. The KDC maintains a database of the principals within its realm, their passwords, and other administrative information about each principal.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

iam-user-mfa-enabled

Enable this rule to restrict access to resources in the Amazon Web Services Cloud. This rule ensures multi-factor authentication (MFA) is enabled for all IAM users. MFA adds an extra layer of protection on top of a user name and password. Reduce the incidents of compromised accounts by requiring MFA for IAM users.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

mfa-enabled-for-iam-console-access

Manage access to resources in the Amazon Web Services Cloud by ensuring that MFA is enabled for all Amazon Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring hardware MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an Amazon Web Services account. MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised Amazon Web Services accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

cloudwatch-alarm-action-check

Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. An alarm performs one or more actions based on the value of a metric or expression relative to a threshold over a number of time periods. This rule requires a value for alarmActionRequired (Config Default: True), insufficientDataActionRequired (Config Default: True), and okActionRequired (Config Default: False). The actual values should reflect the alarm actions for your environment.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds. These feeds include lists of malicious IPs, and GuardDuty also uses machine learning to identify unexpected, unauthorized, and malicious activity within your Amazon Web Services Cloud environment.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Amazon Security Hub helps to monitor unauthorized personnel, connections, devices, and software. Amazon Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple Amazon services. Some such services are Amazon Security Hub, Amazon Inspector, Amazon Macie, Amazon Identity and Access Management (IAM) Access Analyzer, Amazon Firewall Manager, and Amazon Partner solutions.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

restricted-ssh

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help manage network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

restricted-common-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity, and confidentiality of systems. This rule allows you to optionally set the blockedPort1 - blockedPort5 parameters (Config Defaults: 20,21,3389,3306,4333). The actual values should reflect your organization's policies.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

vpc-default-security-group-closed

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to Amazon resources. Restricting all the traffic on the default security group helps in restricting remote access to your Amazon resources.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

vpc-sg-open-only-to-authorized-ports

Manage access to resources in the Amazon Web Services Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access on ports to trusted sources can lead to attacks against the availability, integrity, and confidentiality of systems. By restricting access to resources within a security group from the internet (0.0.0.0/0), remote access to internal systems can be controlled.
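The four security group rules above (restricted-ssh, restricted-common-ports, vpc-default-security-group-closed and vpc-sg-open-only-to-authorized-ports) all evaluate the same ingress data. The following added example, which is not AWS Config's own evaluator, reproduces their core logic over constructed security groups shaped like an EC2 DescribeSecurityGroups response; the authorized port list (443) and the "TCP only" simplification are assumptions.

```python
"""Evaluate EC2 security groups against the four network checks described above.
Added example, not AWS Config's own evaluator; the input mimics the shape of an
EC2 DescribeSecurityGroups response and every sample group is constructed."""
from typing import Iterable

INTERNET = {"0.0.0.0/0", "::/0"}
COMMON_PORTS = (20, 21, 3389, 3306, 4333)  # Config defaults for restricted-common-ports


def _open_to_internet(perm: dict) -> bool:
    """True if any source range of the permission is the whole internet (v4 or v6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in INTERNET for c in cidrs)


def _covers_tcp_port(perm: dict, port: int) -> bool:
    """True if the permission admits TCP traffic to `port` ("-1" means all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_exposed_tcp_ports(sg: dict, ports: Iterable[int]) -> list:
    """Subset of `ports` reachable over TCP from the internet through this group."""
    perms = [p for p in sg.get("IpPermissions", []) if _open_to_internet(p)]
    return [port for port in ports if any(_covers_tcp_port(p, port) for p in perms)]


def restricted_ssh(sg: dict) -> bool:
    return not internet_exposed_tcp_ports(sg, [22])


def restricted_common_ports(sg: dict, blocked=COMMON_PORTS) -> bool:
    return not internet_exposed_tcp_ports(sg, blocked)


def vpc_default_security_group_closed(sg: dict) -> bool:
    if sg.get("GroupName") != "default":
        return True  # the rule only evaluates a VPC's default group
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def vpc_sg_open_only_to_authorized_ports(sg: dict, authorized=(443,)) -> bool:
    """COMPLIANT when every internet-open TCP permission stays inside `authorized`.
    Assumption: non-TCP permissions are not examined in this simplified check."""
    for perm in sg.get("IpPermissions", []):
        if not _open_to_internet(perm):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":
            return False
        if proto != "tcp":
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if any(p not in authorized for p in range(lo, hi + 1)):
            return False
    return True


CHECKS = {
    "restricted-ssh": restricted_ssh,
    "restricted-common-ports": restricted_common_ports,
    "vpc-default-security-group-closed": vpc_default_security_group_closed,
    "vpc-sg-open-only-to-authorized-ports": vpc_sg_open_only_to_authorized_ports,
}


def evaluate(sg: dict) -> dict:
    """Map each rule name to COMPLIANT / NON_COMPLIANT, as Config would report it."""
    return {name: "COMPLIANT" if fn(sg) else "NON_COMPLIANT" for name, fn in CHECKS.items()}


# Constructed samples: SSH open to the world; only 443 public and MySQL from the VPC only;
# and a default group that still allows traffic from itself (so it is not "closed").
BASTION_SG = {"GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
WEB_SG = {"GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DEFAULT_SG = {"GroupName": "default", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-self"}]}], "IpPermissionsEgress": []}
```

Running `evaluate()` over the three samples reproduces the findings each rule would raise: the bastion fails restricted-ssh and the authorized-ports check, the web group passes everything, and the default group fails only vpc-default-security-group-closed.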
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

alb-http-to-https-redirection-check

To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Because sensitive data can exist and to help protect data in transit, ensure encryption is enabled for your Elastic Load Balancing. Use Amazon Certificate Manager to manage, provision, and deploy public and private SSL/TLS certificates with Amazon services and internal resources.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

redshift-require-tls-ssl

Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

s3-bucket-ssl-requests-only

To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

alb-http-drop-invalid-header-enabled

Ensure that your Elastic Load Balancers (ELB) are configured to drop invalid HTTP headers. Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC). Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

elb-tls-https-listeners-only

Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

elasticsearch-in-vpc-only

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elasticsearch Service (Amazon ES) domains are within an Amazon Virtual Private Cloud (Amazon VPC). An Amazon ES domain within an Amazon VPC enables secure communication between Amazon ES and other services within the Amazon VPC without the need for an internet gateway, NAT device, or VPN connection.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

ec2-instances-in-vpc

Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

internet-gateway-authorized-vpc-only

Manage access to resources in the Amazon Web Services Cloud by ensuring that internet gateways are only attached to an authorized Amazon Virtual Private Cloud (Amazon VPC). Internet gateways allow bi-directional internet access to and from the Amazon VPC, which can potentially lead to unauthorized access to Amazon VPC resources.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Deploy Amazon Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for secure communication between a function and other services within the Amazon VPC. With this configuration, there is no requirement for an internet gateway, NAT device, or VPN connection. All the traffic remains securely within the Amazon Web Services Cloud. Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints. To properly manage access, Amazon Lambda functions should be assigned to a VPC.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

dms-replication-not-public

Manage access to the Amazon Web Services Cloud by ensuring DMS replication instances cannot be publicly accessed. DMS replication instances can contain sensitive information, and access control is required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

ebs-snapshot-public-restorable-check

Manage access to the Amazon Web Services Cloud by ensuring EBS snapshots are not publicly restorable. EBS volume snapshots can contain sensitive information, and access control is required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

ec2-instance-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information, and access control is required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

emr-master-no-public-ip

Manage access to the Amazon Web Services Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed. Amazon EMR cluster master nodes can contain sensitive information, and access control is required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring Amazon Lambda functions cannot be publicly accessed. Public access can potentially lead to degradation of availability of resources.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

rds-instance-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and principals and access control are required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

rds-snapshots-public-prohibited

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and principals and access control are required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

redshift-cluster-public-access-check

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, and principals and access control are required for such accounts.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

s3-account-level-public-access-blocks

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access. This rule allows you to optionally set the ignorePublicAcls (Config Default: True), blockPublicPolicy (Config Default: True), blockPublicAcls (Config Default: True), and restrictPublicBuckets (Config Default: True) parameters. The actual values should reflect your organization's policies.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

s3-bucket-public-read-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

s3-bucket-public-write-prohibited

Manage access to resources in the Amazon Web Services Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets. The management of access should be consistent with the classification of the data.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Manage access to resources in the Amazon Web Services Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

internet-gateway-authorized-vpc-only

Manage access to resources in the Amazon Web Services Cloud by ensuring that internet gateways are only attached to an authorized Amazon Virtual Private Cloud (Amazon VPC). Internet gateways allow bi-directional internet access to and from the Amazon VPC, which can potentially lead to unauthorized access to Amazon VPC resources.
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.

Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds. These feeds include lists of malicious IPs, and GuardDuty also uses machine learning to identify unexpected, unauthorized, and malicious activity within your Amazon Web Services Cloud environment.
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.

Amazon Security Hub helps to monitor unauthorized personnel, connections, devices, and software. Amazon Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple Amazon services. Some such services are Amazon Security Hub, Amazon Inspector, Amazon Macie, Amazon Identity and Access Management (IAM) Access Analyzer, Amazon Firewall Manager, and Amazon Partner solutions.
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.

cloudwatch-alarm-action-check

Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. An alarm performs one or more actions based on the value of a metric or expression relative to a threshold over a number of time periods. This rule requires a value for alarmActionRequired (Config Default: True), insufficientDataActionRequired (Config Default: True), and okActionRequired (Config Default: False). The actual values should reflect the alarm actions for your environment.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.

Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds. These feeds include lists of malicious IPs, and GuardDuty also uses machine learning to identify unexpected, unauthorized, and malicious activity within your Amazon Web Services Cloud environment.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.

Amazon Security Hub helps to monitor unauthorized personnel, connections, devices, and software. Amazon Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple Amazon services. Some such services are Amazon Security Hub, Amazon Inspector, Amazon Macie, Amazon Identity and Access Management (IAM) Access Analyzer, Amazon Firewall Manager, and Amazon Partner solutions.

Template

The template is available on GitHub: Operational Best Practices for CMMC Level 1.