CIS Security Controls Mapping

This document provides a summary of the CIS Amazon Web Services Foundations Benchmark version 1.2 from May 23, 2018. It describes the security requirements and how this AWS Quick Start package addresses some of them through AWS Config rules, CloudWatch alarms, and other services. The Quick Start allows automatic configuration of CloudTrail and AWS Config in the deployment region but does not configure them in all regions. It also notes some prerequisites for the stack deployment.

Uploaded by

Manish Agarwal
AWS Enterprise Accelerator - Compliance: Quick Start

Standardized Architecture for CIS Amazon Web Services Foundations Benchmark

Security Requirements Reference, v1.2.0, 05-23-2018

This document describes the CIS Amazon Web Services Foundations Security Requirements that are directly addressed by this AWS Quick Start package. Additional information about this benchmark can be found at
https://benchmarks.cisecurity.org/en-us/?route=downloads.form.awsfoundations.110

It is important to note that the Description of AWS Implementation details and Additional Guidance in this document are not exhaustive, and must be reviewed, evaluated, assessed, and approved by the customer organization, and layered with other security features that address all of the in-scope systems and applications for a holistic solution t

The controls are a combination of AWS Config Rules (both AWS-managed and custom), Amazon CloudWatch rules, and Amazon CloudWatch alarms. Please note that these resources will incur costs in your account; please refer to the pricing model for each service.

The following preconditions must be met before the stack can be launched. This Quick Start does provide customers with an option of configuring AWS CloudTrail and AWS Config. Customers can choose to do so or choose to configure these services themselves.
Precondition 1: AWS Config must be turned on in the region where this template will be run. This is needed for Config Rules.
Precondition 2: AWS CloudTrail must be turned on and must be delivering logs to CloudWatch Logs. This is needed for CloudWatch metrics and alarms.
Precondition 3: AWS Lambda must be supported in the region where this template will be launched.
See this page for AWS services region support:
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/

CIS AWS Foundations Benchmarks v1.2 05-23-2018

The mapping table has four columns: CIS AWS Foundations Benchmarks Controls, Description of AWS Implementation, Additional AWS Guidance, and Control Enforcement Responsibility. They are listed below control by control. Lines in the Additional AWS Guidance column are reproduced as they appear in the source sheet, including their truncated right edge.

1 Identity and Access Management

1.1 Avoid the use of the "root" account (Scored)
Description of AWS Implementation: This control is implemented using the AWS CloudWatch Alarm and custom Log Metric Filter defined for control 3.3, which reports if the root account is being used.
Additional AWS Guidance:
We recommend that Root accounts should not be used and that the credentials not be shared with anyone else
should leverage IAM Groups, Roles and Users to grant access to specific AWS resources. Refer to IAM Best Practi
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Control Enforcement Responsibility: Customer

1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a password (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of IAM users against this control. The Config rule DOES NOT enforce this control by enabling MFA for any of the IAM users.
Additional AWS Guidance:
For extra security, we recommend that customers enable multi-factor authentication (MFA) for IAM users based
by the config rule.
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure that IAM Users with a password have MFA enabled. For remed
the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of IAM users' credentials against this control. The Config rule DOES NOT enforce this control by disabling credentials.
Additional AWS Guidance:
We recommend that unused credentials be disabled by customers based on the Compliance reported by the Co
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure that credentials unused for 90 days or greater are disabled. Fo
1.3 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pd
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.4 Ensure access keys are rotated every 90 days or less (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of IAM users with active access keys against this control. The Config rule DOES NOT enforce this control by rotating the access keys.
Additional AWS Guidance:
We recommend that access keys be rotated by customers based on the Compliance reported by the Config rule
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure that Access keys are rotated every 90 days or less. For remedia
document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 Ensure IAM password policy requires at least one lowercase letter (Scored)
1.7 Ensure IAM password policy requires at least one symbol (Scored)
1.8 Ensure IAM password policy requires at least one number (Scored)
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 Ensure IAM password policy prevents password reuse (Scored)
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
Description of AWS Implementation (1.5 through 1.11): The Quick Start creates an AWS Managed Config Rule to check the compliance status of the password policy against these specific CIS controls. The Config rule does not enforce any security controls.
Additional AWS Guidance (1.5 through 1.11):
We recommend that a strong password policy be set for IAM users.
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure that the password policy meets the controls requirements. For
1.5 through 1.11 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_B
Control Enforcement Responsibility (1.5 through 1.11): Shared (Config rule and Customer)

1.12 Ensure no root account access key exists (Scored)
1.13 Ensure MFA is enabled for the "root" account (Scored)
1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
Description of AWS Implementation (1.12 through 1.14): This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of root account access keys and MFA settings for the root account. The Config rule DOES NOT enforce this control by changing any root account information.
Additional AWS Guidance (1.12):
We recommend that you create an IAM user for yourself that has administrative privileges and avoid generating
account.
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure that no root account access key exists. For remediation, refer t
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Additional AWS Guidance (1.13):
We recommend that MFA be enabled for the root account.
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure MFA is enabled for root account. For remediation, refer to con
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Additional AWS Guidance (1.14):
We recommend that MFA be enabled for the root account.
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure hardware MFA is enabled for root account. For remediation, re
document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility (1.12 through 1.14): Shared (Config rule and Customer)

1.15 Ensure security questions are registered in the AWS account (Not Scored)
Description of AWS Implementation: The Quick Start does not provide any implementation for this control due to the lack of APIs to automate this.
Additional AWS Guidance:
Security Questions are highly recommended to be set up to help you recover root login access, if lost. For remed
the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Customer

1.16 Ensure IAM policies are attached only to groups or roles (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of IAM policies attached only to IAM Groups or Roles. The Config rule DOES NOT enforce this control by attaching IAM policies to either IAM Groups or Roles.
Additional AWS Guidance:
We recommend that you assign IAM Policies to either IAM Groups or IAM Roles to reduce the complexity of acc
of users grow.
If the Config rule reports NonCompliance, ensure IAM policies are attached only to Groups or Roles. For remedia
document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.17 Maintain Current contact details (Not Scored)
Description of AWS Implementation: The Quick Start does not provide any implementation for this control due to the lack of APIs to automate this.
Additional AWS Guidance:
We recommend that current contact details be maintained. AWS uses this to contact the account owner when pro
are observed within an account.
For remediation, refer to control 1.17 in the document
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Customer

1.18 Ensure Security contact information is registered (Not Scored)
Description of AWS Implementation: The Quick Start does not provide any implementation for this control due to the lack of APIs to automate this.
Additional AWS Guidance:
We recommend that the Security contact information be kept current. Specifying security-specific contact inform
security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.
For remediation, refer to control 1.18 in the document
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Customer

1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status of EC2 Instances which do not have an Instance Profile attached to them. The Config rule DOES NOT enforce this control by attaching Instance Profiles to EC2 Instances.
Additional AWS Guidance:
We recommend that IAM Roles be attached to an EC2 Instance to provide temporary credentials for the applicati
Instances
Refer to IAM Best Practices at the following link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
If the Config rule reports NonCompliance, ensure IAM Instance roles are used for EC2 Instances. For remediation
document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Note: IAM Roles can be attached to running Instances. See this documentation
https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-us
sc_channel=sm&sc_campaign=rolesforrunninginstances&sc_publisher=tw&sc_medium=social&sc_content=read
post&sc_country=global&sc_geo=global&sc_category=ec2&sc_outcome=launch
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.20 Ensure a support role has been created to manage incidents with AWS Support (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether a Support role exists or not. The Config rule DOES NOT enforce this control by creating a Support role. When the "AWSSupportAccess" managed policy is not assigned to any IAM User, Role or Group, the Config rule will not list any resources. When the "AWSSupportAccess" managed policy is assigned to any IAM User, Role or Group, the Config rule will list the resources as being compliant.
Additional AWS Guidance:
It is recommended that customers create an IAM Role to allow authorized users to manage incidents with AWS
If the Config rule reports NonCompliance, ensure that at least 1 IAM Role, User or Group has the AWSSupportAcces
remediation, refer to control 1.20 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CI
Control Enforcement Responsibility: Shared (Config rule and Customer)

1.21 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
Description of AWS Implementation: The Quick Start does not provide any implementation for this control.
Additional AWS Guidance:
It is recommended that additional steps be taken by their user upon profile creation to understand the intent of
For remediation, refer to control 1.21 in the document
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Customer

1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on IAM Policies allowing Admin privileges. The Config rule DOES NOT enforce this control by deleting such Policies.
Additional AWS Guidance:
It is recommended that IAM policies do not allow full administrative privileges and that the policies follow the p
If the Config rule reports NonCompliance, ensure that IAM Policies provide least privilege access to AWS resourc
control 1.22 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Bench
Control Enforcement Responsibility: Shared (Config rule and Customer)

2 Logging

2.1 Ensure CloudTrail is enabled in all regions (Scored)
Description of AWS Implementation: This Quick Start provides customers an option to automatically configure CloudTrail in the AWS region where this Quick Start is being run. CloudTrail is not enabled in all regions. This is because CloudTrail Logs need to be delivered to CloudWatch Logs within each region. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether CloudTrail is enabled in all regions. The Config rule DOES NOT enforce this control by enabling CloudTrail in all regions.
Additional AWS Guidance:
This Quick Start provides customers an option to automatically configure CloudTrail in the AWS region where this
accounts which do not have CloudTrail configured, should choose this option for the CIS CloudFormation templat
If the Config rule reports NonCompliance, customers can choose to enable CloudTrail in all regions and configure
remediation, refer to control 2.1 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.2 Ensure CloudTrail log file validation is enabled (Scored)
Description of AWS Implementation: This Quick Start enables CloudTrail log file validation when customers choose to automatically configure CloudTrail via the template. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether CloudTrail log file validation is enabled. The Config rule DOES NOT enforce this control by enabling CloudTrail log file validation.
Additional AWS Guidance:
If the Config rule reports NonCompliance, ensure CloudTrail log file validation is enabled. For remediation, refer
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
Description of AWS Implementation: This Quick Start ensures that the S3 Bucket for CloudTrail is not publicly accessible when customers choose to automatically configure CloudTrail via the template. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether the CloudTrail log file S3 Bucket is publicly accessible. The Config rule DOES NOT enforce this control by changing S3 Bucket ACLs.
Additional AWS Guidance:
If the Config rule reports NonCompliance, ensure S3 Bucket configured for CloudTrail to log to is not publicly acc
to control 2.3 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benc
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
Description of AWS Implementation: This Quick Start ensures that CloudTrail trails are integrated with CloudWatch Logs when customers choose to automatically configure CloudTrail via the template. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether CloudTrail logs are integrated with CloudWatch Logs. The Config rule DOES NOT enforce this control by configuring CloudTrail to deliver logs to CloudWatch Logs.
Additional AWS Guidance:
If the Config rule reports NonCompliance, ensure that CloudTrail trails are integrated with CloudWatch Logs. For r
in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.5 Ensure AWS Config is enabled in all regions (Scored)
Description of AWS Implementation: This Quick Start provides customers an option to automatically configure Config at a regional level via the template.
Additional AWS Guidance:
This Quick Start provides customers an option to automatically configure AWS Config at a regional level. Custome
have Config configured, should choose this option for the CIS CloudFormation template to execute successfully.
For manual remediation, refer to control 2.5 in the document
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (CloudFormation template and Customer)

2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
Description of AWS Implementation: This Quick Start ensures that S3 bucket access logging is enabled on the CloudTrail S3 bucket when customers choose to automatically configure CloudTrail via the template. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether all S3 Buckets have logging enabled. The Config rule DOES NOT enforce this control by configuring logging on any S3 bucket.
Additional AWS Guidance:
It is recommended that Logging be enabled for all S3 Buckets. Configuring logs to be placed in a separate bucket
information which can be useful in security and incident response workflows.
If the Config rule reports NonCompliance, enable CloudTrail S3 bucket access logging. For remediation, refer to c
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
Description of AWS Implementation: This Quick Start ensures that CloudTrail logs are encrypted at rest using KMS CMKs when customers choose to automatically configure CloudTrail via the template. This control is also implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether CloudTrail logs are encrypted. The Config rule DOES NOT enforce this control by enabling CloudTrail log file validation.
Additional AWS Guidance:
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user mu
the corresponding log bucket and must be granted decrypt permission by the CMK policy.
If the Config rule reports NonCompliance, ensure CloudTrail logs are encrypted at rest using KMS CMKs. For rem
the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (CloudFormation template, Config rule and Customer)

2.8 Ensure rotation for customer created CMKs is enabled (Scored)
Description of AWS Implementation: This control is implemented as a Config Rule backed by a custom Lambda function. The Config Rule reports back the compliance status on whether the rotation for any CMKs is enabled. The Config rule DOES NOT enforce this control by enabling CMK rotation.
Additional AWS Guidance:
It is recommended to rotate encryption keys to reduce the potential impact of a compromised key as data encry
accessed with a previous key that may have been exposed.
If the Config rule reports NonCompliance, ensure rotation of customer created CMKs is enabled. For remediati
document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)

2.9 Ensure VPC flow logging is enabled in all VPCs (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether VPC Flow Logging is enabled. The Config rule DOES NOT enforce this control by enabling VPC Flow Logging.
Additional AWS Guidance:
It is recommended to have VPC Flow Logs enabled to provide visibility into network traffic that traverses the VPC
traffic or insight during security workflows.
If the Config rule reports NonCompliance, ensure VPC Flow logging is enabled in all VPCs. For remediation, refer
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)

3 Monitoring

3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Alarm and a custom Log Metric Filter to report on multiple unauthorized action or login attempts.
Additional AWS Guidance:
It is recommended that customers monitor unauthorized API calls which will help reveal application errors and m
malicious activity.
Control Enforcement Responsibility: Shared (CloudWatch Alarm and Customer)

3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Alarm and a custom Log Metric Filter to report on Management Console logins without MFA.
Additional AWS Guidance:
It is recommended that customers monitor for single-factor console logins. This will increase visibility into accou
MFA.
Control Enforcement Responsibility: Shared (CloudWatch Alarm and Customer)

3.3 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Alarm and a custom Log Metric Filter to report if the root account is used.
Additional AWS Guidance:
It is recommended that customers monitor for root account logins which will provide visibility into the use of a f
opportunity to reduce the use of it.
Control Enforcement Responsibility: Shared (CloudWatch Alarm and Customer)

3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for IAM policy changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to IAM policies which will help ensure authentication and au
intact.
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for CloudTrail changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to CloudTrail's configuration which will help ensure sustaine
performed in the AWS account.
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Alarm and a custom Log Metric Filter to report if there are multiple Management Console login failures.
Additional AWS Guidance:
It is recommended that customers monitor failed console logins. This may decrease lead time to detect an attem
which may provide an indicator, such as source IP, that can be used in other event correlation.
Control Enforcement Responsibility: Shared (CloudWatch Alarm and Customer)

3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Alarm and a custom Log Metric Filter to report if customer created CMKs get disabled or scheduled for deletion.
Additional AWS Guidance:
It is recommended that customers monitor deletion or disabling of CMKs. Data encrypted with disabled or delet
accessible.
Control Enforcement Responsibility: Shared (CloudWatch Alarm and Customer)

3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for S3 bucket policy changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to S3 bucket policies to reduce time to detect and correct p
S3 buckets.
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for Config changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to AWS Config configuration which will help ensure sustaine
items within the AWS account.
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for security group changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to security groups which will help ensure that resources and
exposed.
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
Description of AWS Implementation: The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for network access control list changes and publishes the changes to an SNS topic.
Additional AWS Guidance:
It is recommended that customers monitor changes to NACLs to help ensure that AWS resources and services ar
Control Enforcement Responsibility: Shared (CloudWatch Rule and Customer)

3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
Description of AWS Implementation (3.12 through 3.14): The Quick Start creates an AWS CloudWatch Rule that matches incoming CloudWatch Events for network gateway, route table and VPC changes and publishes the changes to an SNS topic.
Additional AWS Guidance (3.12):
It is recommended that customers monitor changes to network gateways which will help ensure that all ingress/
border via a controlled path.
Additional AWS Guidance (3.13 and 3.14):
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitori
configuration will help ensure that all VPCs remain intact.
Control Enforcement Responsibility (3.12 through 3.14): Shared (CloudWatch Rule and Customer)

4 Networking

4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
Description of AWS Implementation: This control is implemented as an AWS Managed Config Rule to report back the compliance status on whether security groups allow ingress from 0.0.0.0/0 to port 22. The Config rule DOES NOT enforce this control by restricting security group ingress traffic from 0.0.0.0/0 to port 22.
Additional AWS Guidance:
It is recommended that customers remove unfettered connectivity to remote console services, such as SSH, redu
If the Config rule reports NonCompliance, ensure no security groups allow Ingress from 0.0.0.0/0 to port 22. For
4.1 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pd
Control Enforcement Responsibility: Shared (Config rule and Customer)

4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
Description of AWS Implementation: This control is implemented as an AWS Managed Config Rule to report back the compliance status on whether security groups allow ingress from 0.0.0.0/0 to port 3389. The Config rule DOES NOT enforce this control by restricting security group ingress traffic from 0.0.0.0/0 to port 3389.
Additional AWS Guidance:
It is recommended that customers remove unfettered connectivity to remote console services, such as RDP, red
If the Config rule reports NonCompliance, ensure no security groups allow Ingress from 0.0.0.0/0 to port 3389. F
4.2 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pd
Control Enforcement Responsibility: Shared (Config rule and Customer)

4.3 Ensure the default security group of every VPC restricts all traffic (Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether the default security groups restrict all traffic. The Config rule DOES NOT enforce this control by configuring the default security groups.
Additional AWS Guidance:
It is recommended to configure all VPC default security groups to restrict all traffic. This will encourage least priv
development and mindful placement of AWS resources into security groups which will in-turn reduce the exposu
If the Config rule reports NonCompliance, ensure that the default security group of every VPC restricts all traffic.
control 4.3 in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchm
Control Enforcement Responsibility: Shared (Config rule and Customer)

4.4 Ensure routing tables for VPC peering are "least access" (Not Scored)
Description of AWS Implementation: This control is implemented as a Config rule backed by a custom Lambda function. The Config rule reports back the compliance status on whether the VPC routing tables are configured with "least access". The Config rule DOES NOT enforce this control by configuring routing tables for VPC peering.
Additional AWS Guidance:
Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as reso
are inaccessible to the peered VPC.
If the Config rule reports NonCompliance, ensure that the routing tables for VPC peering are "least access". For r
in the document https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Control Enforcement Responsibility: Shared (Config rule and Customer)
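The custom Config rules described for controls 1.2, 1.3, 1.4, 1.12 and 1.13 evaluate IAM credentials and report compliance without changing anything in the account. The block below is an added example, not the Quick Start's own Lambda code: it applies those five checks to an IAM credential report (the CSV that `aws iam get-credential-report` returns, here a constructed sample trimmed to the columns used) and shapes the result the way a custom Config rule's Lambda hands evaluations to `PutEvaluations`. The 90-day limit is the one the controls state; the evaluation date, account ID and user names are assumptions, and the `boto3` call is left out so the block runs offline.

```python
"""Detect-only evaluation of CIS 1.2, 1.3, 1.4, 1.12 and 1.13 from an IAM credential report.

Added example; not the Quick Start's Lambda code. The report below is constructed and
trimmed to the columns used here (the real `aws iam get-credential-report` CSV has more).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2018-05-01T10:00:00+00:00,false,true,2017-01-10T00:00:00+00:00,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2018-05-20T09:00:00+00:00,true,true,2018-04-01T00:00:00+00:00,2018-05-20T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,2017-12-01T09:00:00+00:00,false,false,N/A,N/A
deploy,arn:aws:iam::111122223333:user/deploy,false,no_information,false,true,2017-11-01T00:00:00+00:00,2018-05-22T00:00:00+00:00
"""

# Assumed evaluation date (the benchmark's publication date); a Lambda would use datetime.now(timezone.utc).
NOW = datetime(2018, 5, 23, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)  # the 90-day limit stated by controls 1.3 and 1.4
ROOT = "<root_account>"


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def evaluate(report_csv=SAMPLE_REPORT, now=NOW):
    """Return {control: {principal: ComplianceType}}.

    Nothing here disables a credential or rotates a key: like the Quick Start's rules,
    it only reports COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE.
    """
    results = {c: {} for c in ("1.2", "1.3", "1.4", "1.12", "1.13")}
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        pw_enabled = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"
        key_rotated = _parse_ts(row["access_key_1_last_rotated"])
        # A key that was never used is aged from its creation/rotation date.
        key_used = _parse_ts(row["access_key_1_last_used_date"]) or key_rotated
        pw_used = _parse_ts(row["password_last_used"])

        if name == ROOT:
            # 1.12: no root access key may exist.  1.13: root must have MFA.
            results["1.12"][name] = "NON_COMPLIANT" if key_active else "COMPLIANT"
            results["1.13"][name] = "COMPLIANT" if mfa else "NON_COMPLIANT"
            continue

        # 1.2: every IAM user with a console password must have MFA.
        if not pw_enabled:
            results["1.2"][name] = "NOT_APPLICABLE"
        else:
            results["1.2"][name] = "COMPLIANT" if mfa else "NON_COMPLIANT"

        # 1.3: a password or active key unused for 90 days or more should be disabled.
        stale = (pw_enabled and (pw_used is None or now - pw_used >= MAX_AGE)) or (
            key_active and (key_used is None or now - key_used >= MAX_AGE)
        )
        results["1.3"][name] = "NON_COMPLIANT" if stale else "COMPLIANT"

        # 1.4: an active access key must have been rotated within the last 90 days.
        if not key_active:
            results["1.4"][name] = "NOT_APPLICABLE"
        elif key_rotated is None or now - key_rotated >= MAX_AGE:
            results["1.4"][name] = "NON_COMPLIANT"
        else:
            results["1.4"][name] = "COMPLIANT"
    return results


def to_config_evaluations(results, now=NOW):
    """Shape results like the Evaluations list a rule Lambda passes to config.put_evaluations().

    The boto3 call is omitted so the block runs offline; AWS::::Account is the resource
    type used for account-level findings such as the root checks.
    """
    evaluations = []
    for control, principals in results.items():
        for name, status in principals.items():
            evaluations.append({
                "ComplianceResourceType": "AWS::::Account" if name == ROOT else "AWS::IAM::User",
                "ComplianceResourceId": name,
                "ComplianceType": status,
                "Annotation": f"CIS {control}",
                "OrderingTimestamp": now.isoformat(),
            })
    return evaluations


if __name__ == "__main__":
    for ev in to_config_evaluations(evaluate()):
        print(f'{ev["Annotation"]:9} {ev["ComplianceResourceId"]:15} {ev["ComplianceType"]}')
```

On the constructed report, bob is non-compliant for 1.2 and 1.3, deploy for 1.4, and the root row for both 1.12 and 1.13; a user without a password or key gets NOT_APPLICABLE rather than a pass, so the rule's dashboard does not over-count compliance. Remediation stays with the customer, exactly as the Control Enforcement Responsibility column says.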

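Controls 3.1, 3.2, 3.3 and 3.6 are implemented as CloudWatch Logs metric filters on the CloudTrail log group plus CloudWatch alarms. The block below is an added example, not the Quick Start's filters: it restates the filter patterns that the CIS benchmark v1.2 publishes for those four controls as Python predicates, runs them over constructed CloudTrail log lines, counts matches the way a metric filter would, and applies an alarm threshold. The event contents and the threshold values are assumptions.

```python
"""CIS 3.1, 3.2, 3.3 and 3.6 detections over CloudTrail events, written as predicates.

Added example; not the Quick Start's metric filters. In the Quick Start each check is a
CloudWatch Logs metric filter on the CloudTrail log group plus a CloudWatch alarm. The
filter-pattern strings in the comments are the ones the CIS benchmark v1.2 publishes;
the log lines below are constructed.
"""
import fnmatch
import json

# Constructed CloudTrail records, one JSON document per line as delivered to CloudWatch Logs.
SAMPLE_LOG_LINES = """\
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","accountId":"111122223333"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"Client.UnauthorizedOperation","errorMessage":"You are not authorized to perform this operation."}
{"eventName":"GetObject","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app/i-0abc"},"errorCode":"AccessDenied","errorMessage":"Access Denied"}
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"ListBuckets","eventType":"AwsApiCall","userIdentity":{"type":"Root","invokedBy":"AWS Internal"}}
"""


def unauthorized_api_call(ev):
    # CIS 3.1: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = ev.get("errorCode", "")
    return fnmatch.fnmatchcase(code, "*UnauthorizedOperation") or fnmatch.fnmatchcase(code, "AccessDenied*")


def console_login_without_mfa(ev):
    # CIS 3.2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    return ev.get("eventName") == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def root_account_usage(ev):
    # CIS 3.3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident and ev.get("eventType") != "AwsServiceEvent"


def console_auth_failure(ev):
    # CIS 3.6: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    return ev.get("eventName") == "ConsoleLogin" and ev.get("errorMessage") == "Failed authentication"


FILTERS = {
    "3.1 unauthorized API calls": unauthorized_api_call,
    "3.2 console sign-in without MFA": console_login_without_mfa,
    "3.3 root account usage": root_account_usage,
    "3.6 console authentication failures": console_auth_failure,
}


def parse_log_lines(text):
    """Split a CloudWatch Logs delivery into CloudTrail event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_matches(events, filters=FILTERS):
    """Metric-filter step: one data point per event that matches each filter."""
    return {name: sum(1 for ev in events if pred(ev)) for name, pred in filters.items()}


def alarms(counts, threshold=1):
    """Alarm step: filters whose count in the evaluation period reached the threshold.

    The threshold is an assumption; the mapping does not state the Quick Start's alarm settings.
    """
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = count_matches(parse_log_lines(SAMPLE_LOG_LINES))
    for name, n in counts.items():
        print(f"{name}: {n}")
    print("alarming:", alarms(counts))
```

Two details worth noticing when tuning these filters: the 3.3 pattern excludes root events that carry `invokedBy`, so service-initiated activity on behalf of the account does not page anyone, and the v1.2 pattern for 3.2 also matches failed sign-ins (they carry `MFAUsed: No`), which is why the two failed logins in the sample raise the 3.2 count as well as the 3.6 count; later benchmark revisions tighten that pattern with a success check.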