Control Help Tips

AWS Custom Controls

Following is the list of controls that you can customize to suit your requirements. For each such control, you can change the specified parameter to any of the acceptable values listed below.

CID 2 - Ensure console credentials unused for 90 days or greater are disabled

Last accessed AWS console days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 200 or 45 (one value at a time).

-If the operator selected is 'Greater than' and the value entered is 30, this control will fail for every IAM user who has not accessed the AWS console for more than 30 days.

 

CID 3 - Ensure access keys unused for 90 days or greater are disabled

Access key unused days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 200 or 45 (one value at a time).

-If the operator selected is 'Greater than' and the value entered is 50, this control will fail for every access key of every IAM user that has not been used for more than 50 days.

 

CID 4 - Ensure access key1 is rotated every 90 days or less

Access key1 is not rotated in last days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 200 or 45 (one value at a time).

-If the operator selected is 'Greater than or equal to' and the value entered is 25, this control will fail for every access key1 that has not been rotated in the last 25 days, that is, whose age since its last rotation is 25 days or more.

 

CID 5 - Ensure access key2 is rotated every 90 days or less

Access key2 is not rotated in last days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 200 or 45 (one value at a time).

-If the operator selected is 'Greater than or equal to' and the value entered is 25, this control will fail for every access key2 that has not been rotated in the last 25 days, that is, whose age since its last rotation is 25 days or more.

 

CID 11 - Ensure IAM password policy requires minimum length of 14 or greater

IAM password length

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 200 or 45 (one value at a time).

-If the operator selected is 'Greater than' and the value entered is 15, this control will fail if the minimum password length set in the IAM password policy is 15 characters or less.

 

CID 12 - Ensure IAM password policy prevents password reuse

Number of previous IAM passwords remembered (password reuse prevention)

2, 3, 5

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 2, 3 or 5 (one value at a time).

-If the operator selected is 'Greater than or equal to' and the value entered is 3, this control will fail if the password reuse prevention setting in the IAM password policy remembers 3 or more previous passwords.

 

CID 13 - Ensure IAM password policy expires passwords within 90 days or less

IAM password policy password expiration period (in days)

34, 55, 45

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 55 or 45 (one value at a time).

-If the operator selected is 'Less than' and the value entered is 45, this control will fail if the password expiry set in the IAM password policy is less than 45 days.

 

CID 18 - Avoid the use of the root account

Days since the root account was last used

34, 55, 45

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-Example values - 34, 55 or 45 (one value at a time).

-If the operator selected is 'Less than' and the value entered is 45, this control will fail if the root account has been used within the last 45 days, that is, if the number of days since its last use is less than 45.
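The five day-count controls above (CID 2, 3, 4, 5 and 18) all reduce to the same rule: derive a number of days from the IAM credential report and compare it with the entered value using the selected operator. The following Python script is an added example written for this page, not code from the product: it evaluates those controls over a constructed credential report (the column names are those of `aws iam get-credential-report`; the rows and the fixed evaluation date are made up). One assumption is marked in the code: an active key that has never been used is measured from its rotation date, which the page does not specify.

```python
"""Evaluate the day-count controls (CID 2, 3, 4, 5 and 18) against an IAM
credential report using the page's operator semantics. Added example with a
constructed report; not the product's code."""
import csv
import io
import operator
from datetime import datetime, timezone

# Operators offered by the customization UI, as Python comparisons.
OPERATORS = {
    "Equals": operator.eq,
    "Greater than": operator.gt,
    "Greater than or equal to": operator.ge,
    "Less than": operator.lt,
    "Less than or equal to": operator.le,
}

# Constructed sample using the column names of `aws iam get-credential-report`
# (only the columns these controls read are included).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-10T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-15T09:00:00+00:00,true,2023-11-01T00:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,false,no_information,true,2024-05-10T00:00:00+00:00,N/A,true,2024-01-01T00:00:00+00:00,2024-02-01T00:00:00+00:00
"""

# Fixed "now" so the day counts are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PLACEHOLDERS = {"N/A", "no_information", "not_supported", ""}


def days_since(value, now=NOW):
    """Whole days from an ISO-8601 timestamp to `now`; None for report placeholders."""
    if value in PLACEHOLDERS:
        return None
    return (now - datetime.fromisoformat(value)).days


def load_report(text=CREDENTIAL_REPORT):
    return list(csv.DictReader(io.StringIO(text)))


def key_unused_days(row, n):
    """CID 3: days since key n was last used. Assumption (not stated on the
    page): an active key that was never used counts from its rotation date."""
    if row[f"access_key_{n}_active"] != "true":
        return None
    used = days_since(row[f"access_key_{n}_last_used_date"])
    return used if used is not None else days_since(row[f"access_key_{n}_last_rotated"])


def control_actuals(cid, row):
    """(subject, days) pairs for one report row; [] if the row is out of scope."""
    user = row["user"]
    if cid == 2:  # console credentials unused; only users with a password are in scope
        if row["password_enabled"] != "true":
            return []
        days = days_since(row["password_last_used"])
    elif cid == 3:  # any active access key unused
        pairs = []
        for n in (1, 2):
            days = key_unused_days(row, n)
            if days is not None:
                pairs.append((f"{user}/key{n}", days))
        return pairs
    elif cid in (4, 5):  # age of access key1 / key2 since last rotation
        n = 1 if cid == 4 else 2
        if row[f"access_key_{n}_active"] != "true":
            return []
        user, days = f"{user}/key{n}", days_since(row[f"access_key_{n}_last_rotated"])
    elif cid == 18:  # root account use (console sign-in is reported in password_last_used)
        if user != "<root_account>":
            return []
        days = days_since(row["password_last_used"])
    else:
        raise ValueError(f"unsupported control {cid}")
    return [(user, days)] if days is not None else []


def evaluate(cid, operator_name, threshold, report=None):
    """Subjects that FAIL the control. The page's rule for these controls is
    'fail when <actual days> <operator> <entered value>', e.g. 'Greater than' 30
    fails every user idle for more than 30 days."""
    compare = OPERATORS[operator_name]
    report = load_report() if report is None else report
    return [subject for row in report
            for subject, days in control_actuals(cid, row)
            if compare(days, threshold)]


if __name__ == "__main__":
    for cid, op, value in [(2, "Greater than", 30), (3, "Greater than", 50),
                           (4, "Greater than or equal to", 25),
                           (5, "Greater than or equal to", 25), (18, "Less than", 45)]:
        print(f"CID {cid} [{op} {value}] failing:", evaluate(cid, op, value))
```

Run as a script it prints the failing subjects for the operator/value pairs used in the examples above; pass `report=load_report(text)` with a real credential report to evaluate a live account. The root row also carries access-key columns, which this example does not fold into CID 18.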

 

CID 27 - Ensure a log metric filter and alarm exist for unauthorized API calls

Filter Pattern

{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

-This field expects a CloudWatch Logs metric filter pattern; the pattern shown above is the CIS-recommended one for unauthorized API calls.

-Unlike the numeric fields above, this field must accept special characters ($, braces, quotes and the * wildcard), since they are part of the filter pattern syntax.

-If the operator for this field is set to 'Equals' and the metric filter pattern entered matches the metric filter pattern present in AWS, this control will pass; otherwise it will fail. Enter the pattern exactly as it is deployed on the CloudWatch metric filter you intend to match.
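To see what the pattern above actually catches and misses, here is an added Python example, not the product's evaluator: a minimal matcher for this shape of CloudWatch Logs metric filter pattern, applied to a few constructed CloudTrail-style records. It handles a flat list of `$.path = "value"` terms joined by `||` or `&&`, with `*` as the only wildcard; nested groups, numeric comparisons and CloudWatch's exact handling of `!=` on a missing field are outside its scope and treated as assumptions.

```python
"""Minimal evaluator for the JSON-property form of a CloudWatch Logs metric
filter pattern, run over constructed CloudTrail-style records. Added example;
not the product's matcher and not a full implementation of the pattern syntax."""
import re

CIS_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

# One comparison term: ($.some.path = "value") or ($.some.path != "value")
TERM = re.compile(r'\(\s*\$\.([\w.]+)\s*(!?=)\s*"([^"]*)"\s*\)')
# The boolean operator between two adjacent terms.
JOIN = re.compile(r'\)\s*(\|\||&&)\s*\(')


def parse_pattern(pattern):
    """Return (terms, join_op). Raises ValueError for shapes not handled here."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("metric filter patterns for JSON logs are wrapped in { }")
    terms = TERM.findall(body)
    joins = set(JOIN.findall(body))
    if not terms or len(joins) > 1:
        raise ValueError("only a flat list of terms joined by one kind of operator is supported")
    return terms, (joins.pop() if joins else None)


def glob_to_regex(value):
    """Metric filter values use '*' as the only wildcard; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in value.split("*")) + "$")


def lookup(record, path):
    """Resolve a dotted property path inside a JSON record ($.a.b -> record['a']['b'])."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(parsed, record):
    terms, join = parsed
    results = []
    for path, op, value in terms:
        actual = lookup(record, path)
        hit = actual is not None and glob_to_regex(value).match(str(actual)) is not None
        # Assumption: '!=' is the plain negation of '='; a missing field therefore
        # satisfies '!='. CloudWatch's own handling of absent fields may differ.
        results.append(hit if op == "=" else not hit)
    return all(results) if join == "&&" else any(results)


# Constructed CloudTrail-style records (not real events).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e2", "eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventID": "e3", "eventName": "ListSecrets", "errorCode": "AccessDeniedException"},
    {"eventID": "e4", "eventName": "DescribeInstances"},  # successful call, no errorCode
    {"eventID": "e5", "eventName": "PutObject", "errorCode": "ThrottlingException"},
    {"eventID": "e6", "eventName": "Decrypt", "errorCode": "UnauthorizedOperationX"},  # suffix glob misses
]


def unauthorized_event_ids(events=SAMPLE_EVENTS, pattern=CIS_PATTERN):
    """eventIDs of records the pattern would count toward the metric."""
    parsed = parse_pattern(pattern)
    return [e["eventID"] for e in events if matches(parsed, e)]


if __name__ == "__main__":
    print(unauthorized_event_ids())
```

The leading and trailing wildcards matter: `*UnauthorizedOperation` catches the prefixed `Client.UnauthorizedOperation` that EC2 returns, and `AccessDenied*` catches both `AccessDenied` and the `AccessDeniedException` form many services use, while an error code that merely starts with `UnauthorizedOperation` is not counted.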

 

CID 41 - Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

Protocol

TCP, UDP, ICMP, ANY

-Protocol values accepted are ANY, TCP, UDP, ICMP.

-Multiple values will be accepted.

-When Protocol ICMP is selected, the value provided in the customizable parameter PORT will be ignored for control evaluation.

-When Protocol ICMP is selected, only ICMP for IPv4 is supported.

-When Protocol is set to ANY, control evaluation will ignore the protocol field set in security group rules.

-The AWS field TYPE is not supported by control customization. However, the combination of IP, Protocol and Port can be used to express the same rule matching. E.g. TYPE "HTTPS" on the AWS console corresponds to customizing the control with Protocol set to TCP and Port set to 443. Another example: TYPE "All Traffic" on the AWS console corresponds to Protocol set to ANY, Port set to the range 0-65535 and IP set to 0.0.0.0/0.

Port

80, 5465-5690, ANY

-Only the destination port will be evaluated.

-Multiple values will be accepted.

-Values can be provided as a single port, a port range, or comma separated ports/port ranges. E.g. 22, 2250-4000

-To cover the Any/ALL ports scenario, provide the entire port range "0-65535" while customizing the control. The port range "0-65535" will be matched against security group rules with the port configured as a port number, a port range, or "ANY".

-When Protocol ICMP is selected, the value provided in the customizable parameter PORT will be ignored for control evaluation.

Source IP Address

192.168.0.1 , 0.0.0.0/0

-This field accepts IPv4 and IPv6 addresses and CIDRs as well as Security Group and Prefix List identifiers.

-This field accepts only one type of value (IP, SG or PL) at a time. A mix of IP addresses, security groups and prefix lists cannot be provided in the IP address field for the same copy of a control.

-For data type IP, the field supports both IPv4 and IPv6 values for evaluation.

-Source IP addresses can be provided as CIDRs, e.g. 192.168.1.0/24, 0.0.0.0/0, ::/0

-Source IP addresses can be provided as comma separated values, e.g. 192.168.1.1, 192.168.1.2/32, 10.10.10.0/24

-If the IP address value is provided as a single IP (e.g. 192.168.1.1), it is evaluated against security group rules whose CIDR contains that IP. For example, if source IP address 192.168.1.1 is provided while configuring the control, it will match security group rules with source 192.168.1.1 as well as 192.168.1.0/24 (and any other CIDR that contains it, 0.0.0.0/0 included).

-If the IP address value is provided as a CIDR range (e.g. 192.168.1.1/32, 192.168.1.0/24), it is evaluated against security group rules by string match on the CIDR only. The CIDR range is not expanded, and source IPs in security group rules that fall inside the provided range are not matched.

-For example, if source IP address 192.168.1.0/24 is provided while configuring the control, it will match only security group rules with source 192.168.1.0/24. It will not match a rule whose source is, for example, 192.168.1.1, even though that address falls in the CIDR range 192.168.1.0/24. By the same rule, 0.0.0.0/0 does not match rules whose sources together cover the whole Internet (such as 0.0.0.0/1 plus 128.0.0.0/1), so review rules with unusually broad sources by hand.

-Providing the value 0.0.0.0/0 corresponds to the source set to ANYWHERE on the security group rule configuration UI.

 

CID 45 - S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users

Permissions

FULL_CONTROL | WRITE | WRITE_ACP | READ | READ_ACP

-Accepted values are FULL_CONTROL, WRITE, WRITE_ACP, READ, READ_ACP.

-Field accepts comma separated values.

-Field does not provide regex support.

List of Grantees

Canonical user ID

-By default, when this field is left blank, the control evaluates grants whose grantee is the "AllUsers" or "AuthenticatedUsers" group.

-This field accepts only canonical IDs.

-Field accepts comma separated values
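An added Python example, not the product's code, of the grant matching the two parameters above describe: it scans an ACL in the shape returned by boto3's `get_bucket_acl` (the ACL and the canonical IDs below are constructed) for grants of the listed permissions either to the default AllUsers/AuthenticatedUsers groups or to the listed canonical IDs.

```python
"""Find S3 ACL grants that hand a bucket to everyone, to any authenticated AWS
account, or to specific canonical user IDs, following the Permissions and
List of Grantees parameters. Added example over a constructed ACL."""

# Group URIs S3 uses for the two public-style grantees.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
VALID_PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}

# Constructed ACL in the boto3 get_bucket_acl shape; the canonical IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-000"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-000"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "partner-canonical-id-111"}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}


def parse_csv_param(value):
    """Split a comma separated parameter value; blanks are dropped."""
    return [v.strip() for v in value.split(",") if v.strip()]


def grantee_key(grantee):
    """Comparable identity for a grant: the group URI or the canonical user ID."""
    return grantee.get("URI") if grantee.get("Type") == "Group" else grantee.get("ID")


def offending_grants(acl, permissions, grantees=""):
    """(grantee, permission) pairs matching any listed permission for any listed
    grantee. With grantees blank, the page's default applies: AllUsers and
    AuthenticatedUsers. Unknown permission names are rejected, as the field has
    no regex support and accepts only the five listed values."""
    wanted_perms = set(parse_csv_param(permissions))
    unknown = wanted_perms - VALID_PERMISSIONS
    if unknown:
        raise ValueError(f"unsupported permission(s): {sorted(unknown)}")
    wanted_grantees = set(parse_csv_param(grantees)) or {ALL_USERS, AUTHENTICATED_USERS}
    return [(grantee_key(g["Grantee"]), g["Permission"])
            for g in acl["Grants"]
            if g["Permission"] in wanted_perms and grantee_key(g["Grantee"]) in wanted_grantees]


if __name__ == "__main__":
    for hit in offending_grants(SAMPLE_ACL, "FULL_CONTROL, WRITE, WRITE_ACP, READ, READ_ACP"):
        print("FAIL:", hit)
```

Note that the LogDelivery group grant is not reported: it is neither of the two default grantees, and the canonical-ID field cannot name it, so a bucket-logging delivery grant never trips this control on its own.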

 

CID 56 - Ensure database instance is not listening on a standard/default port

Endpoint port

80, 5465-5690

-This field accepts the ports on which you do not want the database to listen.

-By default a database engine listens on its well-known port (for example MySQL and MariaDB on 3306), and it is recommended that this port be changed.

-Values can be comma separated.

 

Azure Custom Controls

Following is the list of controls that you can customize to suit your requirements. For each such control, you can change the specified parameter to any of the acceptable values listed below.

CID 50013 - Ensure that default Auditing policy for a SQL Server is configured to capture and retain the activity logs

Log retention in Days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-If the operator selected is 'Greater than or equal to' and the value entered is 30, this control will fail if the log retention for a SQL Server is set to 30 or more days.

 

CID 50024 - Ensure that LogProfile for a subscription is configured properly

Log retention in Days

25, 16, 10

-This field will only accept values in numeric form.

-Alphabets and special characters cannot be entered as input for this text field.

-Multiple comma separated values are not allowed.

-Numeric values specified as a range are not allowed.

-The control is evaluated as per the Operator selected (Equals, Greater than etc.) and the input value entered by the user.

-If the operator selected is 'Greater than or equal to' and the value entered is 30, this control will fail if the log retention set in the subscription's log profile is 30 or more days.

 

CID 50029 - Disable RDP access on Network Security Groups from Internet (ANY IP)

Protocol

TCP , UDP, ICMP, ANY

-Protocol values accepted are ANY, TCP, UDP, ICMP.

-The Protocol value ANY is inclusive of TCP and UDP only; it will not cover rules with ICMP.

-Only one value will be accepted.

-When Protocol ICMP is selected, the value provided in the customizable parameter PORT will be ignored for control evaluation.

-When Protocol is set to ANY, control evaluation will ignore the protocol field set in network security group rules (other than ICMP, as noted above).

To Port

80, 546-569, *

-Only Destination port will be evaluated.

-Values can be provided as a single port, a port range, or comma separated ports/port ranges. E.g. 22, 2250-4000

-In order to cover Any/ALL ports scenario, "*" can be used.

-When Protocol ICMP is selected, value provided in customizable parameter PORT will be ignored for control evaluation.

Source IP Address

192.168.0.1

-Source IP addresses can be provided as CIDRs, e.g. 192.168.1.0/24, 0.0.0.0/0

-Source IP addresses can be provided as comma separated values, e.g. 192.168.1.1, 192.168.1.2, 10.10.10.0/24

-For data type IP, the field supports only IPv4 values for evaluation.

-If the IP address value is provided as a single IP (e.g. 192.168.1.1), it is evaluated against NSG rules whose CIDR contains that IP. For example, if source IP address 192.168.1.1 is provided while configuring the control, it will match NSG rules with source 192.168.1.1 as well as 192.168.1.0/24.

-If the IP address value is provided as a CIDR range (e.g. 192.168.1.1/32, 192.168.1.0/24), it is evaluated against NSG rules by string match on the CIDR only. The CIDR range is not expanded, and source IPs in NSG rules that fall inside the provided range are not matched.

-For example, if source IP address 192.168.1.0/24 is provided while configuring the control, it will match only NSG rules with source 192.168.1.0/24. It will not match an NSG rule whose source is, for example, 192.168.1.1, even though that address falls in the CIDR range 192.168.1.0/24.

-This field does not accept the Service Tags offered by the Azure NSG rule configuration blade.

-Providing the value 0.0.0.0/0 is equivalent to selecting Source "Any" as an IP address, or the Source Service Tag "Internet", on the Azure Portal NSG rule configuration blade.

Access

Allow, Deny

-Accepts only one value at a time.
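The matching rules spelled out for AWS CID 41 above and for Azure CID 50029 here (bare IP by containment, CIDR by string comparison, ports ignored for ICMP, protocol ignored for ANY) are easy to misjudge, so here they are as an added Python example, written for this page and not the product's evaluator, over a set of constructed ingress allow rules. The `icmp_under_any` flag captures the one difference the page states between the two clouds (AWS ANY includes ICMP, Azure ANY does not); the overlap semantics for ports and the treatment of an all-traffic rule as covering every protocol are assumptions marked in the code.

```python
"""Rule matching as described for the open-port controls (AWS CID 41, Azure
CID 50029). Added example over constructed rules; not the product's evaluator."""
import ipaddress

MAX_PORT = 65535
ALL_PORTS = (0, MAX_PORT)


def parse_ports(spec):
    """'80, 5465-5690, ANY' -> [(80, 80), (5465, 5690), (0, 65535)]. '*' also means all ports."""
    ranges = []
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        if item.upper() in ("ANY", "ALL", "*"):
            ranges.append(ALL_PORTS)
        elif "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            ranges.append((low, high))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def ports_overlap(param_ranges, rule_range):
    """Assumption (not spelled out on the page): a rule matches when its port range
    overlaps any customized port or range, so an all-ports rule matches port 22."""
    low, high = rule_range
    return any(a <= high and b >= low for a, b in param_ranges)


def source_matches(param_source, rule_source):
    """Page semantics: a CIDR parameter is compared as a string only; a bare IP is
    tested for containment in the rule's CIDR. SG / prefix list IDs compare as strings."""
    if "/" in param_source:
        return param_source == rule_source
    try:
        ip = ipaddress.ip_address(param_source)
        net = ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        return param_source == rule_source
    return ip.version == net.version and ip in net


def protocol_matches(rule_protocol, protocols, icmp_under_any):
    if rule_protocol == "ICMP":
        # AWS: ANY covers ICMP; Azure NSG: ANY means TCP and UDP only.
        return "ICMP" in protocols or (icmp_under_any and "ANY" in protocols)
    # Assumption: an "all traffic" rule (protocol ANY) covers every customized protocol.
    return "ANY" in protocols or rule_protocol == "ANY" or rule_protocol in protocols


def rule_matches(rule, protocols, port_ranges, sources, icmp_under_any):
    if not protocol_matches(rule["protocol"], protocols, icmp_under_any):
        return False
    if rule["protocol"] != "ICMP" and not ports_overlap(port_ranges, rule["ports"]):
        return False  # ports are ignored for ICMP rules
    return any(source_matches(s, rule["source"]) for s in sources)


def failing_rules(rules, protocol_spec, port_spec, source_spec, icmp_under_any=True):
    """IDs of ingress rules the customized control would flag. Use
    icmp_under_any=False for the Azure NSG control (CID 50029)."""
    protocols = [p.strip().upper() for p in protocol_spec.split(",")]
    port_ranges = parse_ports(port_spec)
    sources = [s.strip() for s in source_spec.split(",")]
    return [r["id"] for r in rules
            if rule_matches(r, protocols, port_ranges, sources, icmp_under_any)]


# Constructed ingress allow rules; the same shape stands in for an AWS SG or an Azure NSG rule.
RULES = [
    {"id": "r1", "protocol": "TCP", "ports": (22, 22), "source": "0.0.0.0/0"},
    {"id": "r2", "protocol": "TCP", "ports": (22, 22), "source": "0.0.0.0/1"},     # lower half of IPv4
    {"id": "r3", "protocol": "TCP", "ports": (22, 22), "source": "128.0.0.0/1"},   # upper half of IPv4
    {"id": "r4", "protocol": "ANY", "ports": ALL_PORTS, "source": "0.0.0.0/0"},    # "All traffic"
    {"id": "r5", "protocol": "TCP", "ports": (22, 22), "source": "192.168.1.0/24"},
    {"id": "r6", "protocol": "ICMP", "ports": None, "source": "0.0.0.0/0"},
    {"id": "r7", "protocol": "TCP", "ports": (22, 22), "source": "::/0"},          # IPv6, AWS field only
]

if __name__ == "__main__":
    # CID 41 as shipped: r2 and r3 together expose SSH to the whole Internet but are
    # not flagged, because a CIDR parameter is a string comparison.
    print(failing_rules(RULES, "TCP", "22", "0.0.0.0/0"))
```

Running it shows the practical caveat: with the shipped parameters (TCP, 22, 0.0.0.0/0) only r1 and r4 are flagged, while r2 and r3 jointly expose SSH to every IPv4 address and pass. Conversely a bare IP such as 192.168.1.1 is flagged against every rule whose CIDR contains it, including 0.0.0.0/0 and 128.0.0.0/1, not just the /24 you had in mind.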