aws-cis-foundation-benchmark-checklist fails

Question

aws-cis-foundation-benchmark-checklist fails

lang7 opened this issue 7 years ago · 8 comments

3.8, 3.9, 3.13 Fail checks because of metric /alarm / subscription missing.

Answer 1 · 2017-07-05T13:00:18.000Z

@lang7 3.8, 3.9 and 3.13 is working for me

Answer 2 · 2017-07-05T14:28:52.000Z

@Infectsoldier It looks like the LogGroup Metric Filters are not being created - the checks for 3.8, 3.9, and 3.13 are covered by Event Rules / Lambda functions. I don't think aws-cis-foundation-benchmark-checklist.py checks for this ?

Answer 3 · 2017-07-05T15:14:43.000Z

@lang7 you are correct. I had to build my own Metric Filters and Alarms to satisfy that check with the python code. Same for 3.6 and 3.7, still getting false positives.

Answer 4 · 2017-07-05T15:15:57.000Z

@etendards you can check the fix for 3.6 and 3.7 in my PR #35

Answer 5 · 2017-07-05T15:17:34.000Z

@lang7 i've create all log groups and metrics using aws cli, not cloudformation template

Answer 6 · 2017-07-10T23:15:01.000Z

Will look into this. The log group metrics/filters are mapped to the CIS benchmark, will verify against the CFn template.

Answer 7 · 2017-08-09T19:25:50.000Z

Seems like the py script is correct but the cfn template is deviating from the benchmark. Although the event rules might be an acceptable alternative to creating a metric/filter + alarm for certain use cases, it isn't really fulfilling the requirement as written. @lcymburajr can you PR our cfn template changes?

Answer 8 · 2017-08-21T06:14:03.000Z

I have fixed 3.2 pattern issue and updated cfn template with additional checks. Also put sam template as well there to create lambda functions and config event rule.

https://github.com/riponbanik/aws-cis-foundation-framework