fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
https://regula.dev/
Apache License 2.0

Beware: the CIS rules are not aligned to CIS #59

Closed chrisdlangton closed 3 years ago

chrisdlangton commented 4 years ago

Hello maintainers.

Please consider addressing CIS Benchmarks 1.3.0 correctly. You are writing about 1.22 from AWS Foundations in the README and the rule defined here: https://github.com/fugue/regula/blob/master/rules/aws/iam_admin_policy.rego

Seems you have not checked what the CIS 1.22 intent should be, because you are looking for "overly permissive" policy (which is great to have a rule for; it just is not CIS 1.22).

You can view this rule here: https://workbench.cisecurity.org/sections/43739/recommendations/939514

Here is a copy from the site if you have not registered for an account:

1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

Scoring Status: Manual
Applicable Profiles: Level 2

Description
In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.

Rationale Statement
Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.

Audit Procedure
For multi-account AWS environments with an external identity provider...

1. Determine the master account for identity federation or IAM user management
2. Log in to that account through the AWS Management Console
3. Click Services
4. Click IAM
5. Click Identity providers
6. Verify the configuration

Then..., determine all accounts that should not have local users present. For each account...

1. Determine all accounts that should not have local users present
2. Log into the AWS Management Console
3. Switch role into each identified account
4. Click Services
5. Click IAM
6. Click Users
7. Confirm that no IAM users representing individuals are present

For multi-account AWS environments implementing AWS Organizations without an external identity provider...

1. Determine all accounts that should not have local users present
2. Log into the AWS Management Console
3. Switch role into each identified account
4. Click Services
5. Click IAM
6. Click Users
7. Confirm that no IAM users representing individuals are present

Remediation Procedure
The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations, with the acceptance criteria that no non-service IAM users, and no non-root accounts, are present outside the account providing centralized IAM user management.

CIS Controls
Version 7
16.2: Configure Centralized Point of Authentication

As you can see, the intent is federation via an identity provider (like Okta, Auth0, AzureAD, JumpCloud, etc.), and I would suggest that AWS SSO or Cognito are also equally acceptable solutions to address this rule.

Happy to help you with any other CIS interpretations, but the rule basically speaks for itself. Do not hesitate to ask.

This overly permissive rule is actually CIS 1.16, which, strangely, you have here:

resource_type = "aws_ebs_volume"
controls = {"CIS_1-16"}

You can renumber 1.22 as 1.16 to correct the first issue.

EBS is storage, and CIS is broken into 5 categories, where Storage is category 2. So an EBS rule would start with a 2 (2.xx), not a 1.

Again, happy to help with CIS interpretations, but they are pretty straightforward; as far as security standards go, I'd say they are extremely simple and very well documented.
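The following is an added illustration, not Regula's own rule and not part of the thread, of how the admin-policy check discussed in the comment above could carry both benchmark numberings so the version is unambiguous. It assumes the resource_type/controls convention visible in the snippet quoted above, that the resource under evaluation is `input` with Terraform's `policy` JSON string, and an assumed label scheme `CIS-AWS_<version>_<control>` for the controls set.

```rego
package rules.iam_admin_policy_versioned

import future.keywords.if

# Added example, not Regula's own rule. It follows the resource_type /
# controls convention seen in the issue and names the same check under
# both benchmark numberings, so a reader sees which CIS version is meant.
resource_type := "aws_iam_policy"

controls := {"CIS-AWS_v1.2.0_1.22", "CIS-AWS_v1.3.0_1.16"}

# Assumption: the resource under evaluation is `input`, and its policy
# document is either a JSON string (Terraform's `policy` attribute) or an
# already-decoded object.
policy_doc := json.unmarshal(input.policy) if is_string(input.policy)

policy_doc := input.policy if is_object(input.policy)

# IAM accepts `Statement` as a single object or an array; normalise to an array.
statements := policy_doc.Statement if is_array(policy_doc.Statement)

statements := [policy_doc.Statement] if is_object(policy_doc.Statement)

# `Action` and `Resource` may each be a string or an array of strings.
has_wildcard(v) if v == "*"

has_wildcard(v) if {
	is_array(v)
	v[_] == "*"
}

# A statement grants full administrative privileges when it allows every
# action on every resource; this is the condition behind both control IDs.
admin_statement(stmt) if {
	stmt.Effect == "Allow"
	has_wildcard(stmt.Action)
	has_wildcard(stmt.Resource)
}

has_admin_statement if admin_statement(statements[_])

# The resource passes only when no statement grants *:* administrative access.
default allow := false

allow if not has_admin_statement
```

Deny statements and scoped wildcards such as `s3:*` are left alone on purpose; only `Allow` on every action and every resource trips the rule, which is the condition both control numbers describe.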

jaspervdj-luminal commented 4 years ago

@chrisdlangton Oh, this seems like a version issue. Regula is currently using v1.2.0 of the CIS Benchmarks, and the one you are referring to is v1.3.0, which came out very recently. It's very unfortunate and confusing that the numbering changed. I'll see if we can either add versioning, or move to the latest version.

curtis-fugue commented 3 years ago

As Jasper mentioned, Regula today includes CIS AWS 1.2 mappings. We're looking into adding the CIS AWS 1.3 mappings and will report back with an update there. Closing this issue.

chrisdlangton commented 3 years ago

Given 1.3.0 was versioned FINAL in 2018, you may be confusing a revision in mid-2020 with the release date.

But you don't need to worry about version 1.3.0 any more (nearly 3 years late) because version 1.4.0 has been released this year.