Repository: [centriascolocation/inspec-aws-baseline](https://github.com/centriascolocation/inspec-aws-baseline) (GitHub)
Description: InSpec AWS Baseline Profile
Language: Ruby | License: Apache-2.0 | Topics: aws, baseline, bestpractice, inspec, security
Default branch: master | Stars: 12 | Forks: 5 | Open issues: 3 | Tags: 4 | Created: 2018-12-12 | Last push: 2021-05-18
Source archive: https://codeload.github.com/centriascolocation/inspec-aws-baseline/tar.gz/refs/heads/master
Listed at: https://awesome.ecosyste.ms/projects/github.com%2Fcentriascolocation%2Finspec-aws-baseline

**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*

- [InSpec AWS Baseline Profile](#inspec-aws-baseline-profile)
  - [Usage](#usage)
    - [IAM Permissions](#iam-permissions)
    - [Profile Execution - variant A](#profile-execution---variant-a)
    - [Profile Execution - variant B](#profile-execution---variant-b)
    - [Re-Vendor Dependencies](#re-vendor-dependencies)
  - [AWS Organizations](#aws-organizations)
  - [Local execution of tests with Docker](#local-execution-of-tests-with-docker)
  - [Further Information](#further-information)
    - [The Importance of Compliance Results](#the-importance-of-compliance-results)

# InSpec AWS Baseline Profile

![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/centriascolocation/inspec-aws-baseline)

This profile covers some parts of the "CIS Amazon Web Services Foundations Benchmark (v1.2.0)".

Batteries included:

  * IAM
    * MFA is enabled for the root account :white_check_mark:
    * Password policy :white_check_mark:
    * Access key expiration (rotation age) for all users :white_check_mark:
  * Logging
    * AWS Config is active :white_check_mark:
    * CloudTrail is enabled :white_check_mark:
  * Networking
    * No security group allows ingress from anywhere (0.0.0.0/0) to SSH (22/tcp) :white_check_mark:
    * No security group allows ingress from anywhere (0.0.0.0/0) to Remote Desktop (3389/tcp) :white_check_mark:
  * Additional best practices not covered by the CIS Benchmark:
    * No S3 bucket is public, and all buckets are encrypted (checked per region) :white_check_mark:
    * AWS Organizations membership (opt-in, see below) :white_check_mark:
    * All EBS volumes are encrypted (checked per region) :white_check_mark:
    * ECR: images are scanned for vulnerabilities on push to a repository :white_check_mark:

## Usage

Make sure you have InSpec version >= 4 installed, e.g. with `bundle install` (see [Gemfile](Gemfile) for details).

**We recommend using [aws-vault](https://github.com/99designs/aws-vault)**, which keeps the auditor's credentials in the OS keychain instead of plain-text config files or shell environment.

### IAM Permissions

Make sure your auditor IAM user (or the role you assume) has the following AWS managed policy attached:

`arn:aws:iam::aws:policy/SecurityAudit`

Higher-privileged read policies such as `arn:aws:iam::aws:policy/ReadOnlyAccess` also work, but `SecurityAudit` is the least-privilege choice: `ReadOnlyAccess` additionally grants read access to data (for example `s3:Get*` on object contents), which an auditor does not need.

### Profile Execution - variant A

You can run this InSpec profile straight from GitHub:

```
  ## the "-n" instructs aws-vault not to use AWS STS session tokens:
  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
    -t aws:// --show-progress \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz
```

Note that this executes whatever is currently on `master` with your audit credentials. For anything beyond a one-off check, pin to a release tag (`https://github.com/centriascolocation/inspec-aws-baseline/archive/refs/tags/<TAG>.tar.gz`) or clone and vendor the profile (see below), so the code you run is reviewed and reproducible.

### Profile Execution - variant B

Call InSpec with an AWS region and your locally configured named profile:

```
  inspec exec -t aws://eu-central-1/my-named-profile --show-progress \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz
```

### Re-Vendor Dependencies

Re-vendor the profile's dependencies declared in `inspec.yml` into the local `vendor` directory (this also rewrites `inspec.lock`):

```
  inspec vendor --overwrite .
```

## AWS Organizations

You can also check whether a given account is part of AWS Organizations (as the master/management account or as a member). This feature is disabled by default.
You can enable it by providing variables through an [InSpec Input File](https://www.inspec.io/docs/reference/inputs/).

[See example configurations here](enable-aws-organizations-checks.yml).

```
  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- inspec exec \
    https://github.com/centriascolocation/inspec-aws-baseline/archive/master.tar.gz \
    -t aws:// --show-progress \
    --input-file enable-aws-organizations-checks.yml
```

## Local execution of tests with Docker

```
  git clone https://github.com/centriascolocation/inspec-aws-baseline.git

  make build-docker-images
  aws-vault exec -n <YOURNAMEDPROFILEHERE> -- make test
```

## Further Information

### The Importance of Compliance Results

Each control carries an InSpec `impact` value. The scale follows [CVSS 3.0](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) severity ratings, mapped onto 0.0 to 1.0:

| numeric value | impact, importance |
| ------------- | ------------------ |
| 0.0 to <0.01  | `none` - they only provide information |
| 0.01 to <0.4  | `low` |
| 0.4 to <0.7   | `medium` |
| 0.7 to <0.9   | `high` |
| 0.9 to 1.0    | `critical` |
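The networking checks listed under "Batteries included" (no security group allows ingress from 0.0.0.0/0 to SSH or RDP) are easy to get subtly wrong: an "open" rule can hide in a wide port range, in an all-protocols rule, or behind an IPv6 `::/0` instead of `0.0.0.0/0`. The following is an added example, not code from this profile, of that check written in plain Ruby over a constructed sample shaped like EC2 `DescribeSecurityGroups` output, so it runs offline without AWS credentials or an InSpec resource pack. The group IDs, rules and helper names are made up for illustration.

```ruby
# Added example (not part of inspec-aws-baseline): flag security-group rules
# that expose SSH/RDP to the whole internet. Plain Ruby; no AWS calls.
require 'ipaddr'

ADMIN_PORTS = { 22 => 'SSH', 3389 => 'RDP' }.freeze

# Constructed sample in the shape of EC2 DescribeSecurityGroups output
# (relevant keys only, snake_cased the way the AWS SDK for Ruby returns them).
SAMPLE_GROUPS = [
  { group_id: 'sg-0aaa', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 22, to_port: 22,          # SSH from a private range: fine
      ip_ranges: [{ cidr_ip: '10.0.0.0/8' }], ipv6_ranges: [] }] },
  { group_id: 'sg-0bbb', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 22, to_port: 22,          # SSH from anywhere (IPv4)
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }], ipv6_ranges: [] }] },
  { group_id: 'sg-0ccc', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 3000, to_port: 4000,      # range silently covers RDP, IPv6 world
      ip_ranges: [], ipv6_ranges: [{ cidr_ipv6: '::/0' }] }] },
  { group_id: 'sg-0ddd', ip_permissions: [
    { ip_protocol: '-1', from_port: nil, to_port: nil,          # "all traffic": AWS omits the ports
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }], ipv6_ranges: [] }] },
  { group_id: 'sg-0eee', ip_permissions: [
    { ip_protocol: 'udp', from_port: 22, to_port: 22,          # 22/udp is not SSH; must not be flagged
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }], ipv6_ranges: [] }] }
].freeze

# "Anywhere" is the unrestricted CIDR of either address family, i.e. a /0.
def world_open?(cidr)
  IPAddr.new(cidr).prefix.zero?
end

# A rule reaches a TCP admin port when its protocol is tcp or "-1" (all) and
# its port range includes the port. For "-1" AWS sends no ports, meaning all.
def permission_covers_port?(perm, port)
  return false unless %w[tcp -1].include?(perm[:ip_protocol].to_s)
  from = perm[:from_port] || 0
  to   = perm[:to_port]   || 65_535
  (from..to).cover?(port)
end

# Returns one finding per (group, admin port, world-open CIDR) triple.
def world_open_admin_ports(groups)
  groups.flat_map do |sg|
    sg[:ip_permissions].flat_map do |perm|
      cidrs = perm[:ip_ranges].map { |r| r[:cidr_ip] } +
              perm[:ipv6_ranges].map { |r| r[:cidr_ipv6] }
      ADMIN_PORTS.flat_map do |port, service|
        next [] unless permission_covers_port?(perm, port)
        cidrs.select { |c| world_open?(c) }.map do |c|
          { group_id: sg[:group_id], port: port, service: service, cidr: c }
        end
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  world_open_admin_ports(SAMPLE_GROUPS).each do |f|
    puts "#{f[:group_id]}: #{f[:service]} (#{f[:port]}/tcp) open to #{f[:cidr]}"
  end
end
```

Run against the sample this reports four exposures: `sg-0bbb` (22 from 0.0.0.0/0), `sg-0ccc` (the 3000-4000 range over `::/0` covers 3389) and `sg-0ddd` twice (the all-traffic rule covers both ports), while the private-range rule and the 22/udp rule are left alone. In the profile the same predicate would run inside an InSpec control over the `aws_security_group` resources for each region; the predicate, not the plumbing, is what decides whether a port-range or all-traffic rule gets caught.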