AWS alerts
AWS resources created by Sophos Cloud Optix can cause alerts for non-compliance with CIS rules.
This table shows the relevant Center for Internet Security (CIS) rules for AWS, which alerts they raise, and why the alerts happen. See CIS Benchmarks - Securing Amazon Web Services.
You can suppress the alert for a rule. In many cases you can change your AWS configuration to prevent the alert occuring.
To change your configuration, follow the instructions in the relevant Sophos Cloud Optix alert.
CIS rule AR-255
| Label | Description |
|---|---|
| Rule description | S3 bucket versioning isn't turned on. |
| Details | Turning on S3 versioning prevents accidental deletion of important data. |
| Affected AWS resources | sophos-optix-cloudtrail, sophos-optix-flowlogs. |
| Reason for non-compliance | The S3 we create doesn't store different versions of the same object. Keeping each version of an object adds extra charges. |
CIS rule AR-556
| Label | Description |
|---|---|
| Rule description | Ensure S3 bucket access logging is turned on for the CloudTrail S3 bucket. |
| Details | S3 access logs let you track access requests and identify potentially unauthorized or unwarranted access attempts. |
| Affected AWS resources | sophos-optix-cloudtrail. |
| Reason for non-compliance | Adds extra charges. |
CIS rule AR-1065
| Label | Description |
|---|---|
| Rule description | Ensure that object-level logging for write events is turned on for S3 buckets. |
| Details | S3 object-level API operations such as GetObject, DeleteObject, and PutObject are data events. By default, CloudTrail trails don't log data events so CIS recommends you turn on object-level logging for S3 buckets. |
| Affected AWS resources | sophos-optix-cloudtrail, sophos-optix-flowlogs |
| Reason for non-compliance | Adds extra charges. |
CIS rule AR-1066
| Label | Description |
|---|---|
| Rule description | Ensure that object-level logging for read events is turned on for S3 buckets. |
| Details | S3 object-level API operations such as GetObject, DeleteObject, and PutObject are data events. By default, AWS CloudTrail trails don't log data events, so we recommend that you turn on object-level logging for S3 buckets. |
| Affected AWS resources | sophos-optix-cloudtrail, sophos-optix-flowlogs. |
| Reason for non-compliance | Adds extra charges. |
CIS rule AR-557
| Label | Description |
|---|---|
| Rule description | Ensure CloudTrail logs are encrypted at rest using KMS CMKs. |
| Details | CloudTrail log files contain sensitive information about an account and should be encrypted for additional protection. |
| Affected AWS resources | sophos-optix-cloudtrail. |
| Reason for non-compliance | S3 buckets are already encrypted. Additional encryption adds extra charges. |
CIS rule AR-605
| Label | Description |
|---|---|
| Rule description | Ensure a log metric filter and alarm exist for CloudTrail configuration changes and all log metric alerts. |
| Details | Monitoring changes to CloudTrail's configuration shows activities performed in the AWS account. |
| Affected AWS resources | sophos-optix-cloudtrail |
| Reason for non-compliance | We export Cloud Trail logs using S3 instead of CloudWatch in V2, to save costs. |
CIS rule AR-1036
| Label | Description |
|---|---|
| Rule description | Ensure Cloudwatch encryption is turned on for all relevant log groups. |
| Details | Encryption further protects log data by ensuring it's stored encrypted. This is useful if the logs contain sensitive data. |
| Affected AWS resources | Sophos-Optix-cloudtrail-fn, Sophos-Optix-flowlogs-fn. |
| Reason for non-compliance | Log groups created by Lambda executions don't contain sensitive information. Adding encryption adds extra charges. |
CIS rule AR-554
| Label | Description |
|---|---|
| Rule description | Ensure CloudTrail trails are integrated with CloudWatch Logs. |
| Details | Sending CloudTrail logs to CloudWatch Logs gives real-time and historic activity logging based on user, API, resource, and IP address, and allows alarms and notifications for anomalous or sensitive account activity to be raised. |
| Affected AWS resources | sophos-optix-cloudtrail. |
| Reason for non-compliance | CloudWatch adds extra charges. |
CIS rule AR-253
| Label | Description |
|---|---|
| Rule description | Ensure encryption is turned on for S3 buckets. |
| Details | AWS provides encryption for S3 buckets which should be turned on to ensure the integrity and confidentiality of data stored within the cluster. This is especially useful if the clusters store sensitive data like personally identifiable information, for example credit card details and medical records. |
| Affected AWS resources | sophos-optix-flowlogs. |
| Reason for non-compliance | Flowlogs aren't generated. |