Please see the answer to your questions below:
Q1. For customers with central logging, they can disable the CIS 3.x checks in all child accounts that are pushing logs to a central account and only have these checks in the central logging account. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html
CIS 2.1 and FSBP [CloudTrail.1] – Check if CloudTrail is enabled in all regions and if a multi-region CloudTrail exists, respectively. As a best practice, customers should have an org trail (which is enabled on all accounts in the organization by default). If the customer is not using an org trail, i.e., they have central logging configured which involves manually adding accounts to the central trail, then they will need a way to audit accounts that are not forwarding to the central trail using a custom rule.
Q2. For CIS 3.x, this is only checking if the filters/alarms are in place. As far as I know, if the customer wants details on the activity that triggered the alarm, they will need to use CWE custom findings and transforms. I hope this helps!
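
The following is an added example, not part of the answer above or any AWS-provided rule: one way to write the evaluation logic for the custom audit of accounts that are not forwarding to the central trail. It assumes each account's trails are supplied as dicts shaped like CloudTrail `DescribeTrails` entries with `IsLogging` merged in from `GetTrailStatus` by the caller; the bucket name, the multi-region requirement and all sample values are constructed assumptions.

```python
"""Added example: evaluation logic for a custom "forwards to central trail" audit.
Input mirrors CloudTrail DescribeTrails entries; IsLogging is assumed to be
merged in by the caller from GetTrailStatus. All sample values are constructed."""

CENTRAL_BUCKET = "example-central-cloudtrail-logs"  # hypothetical bucket name


def evaluate_account(trails, central_bucket=CENTRAL_BUCKET):
    """Return (status, reason) for one account's list of trail dicts."""
    to_central = [t for t in trails if t.get("S3BucketName") == central_bucket]
    if not to_central:
        return "NON_COMPLIANT", "no trail delivers to the central bucket"
    logging = [t for t in to_central if t.get("IsLogging")]
    if not logging:
        # A trail that exists but was stopped leaves a silent gap in central logs.
        return "NON_COMPLIANT", "central trail exists but logging is stopped"
    if not any(t.get("IsMultiRegionTrail") for t in logging):
        # Assumption: the central trail is expected to cover all regions.
        return "NON_COMPLIANT", "central trail is not multi-region"
    return "COMPLIANT", "multi-region trail is logging to the central bucket"


def audit(trails_by_account, central_bucket=CENTRAL_BUCKET):
    """Map account id -> (status, reason) for every account given."""
    return {acct: evaluate_account(trails, central_bucket)
            for acct, trails in sorted(trails_by_account.items())}


# Constructed sample: four member accounts in different states.
SAMPLE = {
    "111111111111": [{"Name": "central", "S3BucketName": CENTRAL_BUCKET,
                      "IsMultiRegionTrail": True, "IsLogging": True}],
    "222222222222": [{"Name": "local", "S3BucketName": "example-local-logs",
                      "IsMultiRegionTrail": True, "IsLogging": True}],
    "333333333333": [{"Name": "central", "S3BucketName": CENTRAL_BUCKET,
                      "IsMultiRegionTrail": True, "IsLogging": False}],
    "444444444444": [],
}

if __name__ == "__main__":
    for acct, (status, reason) in audit(SAMPLE).items():
        print(acct, status, reason)
```

The account list passed to `audit` should come from the organization's full member list, so that an account with no trail at all shows up as non-compliant instead of being absent from the result.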