cis-aws-compute-8.1
This control verifies that AWS Batch is configured to send job logs to CloudWatch Logs through the Batch console permissions settings. Use this manual audit procedure when establishing logging compliance for AWS Batch workloads to ensure job activity is centrally collected and monitored in CloudWatch for security and operational visibility.
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-8.1 && cp -r /tmp/cis-aws-compute-8.1/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-8.1 ~/.claude/skills/cis-aws-compute-8.1
SKILL.md
# 8.1 Ensure AWS Batch is configured with AWS CloudWatch Logs (Manual)

## Description

You can configure Batch jobs to send log information to CloudWatch Logs.

## Rationale

This enables you to view different logs from all your jobs in one convenient location.

## Impact

N/A

## Audit Procedure

### Using AWS Console

1. Log in to the AWS Console using https://console.aws.amazon.com/batch/
2. On the left-hand side under `Console settings`, click on `Permissions`
3. Under `Job logs` section
4. Confirm that `Authorize Batch to use Cloudwatch` is set with a green check.
5. If it is showing a red X, refer to the remediation below.

### Using AWS CLI

N/A - This control is manual and console-based.

## Expected Result

`Authorize Batch to use Cloudwatch` is enabled (green check) in the Batch Console settings under Permissions > Job logs.

## Remediation

### Using AWS Console

1. Log in to the AWS Console using https://console.aws.amazon.com/batch/.
2. In the left column under Console settings, click on `Permissions`
3. In the Job logs section, click on `Edit`
4. Click the `Authorize Batch to use CloudWatch`
5. Click Save

### Using AWS CLI

N/A - This control is manual and console-based.

## Default Value

AWS Batch is not configured with CloudWatch Logs by default.

## References

- https://docs.aws.amazon.com/batch/latest/userguide/

## CIS Controls

| Controls Version | Control                    | IG 1 | IG 2 | IG 3 |
| ---------------- | -------------------------- | ---- | ---- | ---- |
| v8               | 8.2 Collect Audit Logs     | X    | X    | X    |
| v7               | 6.2 Activate audit logging | X    | X    | X    |

## Profile

Level 1 | Manual
Ensure Managed Platform updates is configured
Ensure Persistent logs is setup and configured to S3
Ensure access logs are enabled
Ensure that HTTPS is enabled on load balancer
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
Ensure AWS Config is Enabled for Lambda and Serverless
Ensure Lambda functions do not allow unknown cross account access via permission policies
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates