cis-aws-compute-11.1
This skill audits AWS ECS clusters to verify that Fargate ephemeral storage is encrypted with customer-managed KMS keys rather than the AWS owned keys used by default. Use it when implementing security controls to ensure sensitive data processed by containerized tasks stays encrypted under organizational key management, meeting compliance requirements for enhanced data protection and audit trail capabilities.
Install the skill (clones the CyberStrike repository and copies this skill into the Claude skills directory):

```bash
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-11.1 && cp -r /tmp/cis-aws-compute-11.1/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-11.1 ~/.claude/skills/cis-aws-compute-11.1
```

SKILL.md
# 11.1 Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS (Automated)

## Description

Use customer-managed AWS KMS keys to encrypt AWS Fargate ephemeral storage data on Amazon ECS, ensuring that sensitive data remains protected during task execution.

## Rationale

Customer-managed KMS keys offer enhanced control over encryption, including rotation schedules, key policies that scope which principals and clusters may use the key, the ability to disable or revoke the key, and CloudTrail records of each key use.

## Impact

There are costs and configuration overhead associated with setting up and managing customer-managed keys.

## Audit Procedure

### Using AWS Console

1. Login to the ECS console using https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Clusters`.
3. Click the name of a cluster.
4. Ensure that `Fargate ephemeral storage` is not set to `-` (`-` means no customer-managed key is configured and the AWS owned default key is in use).
5. Repeat steps 1-4 for each ECS cluster.

### Using AWS CLI

Run the following command to list clusters:

```bash
aws ecs list-clusters
```

Run the following command to view the Fargate ephemeral storage KMS key ID configured for a cluster:

```bash
aws ecs describe-clusters --clusters <cluster-arn> --include CONFIGURATIONS --query 'clusters[*].configuration.managedStorageConfiguration.fargateEphemeralStorageKmsKeyId'
```

Ensure the command returns a customer-managed KMS key ARN. An empty result means the cluster is using the AWS owned default key. Repeat for each cluster.

## Expected Result

Each ECS cluster returns a valid customer-managed KMS key ARN for the Fargate ephemeral storage configuration, rather than `-` or empty.

## Remediation

### Using AWS Console

1. Login to the ECS console using https://console.aws.amazon.com/ecs/.
2. In the left panel, click `Clusters`.
3. Click the name of a cluster.
4. Click `Update cluster`.
5. Expand the `Encryption` section.
6. Under `Fargate ephemeral storage`, select a customer-managed KMS key. Note: Ensure the KMS key policy grants the Fargate service the permissions described in reference 2; without them, tasks on the cluster will fail to launch.
7. Click `Update`.
8. Repeat steps 1-7 for each ECS cluster requiring remediation.
### Using AWS CLI

N/A - the benchmark gives console-only remediation steps for this control.

## Default Value

AWS Fargate ephemeral storage data is encrypted by default using AWS owned keys; no customer-managed key is configured unless one is set on the cluster.

## References

1. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-storage-encryption.html
2. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-create-storage-key.html
3. https://awscli.amazonaws.com/v2/documentation/api/2.0.33/reference/ecs/list-clusters.html
4. https://awscli.amazonaws.com/v2/documentation/api/2.0.33/reference/ecs/describe-clusters.html

## CIS Controls

| Controls Version | Control                                    | IG 1 | IG 2 | IG 3 |
| ---------------- | ------------------------------------------ | ---- | ---- | ---- |
| v8               | 3.11 Encrypt Sensitive Data at Rest        |      | X    | X    |
| v7               | 14.8 Encrypt Sensitive Information at Rest |      |      | X    |

## Profile

Level 2 | Automated
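The audit loop from the Audit Procedure and the key change from the Remediation section, as an added Python example that is not part of the CIS benchmark text or the CyberStrike skill. It assumes `boto3` only for the optional `--live` mode; the offline run evaluates a constructed sample of `describe-clusters` output with placeholder account and key IDs. It reads the same `fargateEphemeralStorageKmsKeyId` field the CLI query above reads, and performs the remediation through the ECS `UpdateCluster` API, which accepts the same `managedStorageConfiguration` setting the console exposes.

```python
"""CIS AWS Compute 11.1 audit helper: Fargate ephemeral storage key check.

Added example, not part of the CIS benchmark text or the CyberStrike skill.
Offline it evaluates a constructed describe-clusters response; with --live it
walks every cluster in the configured region via boto3 (credentials required).
"""
import re
import sys

# A full KMS key ARN. ECS also accepts a bare key ID or an alias, which this
# check flags for manual confirmation rather than guessing whether the key is
# customer managed.
KMS_KEY_ARN = re.compile(
    r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

# Constructed sample shaped like `aws ecs describe-clusters --include CONFIGURATIONS`.
# Account ID and key ID are placeholders, not real resources.
SAMPLE_CLUSTERS = [
    {   # compliant: customer-managed key ARN configured
        "clusterName": "prod-api",
        "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/prod-api",
        "configuration": {"managedStorageConfiguration": {
            "fargateEphemeralStorageKmsKeyId":
                "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}},
    },
    {   # non-compliant: configuration present but no Fargate storage key (console shows "-")
        "clusterName": "staging",
        "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/staging",
        "configuration": {"executeCommandConfiguration": {"logging": "DEFAULT"}},
    },
    {   # non-compliant: cluster has no configuration block at all
        "clusterName": "legacy",
        "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/legacy",
    },
    {   # key given as an alias: cannot tell from the cluster alone, review manually
        "clusterName": "batch",
        "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/batch",
        "configuration": {"managedStorageConfiguration": {
            "fargateEphemeralStorageKmsKeyId": "alias/fargate-ephemeral"}},
    },
]


def fargate_kms_key(cluster):
    """Return the configured fargateEphemeralStorageKmsKeyId, or None when absent
    (absent means the AWS owned default key is in use)."""
    cfg = cluster.get("configuration") or {}
    storage = cfg.get("managedStorageConfiguration") or {}
    return storage.get("fargateEphemeralStorageKmsKeyId") or None


def evaluate_cluster(cluster):
    """Classify one describe-clusters entry as PASS, FAIL or MANUAL with a reason."""
    name = cluster.get("clusterName") or cluster.get("clusterArn", "<unknown>")
    key = fargate_kms_key(cluster)
    if key is None:
        return "FAIL", f"{name}: no Fargate ephemeral storage key (AWS owned default key)"
    if "alias/aws/" in key:
        # AWS managed keys live under alias/aws/<service>; they are not customer managed.
        return "FAIL", f"{name}: AWS managed key {key}"
    if KMS_KEY_ARN.match(key):
        return "PASS", f"{name}: customer-managed key {key}"
    return "MANUAL", f"{name}: key reference {key} is not a key ARN; confirm it is customer managed"


def audit_clusters(clusters):
    """Evaluate every cluster; returns a list of (status, detail) in input order."""
    return [evaluate_cluster(c) for c in clusters]


def audit_live(region_name=None):
    """Live audit: list all clusters, describe them 100 at a time (API limit), evaluate."""
    import boto3  # imported here so the offline sample run has no AWS dependency
    ecs = boto3.client("ecs", region_name=region_name)
    arns = [arn for page in ecs.get_paginator("list_clusters").paginate()
            for arn in page["clusterArns"]]
    clusters = []
    for i in range(0, len(arns), 100):
        resp = ecs.describe_clusters(clusters=arns[i:i + 100], include=["CONFIGURATIONS"])
        clusters.extend(resp["clusters"])
    return audit_clusters(clusters)


def remediate(ecs, cluster_name, key_arn):
    """Set the customer-managed key with UpdateCluster (the benchmark lists console
    steps only; the API accepts the same setting). The key policy must already allow
    the fargate.amazonaws.com service principal, or task launches will fail. Running
    tasks keep the key they were launched with; only new tasks use the new key."""
    return ecs.update_cluster(
        cluster=cluster_name,
        configuration={"managedStorageConfiguration": {
            "fargateEphemeralStorageKmsKeyId": key_arn}},
    )


def main(argv):
    results = audit_live() if "--live" in argv else audit_clusters(SAMPLE_CLUSTERS)
    for status, detail in results:
        print(f"[{status}] {detail}")
    # Non-zero exit when any cluster is not confirmed compliant, for use in CI.
    return 0 if all(status == "PASS" for status, _ in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see how the sample clusters are classified; `--live` audits the current account and region with the default credential chain. Before calling `remediate` on a real cluster, create or update the key policy as described in reference 2 so that `fargate.amazonaws.com` can generate data keys and create grants scoped to that cluster; the cluster update itself succeeds without that policy, and the failure only shows up when tasks launch.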