For certain resources, tags can be used to define suppression policies. For more information, see AWS Compliance Reports - Using Suppression.
The following table specifies which control numbers can and cannot be suppressed using tags.
| Control Number | Tags Allowed | Description |
|---|---|---|
| AWS_CIS_1_1 | No | Avoid the use of the "root" account |
| AWS_CIS_1_2 | No | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| AWS_CIS_1_3 | No | Ensure credentials unused for 90 days or greater are disabled |
| AWS_CIS_1_4 | No | Ensure access keys are rotated every 90 days or less |
| AWS_CIS_1_5 | No | Ensure IAM password policy requires at least one uppercase letter |
| AWS_CIS_1_6 | No | Ensure IAM password policy require at least one lowercase letter |
| AWS_CIS_1_7 | No | Ensure IAM password policy require at least one symbol |
| AWS_CIS_1_8 | No | Ensure IAM password policy require at least one number |
| AWS_CIS_1_9 | No | Ensure IAM password policy requires minimum length of 14 or greater |
| AWS_CIS_1_10 | No | Ensure IAM password policy prevents password reuse |
| AWS_CIS_1_11 | No | Ensure IAM password policy expires passwords within 90 days or less |
| AWS_CIS_1_12 | No | Ensure no root account access key exists |
| AWS_CIS_1_13 | No | Ensure MFA is enabled for the "root" account |
| AWS_CIS_1_14 | No | Ensure hardware MFA is enabled for the "root" account |
| AWS_CIS_1_15 | No | Ensure security questions are registered in the AWS account |
| AWS_CIS_1_16 | No | Ensure IAM policies are attached only to groups or roles |
| AWS_CIS_1_17 | No | Enable detailed billing |
| AWS_CIS_1_19 | No | Maintain current contact details |
| AWS_CIS_1_20 | No | Ensure security contact information is registered |
| AWS_CIS_1_21 | Yes | Ensure IAM instance roles are used for AWS resource access from instances |
| AWS_CIS_1_22 | No | Ensure a support role has been created to manage incidents with AWS Support |
| AWS_CIS_1_23 | No | Do not setup access keys during initial user setup for all IAM users that have a console password |
| AWS_CIS_1_24 | No | Ensure IAM policies that allow full "* |
| AWS_CIS_2_1 | No | Ensure CloudTrail is enabled in all regions |
| AWS_CIS_2_2 | No | Ensure CloudTrail log file validation is enabled |
| AWS_CIS_2_3 | Yes | Ensure S3 bucket CloudTrail logs is not publicly accessible |
| AWS_CIS_2_5 | No | Ensure AWS Config is enabled in all regions |
| AWS_CIS_2_6 | Yes | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
| AWS_CIS_2_7 | Yes | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| AWS_CIS_2_8 | Yes | Ensure rotation for customer created CMKs is enabled |
| AWS_CIS_3_2 | No | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
| AWS_CIS_3_3 | No | Ensure a log metric filter and alarm exist for usage of "root" account |
| AWS_CIS_3_4 | No | Ensure a log metric filter and alarm exist for IAM policy changes |
| AWS_CIS_3_5 | No | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
| AWS_CIS_3_6 | No | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
| AWS_CIS_3_7 | No | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
| AWS_CIS_3_8 | No | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
| AWS_CIS_3_9 | No | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
| AWS_CIS_3_10 | No | Ensure a log metric filter and alarm exist for security group changes |
| AWS_CIS_3_11 | No | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| AWS_CIS_3_12 | No | Ensure a log metric filter and alarm exist for changes to network gateways |
| AWS_CIS_3_13 | No | Ensure a log metric filter and alarm exist for route table changes |
| AWS_CIS_3_14 | No | Ensure a log metric filter and alarm exist for VPC changes |
| AWS_CIS_3_15 | No | Ensure appropriate subscribers to each SNS topic |
| AWS_CIS_4_1 | Yes | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
| AWS_CIS_4_2 | Yes | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
| AWS_CIS_4_4 | Yes | Ensure the default security group of every VPC restricts all traffic |
| AWS_CIS_4_5 | Yes | Ensure routing tables for VPC peering are "least access" |
| LW_S3_1 | Yes | All users cannot access objects in the S3 buckets |
| LW_S3_2 | Yes | All users cannot place objects in the S3 buckets |
| LW_S3_3 | Yes | All users cannot list S3 buckets or view the S3 Bucket access policies |
| LW_S3_4 | Yes | All users cannot modify the S3 bucket access policies |
| LW_S3_5 | Yes | All users do not have full access to the S3 buckets |
| LW_S3_6 | Yes | All authenticated AWS users cannot access objects in the S3 buckets |
| LW_S3_7 | Yes | All authenticated AWS users cannot place objects in the S3 buckets |
| LW_S3_8 | Yes | All authenticated AWS users cannot list S3 buckets or view the S3 bucket access policies |
| LW_S3_9 | Yes | All authenticated AWS users cannot modify the S3 bucket access policies |
| LW_S3_10 | Yes | All authenticated AWS users do not have full access to the S3 buckets |
| LW_S3_11 | Yes | S3 bucket policy does not provide permissions to everyone |
| LW_S3_12 | Yes | S3 bucket has MFA delete enabled |
| LW_S3_13 | Yes | All activity on S3 buckets can be audited |
| LW_S3_14 | Yes | All data in the S3 bucket is securely encrypted |
| LW_S3_15 | Yes | All data transported from the S3 bucket is done so Securely. There is no policy configured for the S3 bucket. |
| LW_S3_16 | Yes | S3 bucket has versioning enabled |
| LW_AWS_IAM_1 | No | Ensure access keys are rotated every 30 days or less |
| LW_AWS_IAM_2 | No | Ensure access keys are rotated every 45 days or less |
| LW_AWS_IAM_3 | No | Ensure public ssh keys are rotated every 30 days or less |
| LW_AWS_IAM_4 | No | Ensure public ssh keys are rotated every 45 days or less |
| LW_AWS_IAM_5 | No | Ensure public ssh keys are rotated every 90 days or less |
| LW_AWS_IAM_6 | No | Ensure active access keys are used every 90 days or less |
| LW_AWS_IAM_7 | No | iam user should not be inactive from last 30 days or more |
| LW_AWS_GENERAL_SECURITY_1 | Yes | Ensure all ec2 instances are tagged. |
| LW_AWS_NETWORKING_1 | Yes | Ensure SecurityGroups are assigned to all ec2 instances. |
| LW_AWS_NETWORKING_2 | Yes | Ensure Network ACLs donot have unrestricted inbound traffic. |
| LW_AWS_NETWORKING_3 | Yes | Ensure Network ACLs donot have unrestricted outbound traffic. |
| LW_AWS_NETWORKING_4 | No | Ensure AWS VPC Endpoints are not exposed |
| LW_AWS_SERVERLESS_1 | Yes | Lambda Function with Admin Privileges |
| LW_AWS_SERVERLESS_2 | Yes | Ensure Lambda functions do not have cross account access. |
| LW_AWS_SERVERLESS_3 | Yes | Ensure an IAM role is not attached to more than one lambda function. |
| LW_AWS_SERVERLESS_4 | Yes | Ensure lambda function has tracing enabled |