Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services. Maps to Security Standards:

• NIST Cyber Security Framework (CSF): ID.RA-1
• NIST 800-53: SC-7

Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services. Maps to Security Standards:

• Center for Internet Security (CIS): Logging 2.1
• NIST Cyber Security Framework (CSF): ID.AM-1
• NIST 800-53: AU-12
• CSA Cloud Controls Matrix (CCM): AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, IVS-03

The root account is the most privileged user in a cloud account. API Keys provide programmatic access to a given cloud account. It is recommended that all API keys associated with the root account be removed. Maps to Security Standards:

• Center for Internet Security (CIS): Identity & Access Management 1.12
• NIST 800.53: AC-6

The root account is the most privileged user in a cloud account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to the cloud account, (s)he will be prompted for username and password as well as for an authentication code from an AWS MFA device. Note: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual personal devices. (“non-personal virtual MFA”) This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company Maps to Security Standards:

• Center for Internet Security (CIS): Identity & Access Management 1.13
• NIST Cyber Security Framework (CSF): DE.CM-3
• NIST 800-53: PM-11

Network Traffic Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your network. Network Traffic Logs provide visibility into network traffic that traverses the network and can be used to detect anomalous traffic or insight during security workflows. Maps to Security Standards:

• Center for Internet Security (CIS): Networking 4.3
• NIST Cyber Security Framework (CSF): PR.PT-4
• NIST 800-53: AU-12

API Accounting Config logs a record of every API call made in your cloud account. These logs file are stored in storage containers. It is recommended that the security policy or access control list (ACL) applied to the storage container that stores the logs prevent public access to the logs. Maps to Security Standards:

• Center for Internet Security (CIS): Logging 2.3
• NIST Cyber Security Framework (CSF): PR.PT-4
• NIST 800-53: AU-9
• CSA Cloud Controls Matrix (CCM): IVS-01

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:

• Center for Internet Security (CIS): Networking 4.1
• NIST Cyber Security Framework (CSF): ID.RA-1
• NIST 800-53: AC-17
• CSA Cloud Controls Matrix (CCM): GRM-01

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 3389. Maps to Security Standards:

• Center for Internet Security (CIS): Networking 4.2
• NIST Cyber Security Framework (CSF): ID.RA-1
• NIST 800-53: AC-17
• CSA Cloud Controls Matrix (CCM): GRM-01

Security groups provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:

• Center for Internet Security (CIS): Networking 4.1
• NIST Cyber Security Framework (CSF): ID.RA-1
• NIST 800-53: CM-7

Cloud key management services allow customers to rotate the backing key, which is used to perform cryptographic operations such as encryption and decryption. Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. It is recommended that key rotation is enabled. Maps to Security Standards:

• Center for Internet Security (CIS): Logging 2.8
• CSA Cloud Controls Matrix (CCM): AIS-04, BCR-11, DSI-01, DSI-03, DSI-06, DSI-07, EKM-01, EKM-02, EKM-03, EKM-04, IAM-02