diff --git a/README.md b/README.md
index 44b99a07..7532458a 100644
--- a/README.md
+++ b/README.md
@@ -223,72 +223,72 @@ third_party_api_monitoring_tool: ""
## Benchmark Status
-| **Status** | **Reviewed** | **Recommendation** | **Uses Input** |
-| ---------- | ------------ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Done | Yes | 1.1 | primary_contact |
-| Done | Yes | 1.2 | security_contact |
-| Manual | Yes | 1.3 | None |
-| Done | Yes | 1.4 | disable_slow_controls |
-| Done | Yes | 1.5 | disable_slow_controls |
-| Done | Yes | 1.6 | disable_slow_controls |
-| Done | Yes | 1.7 | disable_slow_controls
last_root_login_date
|
-| Done | Yes | 1.8 | None |
-| Done | Yes | 1.9 | None |
-| Done | Yes | 1.10 | service_account_mfa_exceptions |
-| Done | Yes | 1.11 | None |
-| Done | Yes | 1.12 | disable_slow_controls |
-| Done | Yes | 1.13 | None |
-| Done | Yes | 1.14 | disable_slow_controls |
-| Done | Yes | 1.15 | None |
-| Done | Yes | 1.16 | None |
-| Done | Yes | 1.17 | None |
-| Done | Yes | 1.18 | None |
-| Done | Yes | 1.19 | None |
-| Done | Yes | 1.20 | exempt_regions |
-| Manual | Yes | 1.21 | None |
-| Done | Yes | 1.22 | None |
-| Done | Yes | 2.1.1 | exempt_buckets
single_bucket |
-| Done | Yes | 2.1.2 | exempt_buckets
single_bucket |
-| Manual | Yes | 2.1.3 | third_party_management_tool |
-| Done | Yes | 2.1.4 | exempt_buckets |
-| Done | Yes | 2.2.1 | None |
-| Done | Yes | 2.3.1 | exempt_rds
single_rds |
-| Done | Yes | 2.3.2 | exempt_rds
single_rds |
-| Done | Yes | 2.3.3 | exempt_rds
single_rds |
-| Done | Yes | 2.4.1 | exempt_efs
single_efs |
-| Done | Yes | 3.1 | None |
-| Done | Yes | 3.2 | None |
-| Done | Yes | 3.3 | None |
-| Done | Yes | 3.4 | None |
-| Done | Yes | 3.5 | config_delivery_channels |
-| Done | Yes | 3.6 | exempt_buckets |
-| Done | Yes | 3.7 | None |
-| Done | Yes | 3.8 | exempt_kms_keys |
-| Done | Yes | 3.9 | None |
-| Done | Yes | 3.10 | single_trail |
-| Done | Yes | 3.11 | single_trail |
-| Done | Yes | 4.1 | None |
-| Done | Yes | 4.2 | None |
-| Done | Yes | 4.3 | None |
-| Done | Yes | 4.4 | None |
-| Done | Yes | 4.5 | None |
-| Done | Yes | 4.6 | None |
-| Done | Yes | 4.7 | None |
-| Done | Yes | 4.8 | None |
-| Done | Yes | 4.9 | None |
-| Done | Yes | 4.10 | None |
-| Done | Yes | 4.11 | None |
-| Done | Yes | 4.12 | None |
-| Done | Yes | 4.13 | None |
-| Done | Yes | 4.14 | third_party_api_monitoring_tool |
-| Done | Yes | 4.15 | third_party_api_monitoring_tool |
-| Done | Yes | 4.16 | exempt_regions |
-| No | Yes | 5.1 | disable_slow_controls
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_acl_ids |
-| Done | Yes | 5.2 | disable_slow_controls
default_aws_region
ignore_other_regions
exempt_regions
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_security_groups
exempt_sg_patterns |
-| Done | Yes | 5.3 | disable_slow_controls
default_aws_region
ignore_other_regions
exempt_regions
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_security_groups
exempt_sg_patterns |
-| Done | Yes | 5.4 | exempt_vpcs |
-| Done | Yes | 5.5 | exempt_routes |
-| Done | Yes | 5.6 | skip_stopped_ec2
exempt_ec2s |
+| **Status** | **Reviewed** | **Recommendation** | **Uses Input** |
+| ---------- | ------------ | ------------------ | ------------------------------------------------- |
+| Done | Yes | 1.1 | primary_contact |
+| Done | Yes | 1.2 | security_contact |
+| Manual | Yes | 1.3 | None |
+| Done | Yes | 1.4 | disable_slow_controls |
+| Done | Yes | 1.5 | disable_slow_controls |
+| Done | Yes | 1.6 | disable_slow_controls |
+| Done | Yes | 1.7 | disable_slow_controls
last_root_login_date
|
+| Done | Yes | 1.8 | None |
+| Done | Yes | 1.9 | None |
+| Done | Yes | 1.10 | service_account_mfa_exceptions |
+| Done | Yes | 1.11 | None |
+| Done | Yes | 1.12 | disable_slow_controls |
+| Done | Yes | 1.13 | None |
+| Done | Yes | 1.14 | disable_slow_controls |
+| Done | Yes | 1.15 | None |
+| Done | Yes | 1.16 | None |
+| Done | Yes | 1.17 | None |
+| Done | Yes | 1.18 | None |
+| Done | Yes | 1.19 | None |
+| Done | Yes | 1.20 | exempt_regions |
+| Manual | Yes | 1.21 | None |
+| Done | Yes | 1.22 | None |
+| Done | Yes | 2.1.1 | exempt_buckets
single_bucket |
+| Done | Yes | 2.1.2 | exempt_buckets
single_bucket |
+| Done | No | 2.1.3 | third_party_management_tool
exempt_buckets |
+| Done | Yes | 2.1.4 | exempt_buckets |
+| Done | Yes | 2.2.1 | None |
+| Done | Yes | 2.3.1 | exempt_rds
single_rds |
+| Done | Yes | 2.3.2 | exempt_rds
single_rds |
+| Done | Yes | 2.3.3 | exempt_rds
single_rds |
+| Done | Yes | 2.4.1 | exempt_efs
single_efs |
+| Done | Yes | 3.1 | None |
+| Done | Yes | 3.2 | None |
+| Done | Yes | 3.3 | None |
+| Done | Yes | 3.4 | None |
+| Done | Yes | 3.5 | config_delivery_channels |
+| Done | Yes | 3.6 | exempt_buckets |
+| Done | Yes | 3.7 | None |
+| Done | Yes | 3.8 | exempt_kms_keys |
+| Done | Yes | 3.9 | None |
+| Done | Yes | 3.10 | single_trail |
+| Done | Yes | 3.11 | single_trail |
+| Done | Yes | 4.1 | None |
+| Done | Yes | 4.2 | None |
+| Done | Yes | 4.3 | None |
+| Done | Yes | 4.4 | None |
+| Done | Yes | 4.5 | None |
+| Done | Yes | 4.6 | None |
+| Done | Yes | 4.7 | None |
+| Done | Yes | 4.8 | None |
+| Done | Yes | 4.9 | None |
+| Done | Yes | 4.10 | None |
+| Done | Yes | 4.11 | None |
+| Done | Yes | 4.12 | None |
+| Done | Yes | 4.13 | None |
+| Done | Yes | 4.14 | third_party_api_monitoring_tool |
+| Done | Yes | 4.15 | third_party_api_monitoring_tool |
+| Done | Yes | 4.16 | exempt_regions |
+| No | Yes | 5.1 | disable_slow_controls
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_acl_ids|
+| Done | Yes | 5.2 | disable_slow_controls
default_aws_region
ignore_other_regions
exempt_regions
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_security_groups
exempt_sg_patterns|
+| Done | Yes | 5.3 |disable_slow_controls
default_aws_region
ignore_other_regions
exempt_regions
remote_management_port_ranges
exempt_ports
exempt_protocols
remote_management_protocols
exempt_security_groups
exempt_sg_patterns|
+| Done | Yes | 5.4 | exempt_vpcs |
+| Done | Yes | 5.5 | exempt_routes |
+| Done | Yes | 5.6 | skip_stopped_ec2
exempt_ec2s |
## Manual Checks
diff --git a/controls/aws-foundations-cis-2.1.3.rb b/controls/aws-foundations-cis-2.1.3.rb
index f62e7356..1d1bc62c 100644
--- a/controls/aws-foundations-cis-2.1.3.rb
+++ b/controls/aws-foundations-cis-2.1.3.rb
@@ -113,7 +113,15 @@
only_if('Amazon Macie unavailable in GovCloud; please manually review AWS account to determine if a third party data management tool is present') { !aws_sts_caller_identity.govcloud? }
- describe 'Manual Review' do
- skip 'Manual review of Amazon Macie configuration in the AWS console is required'
+ expected_monitored_buckets = aws_s3_buckets.bucket_names - input('exempt_buckets')
+
+ unmonitored_buckets = expected_monitored_buckets.filter { |bucket| aws_macie.monitoring?(bucket) }
+
+ fail_message = "Unmonitored buckets:\n\t- #{unmonitored_buckets.join("\n\t- ")}"
+
+ describe "AWS Macie" do
+ it "should be monitoring all S3 buckets" do
+ expect(unmonitored_buckets).to be_empty, fail_message
+ end
end
end
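Review bot: The filter on the `unmonitored_buckets` line is inverted: `filter { |bucket| aws_macie.monitoring?(bucket) }` keeps the buckets for which `monitoring?` is true, so — assuming that predicate returns true for a monitored bucket, as its name suggests — the control fails on every monitored bucket and passes cleanly on an account where Macie monitors nothing, which is the exact condition the check exists to catch. The line should be `unmonitored_buckets = expected_monitored_buckets.reject { |bucket| aws_macie.monitoring?(bucket) }`. It is worth pinning this with a unit test that stubs `aws_macie.monitoring?` to false for one bucket and asserts the control fails, since the inversion is invisible in a run where every bucket happens to be monitored or unmonitored. The enclosing `control` block begins before the hunk.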