Update docs of CIS v4.0.0 with changes CIS v4.0.1 #849

Open: wants to merge 1 commit into base: release/v1.2.1
9 changes: 5 additions & 4 deletions cis_v400/docs/cis_v400_1_1.md
@@ -2,14 +2,15 @@

Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.

An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.
An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of the Acceptable Use Policy or indicative of a likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.

If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.
If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS's best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.

## Remediation

This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing).
1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.
This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\*Billing).

1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at [https://console.aws.amazon.com/billing/home#/](https://console.aws.amazon.com/billing/home#/).
2. On the navigation bar, choose your account name, and then choose `Account`.
3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.
4. Next to the field that you need to update, choose `Edit`.
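Review bot: in the rewritten line beginning "This activity can only be performed via the AWS Console", the permission is now written as `aws-portal:\*Billing` with a backslash escape; putting the whole identifier in a code span instead (`aws-portal:*Billing`) renders the wildcard literally and matches how this document marks up other identifiers such as `Billing and Cost Management`. The blank line added before step 1 is the right fix for the numbered list not rendering after the paragraph.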
18 changes: 10 additions & 8 deletions cis_v400/docs/cis_v400_1_10.md
@@ -8,22 +8,24 @@ Enabling MFA provides increased security for console access as it requires the a

Perform the following to enable MFA:

### From Console:
### From Console

1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'.
2. In the left pane, select `Users`.
3. In the `User Name` list, choose the name of the intended MFA user.
4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`.
5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.

6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at [https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications)](https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications)) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.

When you are finished, the virtual MFA device starts generating one-time passwords.
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.

8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new `one-time password`. Then type the second one- time password into the `MFA Code 2 box`.
9. Click `Assign MFA`.
When you are finished, the virtual MFA device starts generating one-time passwords.

8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.

9. Click `Assign MFA`.
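Review bot: the rewritten link in step 6 is malformed: the link text ends with a stray `)` (`[https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications)](...)`), a second `)` follows the link, and the full stop that closed the sentence before "If the virtual MFA application" has been dropped. Suggest `see Virtual MFA Applications at [https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications](https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications)). If the virtual MFA application supports multiple accounts ...`. Step 1 in the same hunk still carries the IAM console URL in single quotes ('https://console.aws.amazon.com/iam/') while the other files in this PR convert such URLs to markdown links; worth aligning it here as well.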
17 changes: 8 additions & 9 deletions cis_v400/docs/cis_v400_1_11.md
@@ -6,28 +6,27 @@ Programmatic access: The IAM user might need to make API calls, use the AWS CLI,

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.
Requiring the additional steps to be taken by the user for programmatic access after their profile has been created will provide a stronger indication of intent that access keys are [a] necessary for their work and [b] that once the access key is established on an account, the keys may be in use somewhere in the organization.

**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.

## Remediation

Perform the following to delete access keys that do not pass the audit:

### From Console:
### From Console

1. Log into the AWS Management Console:
1. Login to the AWS Management Console:
2. Click `Services`.
3. Click `IAM`.
4. Click on `Users`.
5. Click on `Security Credentials`.
6. As an Administrator
- Click on the X (`Delete`) for keys that were created at the same time as the user profile but have not been used.
6. As an Administrator.
- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.
7. As an IAM User.
- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.

7. As an IAM User
- Click on the X (`Delete`) for keys that were created at the same time as the user profile but have not been used.

### From Command Line:
### From Command Line

```bash
aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>
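Review bot: step 1 changes "Log into the AWS Management Console" to "Login to the AWS Management Console", which is a regression: "login" is the noun, and the imperative form is "Log in to". In steps 6 and 7 the parentheses have moved inside the code span (`(Delete)`), but the control is labelled Delete, so the original X (`Delete`) marks up the label more accurately; the trailing periods added to "As an Administrator." and "As an IAM User." also read oddly, since the sub-bullet beneath each completes the instruction.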
17 changes: 8 additions & 9 deletions cis_v400/docs/cis_v400_1_12.md
@@ -1,12 +1,12 @@
## Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.
AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

## Remediation

### From Console:
### From Console

Perform the following to manage Unused Password (IAM user console access)

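Review bot: the unchanged line "Perform the following to manage Unused Password (IAM user console access)" is missing the colon that its parallel "Perform the following to deactivate Access Keys:" has; since this hunk already touches the heading directly above it, add the colon here.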
@@ -17,9 +17,9 @@ Perform the following to manage Unused Password (IAM user console access)
5. Click on `Security Credentials`.
6. Select user whose `Console last sign-in` is greater than 45 days.
7. Click `Security credentials`.
8. In section `Sign-incredentials`, `Console password` click `Manage`.
8. In section `Sign-in credentials`, `Console password` click `Manage`.
9. Under Console Access select `Disable`.
10. Click `Apply`
10. Click `Apply`.

Perform the following to deactivate Access Keys:

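Review bot: the "Sign-in credentials" fix and the period on "Click `Apply`." are good; while in this list, the context lines around them have two small inconsistencies worth picking up in the same commit: step 6 "Select user whose `Console last sign-in` is greater than 45 days" is missing "the" ("Select the user"), and step 5 says "Click on `Security Credentials`" while step 7 says "Click `Security credentials`" for what reads as the same tab.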
@@ -28,8 +28,7 @@ Perform the following to deactivate Access Keys:
3. Click `IAM`.
4. Click on `Users`.
5. Click on `Security Credentials`.
6. Select any access keys that are over 45 days old and that have been used and
- Click on `Make inactive`.

7. Select any access keys that are over 45 days old and that have not been used and
- Click the X to `Delete`.
6. Select any access keys that are over 45 days old and that have been used and.
- Click on `Make Inactive`
7. Select any access keys that are over 45 days old and that have not been used and.
- Click the X to `Delete`
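Review bot: the rewritten steps 6 and 7 now end "that have been used and." / "that have not been used and." with a full stop after "and", while the full stop has been removed from the sub-bullets ("Click on `Make Inactive`", "Click the X to `Delete`"). The sentence continues into the sub-bullet, so the period belongs on the bullet as in the original lines, not after "and".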
11 changes: 7 additions & 4 deletions cis_v400/docs/cis_v400_1_13.md
@@ -6,9 +6,9 @@ One of the best ways to protect your account is to not allow users to have multi

## Remediation

### From Console:
### From Console

1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.
2. In the left navigation panel, choose `Users`.
3. Click on the IAM user name that you want to examine.
4. On the IAM user configuration page, select `Security Credentials` tab.
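Review bot: step 1 now wraps the URL in a code span (`https://console.aws.amazon.com/iam/`) whereas the other files in this PR (1_1, 1_15, 1_16) convert the same console URL to a markdown link; pick one convention for the set. While this line is being edited, "navigate to IAM dashboard" should read "navigate to the IAM dashboard".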
@@ -17,15 +17,18 @@ One of the best ways to protect your account is to not allow users to have multi
7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key.
8. Repeat steps 3-7 for each IAM user in your AWS account.

### From Command Line:
### From Command Line

1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.

2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user.

**Note** - the command does not return any output:

```bash
aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>
```

3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User:

```bash
@@ -34,4 +37,4 @@ aws iam list-access-keys --user-name <user-name>

- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.

4. Repeat steps 1-3 for each IAM user in your AWS account.
4. Repeat steps 1-3 for each IAM user in your AWS account.
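Review bot: the blank lines inserted between the numbered steps and the fenced `aws iam update-access-key` / `list-access-keys` blocks are the right fix for the fences rendering inside the list items. Two nits in the surrounding text this hunk already touches: step 3 wraps `deactivated` in a code span although it is ordinary prose rather than a UI label or value (the actual value is the `Inactive` status named in the bullet below), and the last line "Repeat steps 1-3 for each IAM user in your AWS account." appears identical in old and new form, so that change is whitespace only.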
24 changes: 12 additions & 12 deletions cis_v400/docs/cis_v400_1_14.md
@@ -10,19 +10,19 @@ Access keys should be rotated to ensure that data cannot be accessed with an old

Perform the following to rotate access keys:

### From Console:
### From Console

1. Go to Management Console(https://console.aws.amazon.com/iam).
1. Go to the Management Console (https://console.aws.amazon.com/iam).
2. Click on `Users`.
3. Click on `Security Credentials`.
4. As an Administrator
- Click on `Make Inactive` for keys that have not been rotated in `90` Days.
5. As an IAM User
- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days.
4. As an Administrator.
- Click on `Make Inactive` for keys that have not been rotated in `90` Days
5. As an IAM User.
- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days
6. Click on `Create Access Key`.
7. Update programmatic call with new Access Key credentials.
7. Update programmatic calls with new Access Key credentials.

### From Command Line:
### From Command Line

1. While the first access key is still active, create a second access key, which is active by default. Run the following command:

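Review bot: step 1 leaves the URL bare inside parentheses ("(https://console.aws.amazon.com/iam)") whereas the rest of this PR converts console URLs to markdown links. As in the 1_11 change, steps 4 and 5 gain a trailing period after "As an Administrator." / "As an IAM User." while losing it from the sub-bullets that actually complete the sentence ("... rotated in `90` Days", "... rotated or used in `90` Days"); keep the period on the bullet.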
@@ -32,7 +32,7 @@ aws iam create-access-key

At this point, the user has two active access keys.

2. Update all applications and tools to use the new access key pair.
2. Update all applications and tools to use the new access key.
3. Determine whether the first access key is still in use by using this command:

```bash
@@ -41,14 +41,14 @@ aws iam get-access-key-last-used

4. One approach is to wait several days and then check the old access key for any use before proceeding.

Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:
Even if step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:

```bash
aws iam update-access-key
```

5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the
first access key. Then return to step 2 and update this application to use the new key.
5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step 2 and update this application to use the new key.

6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:

```bash
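Review bot: the context line `aws iam update-access-key` beneath "change the state of the first access key to Inactive using this command" shows the command without the arguments that make it do that; the 1_13 file in this same PR gives the full form (`aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>`). Since this hunk already rewrites the sentence introducing the command, completing it here would keep the two documents consistent and spare readers guessing the `--status` value. The "step Step 3" fix and the re-joined step 5 sentence look good.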
22 changes: 11 additions & 11 deletions cis_v400/docs/cis_v400_1_15.md
@@ -10,27 +10,27 @@ Assigning IAM policies solely through groups unifies permissions management into

Perform the following to create an IAM group and assign a policy to it:

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
2. In the navigation pane, click `Groups` and then click `Create New Group`.
3. In the `Group Name` box, type the name of the group and then click `Next Step`.
4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step`.
5. Click `Create Group`.

Perform the following to add a user to a given group:

1. Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
2. In the navigation pane, click `Groups`.
3. Select the group to add a user to
4. Click `Add Users To Group`
5. Select the users to be added to the group
6. Click `Add Users`
3. Select the group to add a user to.
4. Click `Add Users To Group`.
5. Select the users to be added to the group.
6. Click `Add Users`.

Perform the following to remove a direct association between a user and policy:

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
2. In the left navigation pane, click on Users.
3. For each user:
- Select the user.
- Click on the `Permissions` tab.
- Expand `Permissions policies`.
- Click `X` for each policy; then click Detach or Remove (depending on policy type).
- Select the user
- Click on the `Permissions` tab
- Expand `Permissions policies`
- Click `X` for each policy; then click Detach or Remove (depending on policy type)
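Review bot: terminating periods are added to steps 3-6 of "add a user to a given group" ("Select the group to add a user to.") but removed from the four sub-bullets under "For each user:" ("Select the user", "Click on the `Permissions` tab", ...), so the two lists in one file end up with opposite conventions; apply one rule to both. The context line "In the left navigation pane, click on Users." also leaves Users without the code span that `Groups` and `Permissions` get in the same hunk.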
12 changes: 6 additions & 6 deletions cis_v400/docs/cis_v400_1_16.md
@@ -6,23 +6,23 @@ It's more secure to start with a minimum set of permissions and grant additional

Providing full administrative privileges instead of restricting access to the minimum set of permissions required for the user exposes resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.
IAM policies that contain a statement with `"Effect": "Allow"` and `"Action": "*"` over `"Resource": "*"` should be removed.

## Remediation

### From Console:
### From Console

Perform the following to detach the policy that has full administrative privileges:

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
3. Select the policy that needs to be deleted.
4. In the policy action menu, select first `Detach`.
4. In the policy action menu, select `Detach`.
5. Select all Users, Groups, Roles that have this policy attached.
6. Click `Detach Policy`.
7. In the policy action menu, select `Detach`.
7. Select the newly detached policy and select `Delete`.

### From Command Line:
### From Command Line

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

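Review bot: the new step 7 ("Select the newly detached policy and select `Delete`") corrects the old text, which merely repeated step 4's Detach, and now matches step 3 ("Select the policy that needs to be deleted"); dropping "first" from step 4 is also right once step 7 no longer duplicates it. One wording nit in the unchanged step 5: "Select all Users, Groups, Roles that have this policy attached" wants an "and" before Roles.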