CIS AWS Foundations Benchmark
Achieve and maintain compliance with the CIS AWS Foundations Benchmark recommendations.
Compliance in days, not months
The CIS AWS Foundations Benchmark is an objective, consensus-driven guideline for establishing secure infrastructure on AWS. Gruntwork’s production-grade, battle-tested infrastructure as code modules are built for compliance. Leverage them to achieve compliance with the Benchmark quickly and repeatably, avoiding the burden of a complex, drawn-out compliance project.
Why is CIS AWS Compliance Important?
Any organization that uses cloud resources provided by Amazon Web Services can help safeguard sensitive IT systems and data by complying with the CIS AWS Foundations Benchmark. Cloud misconfigurations and cyber attacks are a constant concern for organizations that operate in the cloud, so security is of utmost importance.
CIS notes that the benchmark is for anyone who plans to “develop, deploy, assess or secure solutions in Amazon Web Services,” so DevOps personnel, security analysts, and compliance analysts, in particular, can benefit from evaluating their infrastructure against the benchmark and adhering to its recommendations.
CIS AWS Foundations Benchmark Compliance
The CIS AWS Foundations Benchmark is composed of 4 sections with a total of 49 controls known as “recommendations.”
These 4 sections include:
1. Identity and Access Management
The first section contains recommendations for configuring IAM-related options. For example, CIS AWS 1.11 encourages users to “Ensure IAM password policy expires passwords within 90 days or less.” Regular password changes can limit the risk of a breach due to stolen or compromised passwords, reuse of the same password in different systems, and other potentially dangerous situations. Organizations can promote password hygiene by creating a password policy that requires users to create a new password every 90 days or less.
2. Logging
The second section contains recommendations for configuring account logging features. CIS AWS 2.7 suggests that users “Ensure CloudTrail logs are encrypted at rest using KMS CMKs.” Using KMS customer master keys to encrypt CloudTrail log files provides additional confidentiality controls on log data. For each CloudTrail trail, enable encryption and specify a KMS key ID.
3. Monitoring
The third section contains recommendations for configuring AWS log metric filters and alarms to monitor services. To comply with CIS AWS 3.1, “Ensure a log metric filter and alarm exist for unauthorized API calls,” you can direct CloudTrail logs to CloudWatch Logs and establish a corresponding metric filter and alarm. Monitoring API calls can help decrease the time needed to detect malicious activity, so set up a metric filter, alarm, SNS topic, and subscription to track suspicious calls.
4. Networking
The fourth section contains recommendations for configuring security-related VPC attributes. For example, CIS AWS 4.1, “Ensure no security groups allow ingress from 0.0.0.0/0 to port 22,” helps prevent the internet at large from accessing your servers through SSH. You can achieve this by auditing your security groups and removing any inbound rules that allow unrestricted traffic to port 22.
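The audit step for CIS AWS 4.1 described above, as an added example that is not Gruntwork's code: it evaluates security group rules in the shape returned by the EC2 `describe_security_groups` API, flags any rule that exposes port 22 to 0.0.0.0/0 (and, going one step beyond the benchmark text, the IPv6 equivalent ::/0), and handles the all-traffic (`IpProtocol` "-1") and port-range cases that a naive "FromPort == 22" check misses. The group IDs and rules are constructed sample data.

```python
"""CIS AWS 4.1 audit: find security group rules allowing ingress from the world to port 22."""
from typing import Any, Dict, List, Tuple

# The benchmark names 0.0.0.0/0; "::/0" is added here as the IPv6 equivalent (extension, not in the CIS text).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_reaches_port(rule: Dict[str, Any], port: int) -> bool:
    """True if an IpPermissions entry covers `port`. "-1" means all protocols and all ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):      # SSH is TCP; "6" is its IANA protocol number
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def find_cis_4_1_violations(security_groups: List[Dict[str, Any]], port: int = 22) -> List[Tuple]:
    """Return (GroupId, IpProtocol, FromPort, ToPort, cidr) for every rule exposing `port` to the world."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_reaches_port(rule, port):
                continue
            open_cidrs = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
            open_cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
            for cidr in open_cidrs:
                findings.append((sg["GroupId"], rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"), cidr))
    return findings

# Constructed sample in the layout of ec2.describe_security_groups()["SecurityGroups"]; IDs are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [  # classic violation: SSH open to the internet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0allports", "IpPermissions": [  # all traffic from anywhere; no FromPort/ToPort keys at all
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0range", "IpPermissions": [  # port range 20-25 includes 22; open only over IPv6
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ok", "IpPermissions": [  # compliant for 4.1: SSH from a private range, HTTPS public
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    # Against a real account, replace the sample with boto3.client("ec2").describe_security_groups()["SecurityGroups"].
    for finding in find_cis_4_1_violations(SAMPLE_SECURITY_GROUPS):
        print("CIS 4.1 violation:", finding)
```

Expect three findings (sg-0bastion, sg-0allports, sg-0range); the same function with `port=443` shows that the all-traffic rule is the one that violates every port-specific check, which is why removing it is the first remediation to make.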
- Create compliant IAM users, groups, roles, and policies
- Require multi-factor authentication for accessing AWS
- Enable AWS Config across all regions
- Remove default VPCs and unnecessary default security groups
- Configure CloudTrail integration with S3, KMS, and CloudWatch Logs
- Establish metrics and alarms for compliance violations
- Configure VPCs with flow logs and a minimal set of peering connections
- Avoid overly permissive inbound security group rules