The Center for Internet Security (CIS) is a non-profit security research body that develops best practices for securing IT systems and data, including cloud security best practices. The CIS Benchmarks draw on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world.
CIS created the AWS Foundations Benchmark, a set of security configuration best practices for Amazon Web Services (AWS). These best practices offer highly specific, detailed guidelines for implementing security controls in AWS services and validating their effectiveness.
In addition to the AWS Foundations Benchmark, the CIS provides security guidance for specific AWS services, in the form of Product-Level Benchmarks and Standalone Cloud Service Benchmarks.
The CIS Benchmark addresses multiple aspects of AWS infrastructure and managed services, including operating systems, cloud service configuration, and network devices. By following CIS controls, organizations can protect their AWS deployments from known cyber attack vectors, to fulfill their part of the shared responsibility model.
Download all the CIS AWS benchmarks at no cost on the CIS AWS page.
Who Should be Using the CIS Benchmarks?
Any organization can use CIS benchmarks to achieve their security and compliance goals in AWS. The guidelines are created by representatives from businesses, governments, and academic institutions with global recognition, and are in line with standards and regulations such as GDPR in the EU, HIPAA in the US, and PCI DSS. In particular, government, healthcare, and financial sector organizations should consider using the CIS benchmark to meet their regulatory requirements.
AWS CIS Benchmark Benefits
The AWS CIS Benchmark provides the following security benefits:
- Industry accepted best practices—CIS benchmarks provide security professionals with a clear set of standards and prescriptive guidance for specific assets in their AWS account. Prescribed best practices make it easy for security teams and AWS account holders to implement key security measures. The benchmark is referenced and recognized by PCI 3.1 and FedRAMP, and is included in the National Vulnerability Database (NVD) National Checklist Program (NCP).
- Easy integration into security ecosystem—the CIS benchmark can be integrated into products developed by over 20 security vendors. By leveraging these tools, organizations can integrate AWS security best practices into their existing security and audit processes.
- Consistent auditing—security and compliance teams can continuously assess the security of an AWS account. Best practices reduce the complexity of managing risk and make it clear how to audit the use of AWS for business critical and regulated systems, infrastructure, and applications.
Levels of CIS AWS Cloud Benchmarks
The CIS provides three levels of benchmarks that can help secure an AWS environment:
- CIS AWS Foundations Benchmark—provides an account-level starting point for securely setting up the AWS cloud. It covers identity and access management, logging, monitoring, and networking.
- CIS Product-Level Benchmarks—provide guidance for configuring products and services, including areas such as compute, database, storage, and containers. These benchmarks help users choose the right cloud service for their needs and configure it for their environment. They add another layer of security to the cloud services used within cloud accounts.
- CIS Standalone Cloud-Service Benchmarks—these are specific to AWS services that require broader configuration guidance. In this case, the Product-Level Benchmark has a services section that references the standalone CIS Benchmark for the specific service.
AWS Foundation Benchmark Sections
The AWS Foundation Benchmark contains the following sections, each providing recommendations for a different aspect of an Amazon deployment.
Identity and Access Management
This section’s recommendations are for identity, accounts, authentication, and authorization. Most identity and access control concerns on AWS are managed using the IAM service. Most recommendations discuss IAM configurations like a password policy, using security groups and roles, and configuring devices for multi-factor authentication (MFA).
Storage
This section's recommendations cover AWS storage services and the settings that improve their security. It focuses mainly on Amazon EC2, S3, and RDS, and covers encryption of data in transit and at rest, access control to resources, and handling of sensitive data.
Logging
There are several logging, monitoring, and auditing features available in AWS with associated benchmark recommendations:
- AWS CloudTrail—used to track user activity and API usage.
- AWS Config—used to record and evaluate resource configurations.
- VPC Flow Logs—used to capture network traffic information in VPCs.
- AWS KMS—used to manage keys to encrypt and decrypt your data.
The Benchmark does not directly address some AWS logging features. The main log ingestion and query service, Amazon CloudWatch Logs, is integrated with many AWS services. The Benchmark recommends that users integrate CloudTrail with CloudWatch Logs.
Monitoring
The recommendations in this section are concerned with monitoring specific API calls using the CloudTrail service paired with CloudWatch Logs metric filters. Each recommendation defines a specific filter pattern with an associated alarm.
Monitoring recommendations depend on two conditions, defined in the Logging section:
- Users must ensure CloudTrail is enabled in all regions
- Users must integrate CloudTrail with CloudWatch Logs
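An added offline model of how a Monitoring recommendation works end to end (example code written for this article, not CIS's or Aqua's): it checks the two Logging preconditions against constructed describe-trails output, then applies CIS-style metric filter clauses for unauthorized API calls and root account usage to constructed CloudTrail records and derives the alarm state. The trail ARN, the event records, and the alarm threshold of 1 are assumptions.

```python
import fnmatch

# Constructed describe-trails style output (not real account data).
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/Logs:*"},
]

# Constructed CloudTrail records as they would arrive in the CloudWatch Logs group.
EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
]

# Filter patterns as (JSON selector, glob) clauses joined by OR, mirroring the CloudWatch
# syntax { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }.
UNAUTHORIZED_API_CALLS = [("$.errorCode", "*UnauthorizedOperation"),
                          ("$.errorCode", "AccessDenied*")]
ROOT_USAGE = [("$.userIdentity.type", "Root")]

def lookup(event, selector):
    """Resolve a '$.a.b' selector against a nested record; None if the field is absent."""
    node = event
    for key in selector.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(event, clauses):
    """True if any clause's glob matches the selected field (OR semantics)."""
    for selector, pattern in clauses:
        value = lookup(event, selector)
        if value is not None and fnmatch.fnmatchcase(str(value), pattern):
            return True
    return False

def metric_value(events, clauses):
    """Count of records the filter would publish to its metric in one period."""
    return sum(matches(e, clauses) for e in events)

def alarm_state(events, clauses, threshold=1):
    """ALARM once the metric reaches the threshold (1 is an assumed value here), else OK."""
    return "ALARM" if metric_value(events, clauses) >= threshold else "OK"

def prerequisites_met(trails):
    """Both Logging preconditions: a multi-region trail delivering to a CloudWatch Logs group."""
    return any(bool(t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn")) for t in trails)
```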
Networking
Even though networking has a central role in the security of any distributed system, this section's recommendations are not highly restrictive. The recommendations limit inbound traffic from any source (0.0.0.0/0) and, following the principle of least privilege, limit routing for VPC peering connections.
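As an added audit example (written for this article, not CIS's or Aqua's code), the check below walks constructed describe-security-groups output and reports ingress rules that expose an administrative port to 0.0.0.0/0 or ::/0, including rules that allow all protocols. The group ids, the rules, and the choice of SSH (22) and RDP (3389) as the guarded ports are assumptions.

```python
import ipaddress

# Constructed describe-security-groups style output (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Administrative ports the check guards (an assumed choice: SSH and RDP).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_unrestricted(cidr):
    """True for the any-source networks 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_covers(rule, port):
    """Does this ingress rule admit TCP traffic to `port`? Protocol '-1' means everything."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def rule_sources(rule):
    """All IPv4 and IPv6 source CIDRs attached to a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def findings(groups, ports=ADMIN_PORTS):
    """(GroupId, port, source) for every rule exposing a guarded port to the whole internet."""
    out = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            for port in ports:
                if rule_covers(rule, port):
                    out.extend((sg["GroupId"], port, src)
                               for src in rule_sources(rule) if is_unrestricted(src))
    return out
```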
What Information Does Each Section Provide?
Each CIS Foundations Benchmark recommendation contains the following subsections:
- Profile applicability—determines if the recommendation relates to Level 1 (standard security profile) or Level 2 (higher security profile).
- Description—explains the recommendation and its importance.
- Audit—describes how to check whether the environment currently meets the recommendation.
- Remediation—a step-by-step guide to implementing the recommendation.
- References—supporting documentation links.
- Additional information—more explanations that can assist with evaluating and remediating the issue.
- CIS controls—recommendation mapping to specific CIS controls.
Ensure Compliance in AWS with Aqua CSPM
Cloud Security Posture Management, or CSPM, is a relatively new cloud security category designed to address configuration and compliance risks in your cloud infrastructure. The concept of CSPM is to enable organizations to automatically discover, assess, and remediate security configuration issues and gaps across multiple cloud providers and accounts – utilizing frameworks such as the CIS Benchmarks as well as custom policies for assessment. This approach is intended to ensure that at any given moment you have a consistent, secure, and compliant cloud infrastructure.
Industry analyst firm Gartner defines the product category as: "CSPM offerings continuously manage cloud risk through the prevention, detection, response, and prediction of where excessive cloud infrastructure risk resides based on common frameworks, regulatory requirements and enterprise policies. The core of CSPM offerings proactively and reactively discover and assess risk/trust of cloud services configuration (such as network and storage configuration), and security settings (such as account privileges and encryption)."
Aqua’s SaaS-based CSPM scans, validates, monitors, and remediates configuration issues in your public cloud accounts, including 50 checks for the CIS Amazon Web Services Foundations v1.2.0 Benchmark – covering AWS Identity and Access Management (IAM), AWS Config, AWS CloudTrail, AWS CloudWatch, AWS Simple Notification Service (SNS), AWS Simple Storage Service (S3) and AWS VPC (Default).
Once connected to the AWS environment through a dedicated IAM role, the Aqua CSPM will query various read-only APIs in your account to obtain information about the configuration of your infrastructure services. This information will be processed and analyzed by Aqua's security control plugins, with the output represented in a reporting dashboard, integrating findings with compound risk evaluation for remediation prioritization. Aqua's CSPM assesses configurations against the CIS Benchmarks to identify misconfigurations, and generates reports mapped to and certified by the CIS Foundations Benchmarks.
Compliance reports are generated by taking existing security controls (represented as CSPM plugins) and presenting them through the lens of the specific compliance report being generated. In this way, you can access all compliance reports and details for all of your cloud accounts without having to pre-configure the reporting types.
Aqua's CSPM also provides self-securing capabilities to help ensure your cloud accounts do not drift out of compliance by leveraging a policy-driven approach. Aligning with your multi-account strategy, Aqua CSPM integration for AWS Control Tower accelerates the onboarding process by employing automation and enables your organization to start from a secure foundation right out of the gate.
The Aqua CSP performs these checks based on the CIS Foundation Benchmarks, along with hundreds of other configuration settings and compliance best practices checks, enabling consistent, unified multi-account security.