For 16 years, CIS Benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components. The release of the CIS AWS Foundations Benchmark into this existing ecosystem marks one of many milestones for the maturation of the cloud and its suitability for sensitive and regulated workloads.
These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures. This is the first time CIS has issued a set of security best practices specific to an individual cloud service provider.
Beam’s Security & Compliance has adopted the CIS AWS Foundations Benchmark best practices as the baseline for its audit ecosystem, so that audits can be measured against CIS compliance.
CIS AWS Foundations Benchmark empowers Beam users to
- Implement foundational security measures in your AWS account, removing guesswork for security professionals
- Continuously evaluate the security of your AWS account
- Run additional audits against your environment
CIS AWS Foundations Benchmark overview
The CIS benchmark for AWS provides prescriptive guidance for configuring security options for a basic set of foundational AWS services. Here’s the list of services that are within the scope of this benchmark:
- AWS Identity and Access Management (IAM)
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- AWS VPC (Default)
This benchmark is divided into four sections:
- Identity and Access Management (IAM)
If Amazon Web Services were a territory, then the keys to that territory would be the “root” account. The root account has unrestricted access to all resources in the AWS account, so it must be fiercely guarded and its use limited. This section provides recommendations to limit the use of the root account and, where it is used, the monitoring guidance needed to detect unauthorized use. It also recommends using multifactor authentication (MFA), disabling inactive accounts, and having a very strong password policy.
- Logging (CloudTrail, CloudWatch, S3, AWS Config)
Logging API calls is an important recommendation in this benchmark. It recommends that all AWS API calls be logged via CloudTrail, and that CloudTrail be configured to send logs to S3 for long-term analysis and to CloudWatch for real-time analysis. The logs should be encrypted, and the encryption keys should be rotated on a regular basis.
- Monitoring (CloudTrail, CloudWatch, SNS)
Monitoring an AWS account is critical to prevent and detect unauthorized use of the account. The benchmark recommends generating alerts by using a combination of metric filters and alarms. Events to monitor and alert on include console logins by accounts without MFA enabled, root account usage, failed authentication attempts, and unauthorized changes to IAM, S3, AWS Config and network configuration.
- Networking (default VPC)
And last but not least, the networking section makes recommendations for configuring security-related aspects of the default virtual private cloud (VPC). The recommendations include prohibiting security groups from allowing unfettered ingress access to remote console services such as SSH and RDP from 0.0.0.0/0, and ensuring that the default security group restricts all traffic by default.
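The monitoring and networking recommendations above translate directly into checks an audit tool can run. The following Python is added here as an illustration and is not Beam's or CIS's own code: it evaluates constructed CloudTrail records against the conditions behind the benchmark's metric filters (root account usage, console login without MFA, failed console login) and inspects constructed security groups for SSH/RDP open to 0.0.0.0/0 and for a default group that still carries rules. Field names follow the CloudTrail record and EC2 DescribeSecurityGroups formats; treating ::/0 the same as 0.0.0.0/0 is an assumption that goes beyond the page's wording, and nothing here contacts a real account.

```python
"""Offline CIS-style checks over constructed AWS data (illustration, not Beam's or CIS's code)."""

REMOTE_CONSOLE_PORTS = (22, 3389)  # SSH and RDP, the services the benchmark names

# --- Monitoring: the conditions the benchmark's CloudWatch metric filters test ---

def is_root_usage(event: dict) -> bool:
    """Root account activity, ignoring actions AWS services take on root's behalf."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")

def is_console_login_without_mfa(event: dict) -> bool:
    """Successful console sign-in where MFA was not used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def is_failed_console_login(event: dict) -> bool:
    """Console sign-in that failed authentication."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")

# --- Networking: security group checks over DescribeSecurityGroups-shaped dicts ---

def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to `port`; protocol -1 means everything."""
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def unrestricted_remote_console(sg: dict) -> list:
    """(port, cidr) pairs where SSH or RDP is reachable from anywhere.
    Treating ::/0 like 0.0.0.0/0 is an assumption beyond the page's wording."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        anywhere = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        anywhere += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        for port in REMOTE_CONSOLE_PORTS:
            if anywhere and rule_covers_port(rule, port):
                findings.extend((port, cidr) for cidr in anywhere)
    return findings

def default_sg_restricts_all(sg: dict) -> bool:
    """The VPC default group should carry no ingress and no egress rules."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")

def audit(events: list, security_groups: list) -> list:
    """Run every check and return one finding string per violation."""
    findings = []
    for ev in events:
        who = ev.get("userIdentity", {}).get("userName", "root")
        if is_root_usage(ev):
            findings.append(f"root account used: {ev.get('eventName')}")
        if is_console_login_without_mfa(ev):
            findings.append(f"console login without MFA: {who}")
        if is_failed_console_login(ev):
            findings.append(f"failed console login: {who}")
    for sg in security_groups:
        for port, cidr in unrestricted_remote_console(sg):
            findings.append(f"{sg['GroupId']} allows port {port} from {cidr}")
        if sg.get("GroupName") == "default" and not default_sg_restricts_all(sg):
            findings.append(f"{sg['GroupId']} (default) does not restrict all traffic")
    return findings

# Constructed CloudTrail records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventName": "CreateSnapshot", "eventType": "AwsApiCall",  # a service acting on root's behalf
     "userIdentity": {"type": "Root", "invokedBy": "backup.amazonaws.com"}},
]

# Constructed security groups in the shape EC2 DescribeSecurityGroups returns.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-default0", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-web00001", "GroupName": "web", "IpPermissionsEgress": [],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-bastion1", "GroupName": "bastion", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-rdp00001", "GroupName": "rdp", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS, SAMPLE_SECURITY_GROUPS):
        print(line)
```

In a live audit the same functions would be fed the CloudTrail records delivered to the S3 bucket described in the logging section and the output of the EC2 describe-security-groups call; the three event conditions are exactly what you would express as CloudWatch metric filters wired to alarms and SNS for the real-time alerting the benchmark asks for. Note that the bastion group is flagged on both ports because a protocol of -1 admits every port, and the "rdp" group is flagged even though no rule mentions 3389 explicitly, since the 3000-4000 range covers it.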
Who should be using these benchmarks?
- AWS Customers
- AWS Auditors
- AWS System Integrators
- AWS Partners
- AWS Consultants
Try the CIS Benchmark today to secure and benchmark your AWS cloud security.