Amazon Web Services (AWS) provides organizations unprecedented scalability and flexibility for meeting modern business demands. AWS secures the underlying technology and services it provides; however, while AWS provides the security of the cloud, it is the customer’s responsibility to ensure their security in the cloud. Proper configuration is critical for making an AWS environment resilient against cyber threats, and it’s more important than ever.
Largely due to the chaos caused by the COVID-19 pandemic, 90 percent of organizations said they experienced an increase in cyberattacks during 2020 — a trend that is likely to continue for the foreseeable future.
One of the simplest ways for organizations to assess their AWS security posture is to use the Center for Internet Security’s (CIS) benchmarks — documented best practices that provide straightforward checks to identify gaps in the security configuration of your AWS services for maximum protection.
Here’s what you need to know about the AWS CIS benchmark to get started.
What is the AWS CIS Benchmark?
The AWS CIS Foundations Benchmark is a compliance standard that provides guidelines specifically for hardening and monitoring AWS accounts. It was developed by the Center for Internet Security (CIS), whose mission is to make cyberspace safer by “developing, validating, and promoting timely best practice solutions.” CIS benchmarks are developed by a global community of security experts for securely configuring IT systems, software, and networks, and are considered the global standard for improving organizations’ security and compliance posture.
AWS CIS compliance is important because cloud misconfigurations are a leading factor in data breaches and other cybercrimes. The benchmark enables organizations operating in the cloud to ensure their IT infrastructure is safeguarded against cyber threats and attacks.
The AWS CIS benchmark provides guidelines for configuring the security options of foundational AWS services. These include:
- AWS Identity and Access Management (IAM)
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- AWS VPC
The benchmark organizes the services into four sections: AWS CIS IAM Benchmark, AWS CIS Logging Benchmark, AWS CIS Monitoring Benchmark, and AWS CIS Networking Benchmark.
What Security Does AWS Provide?
AWS provides a range of security tools and features similar to the controls organizations would deploy in their on-premises infrastructure. The company groups these into five categories:
- Infrastructure security — Includes network firewalls built into Amazon VPC, private or dedicated connectivity options, DDoS mitigation technologies, automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities, and other tools to increase privacy and control network access.
- Inventory and configuration management — Includes deployment tools for managing the creation and decommissioning of AWS resources; tools to identify AWS resources and track and manage changes to those resources over time; and tools to create standard, preconfigured, hardened virtual machines for EC2 instances.
- Data encryption — Includes tools to encrypt data at rest; flexible key management options; dedicated, hardware-based cryptographic key storage; and encrypted message queues for the transmission of sensitive data.
- Identity and access control — AWS provides the tools to define and enforce user access policies across AWS services through AWS Identity and Access Management, AWS Directory Service, and AWS Single Sign-On.
- Monitoring and logging — Includes AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty to give organizations visibility into their AWS environments to identify issues before they impact the business and reduce their security risk.
In response to the ever-increasing adoption of AWS, CIS developed several benchmarks to help configure many of these AWS services more securely.
What are CIS Benchmarks?
New software installations generally come with default settings. All of an application’s services may be turned on, for example, or all of its ports open. These out-of-the-box installations are extremely insecure. CIS benchmarks define best practices for configuring IT systems to meet industry cybersecurity standards. Currently, there are over 100 benchmarks across more than 25 products from AWS, Microsoft, Cisco, IBM, and other vendors.
Benchmarks are organized into two profile levels to help meet organizations’ immediate and long-term needs:
- Level 1: These recommendations are designed to be implemented easily so organizations can quickly reduce their attack surface while maintaining normal operations. Guidelines with a Level 1 profile represent the minimum level of security and compliance all organizations should meet.
- Level 2: These recommendations address deeper defense. They are costlier and more laborious to implement and can adversely impact the organization if not done correctly. Level 2 is designed for environments where security is of paramount importance.
Every benchmark is the product of input from a global community of security and IT professionals and goes through a two-step consensus review. In the first step, a panel of the community members creates and tests the recommendations. Then the larger community reviews the recommendations and provides feedback, which is incorporated into the final standards.
All CIS benchmarks are made available as PDF documents on the CIS website. The benchmarks are extremely detailed, with some running over 800 pages, but they all follow the same basic structure.
Each benchmark starts with an overview addressing definitions and the benchmark’s intended audience. Recommendations for ensuring the correct configuration of an IT system make up the bulk of the document. The benchmark ends with a checklist appendix to help monitor compliance for each recommendation.
There may be hundreds of recommendations in a single benchmark, and each recommendation includes a description, the reason for the guideline, its potential security impact, and instructions on how to implement it. Recommendations are classified as “scored” or “not scored.” Each scored recommendation contributes to an overall benchmark score and is required to achieve CIS compliance. Recommendations that are not scored do not impact the overall benchmark score.
What are CIS Controls?
CIS controls are sets of broader security guidelines beyond asset configuration. They are offered separately from CIS benchmarks, but every benchmark recommendation maps to at least one CIS control.
The controls are designed to provide actions organizations can take to mitigate the damage from cyberattacks. There are 20 controls in all, organized into three categories to guide implementation. Basic CIS controls provide guidelines for preventing unauthorized hardware and software from accessing the network, controlling administrative privileges, and identifying and fixing system vulnerabilities. Foundational CIS controls deal with email and web browser protections, malware defenses, boundary defense, and data recovery. Organizational CIS Controls cover security awareness and training programs, application software security, incident response and management, and penetration tests and red team exercises.
The controls are further prioritized into three implementation groups, allowing organizations to determine which actions to take based on their particular security risks and resources. Implementation Group 1 includes small organizations with low data sensitivity and/or limited resources. Group 2 is for larger organizations with multiple, more complex IT systems and compliance requirements. Group 3 represents complex organizations that have high data sensitivity and strict compliance requirements, and that may be subject to targeted cyberattacks.
The main difference between CIS benchmarks and CIS controls is that the benchmarks provide guidance for specific products and systems and the controls address the whole IT infrastructure. As every benchmark recommendation is mapped to at least one CIS control, organizations gain an understanding of how each one affects the larger security effort.
What is CIS Compliance?
CIS compliance is achieved by correctly implementing the best practice recommendations in a particular CIS benchmark. While it’s possible to implement benchmark recommendations manually, it’s time-consuming and error-prone. For that reason, most organizations will opt to use an automated solution. These third-party tools can scan a system or product to identify and alert the organization to areas of non-compliance and provide clear guidance on how to configure them to meet benchmark recommendations. Regular or continuous scans can alert the organization to misconfigurations that get introduced over time so corrective action can be taken quickly and compliance maintained.
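A minimal sketch of the kind of automated scan described above, added here as an illustration and not taken from CIS, AWS, or any vendor tool. It runs checks from each of the benchmark’s four sections over a constructed account snapshot and counts only scored recommendations toward the score; the snapshot layout, field names, and the level and scored labels are assumptions.

```python
# Added illustration: an offline, CIS-style scan of a CONSTRUCTED account snapshot.
# The snapshot layout and field names are assumptions (not an AWS API format);
# level and scored labels are illustrative and vary between benchmark versions.
SNAPSHOT = {
    "iam": {"root_mfa_enabled": False, "password_min_length": 8},
    "trails": [{"multi_region": True, "log_file_validation": False}],
    "metric_alarms": ["unauthorized-api-calls"],
    "security_groups": [
        {"id": "sg-example-1", "ingress": [{"cidr": "0.0.0.0/0", "from": 22, "to": 22}]},
        {"id": "sg-example-2", "ingress": [{"cidr": "10.0.0.0/8", "from": 0, "to": 65535}]},
    ],
}

def open_to_world(group, port):
    """True if any ingress rule exposes `port` to the whole internet."""
    return any(r["cidr"] == "0.0.0.0/0" and r["from"] <= port <= r["to"]
               for r in group["ingress"])

# (section, profile level, scored?, title, predicate that is True when compliant)
CHECKS = [
    ("IAM", 1, True, "MFA is enabled for the root account",
     lambda s: s["iam"]["root_mfa_enabled"]),
    ("IAM", 1, True, "Password policy requires a minimum length of 14",
     lambda s: s["iam"]["password_min_length"] >= 14),
    ("IAM", 1, False, "Security contact information is registered",
     lambda s: bool(s["iam"].get("security_contact"))),
    ("Logging", 1, True, "CloudTrail is enabled in all regions",
     lambda s: any(t["multi_region"] for t in s["trails"])),
    ("Logging", 2, True, "CloudTrail log file validation is enabled",
     lambda s: bool(s["trails"]) and all(t["log_file_validation"] for t in s["trails"])),
    ("Monitoring", 1, True, "An alarm exists for unauthorized API calls",
     lambda s: "unauthorized-api-calls" in s["metric_alarms"]),
    ("Networking", 1, True, "No security group allows 0.0.0.0/0 to port 22",
     lambda s: not any(open_to_world(g, 22) for g in s["security_groups"])),
]

def scan(snapshot, max_level=1):
    """Run checks at or below `max_level`; return (findings, score percent)."""
    findings, total, passed_count = [], 0, 0
    for section, level, scored, title, compliant in CHECKS:
        if level > max_level:
            continue
        passed = bool(compliant(snapshot))
        if scored:  # only scored recommendations count toward the score
            total += 1
            passed_count += passed
        if not passed:
            findings.append((section, title, "scored" if scored else "not scored"))
    return findings, (round(100 * passed_count / total) if total else 100)
```

Calling `scan(SNAPSHOT, max_level=2)` adds the Level 2 check, which lowers the score because the constructed trail has log file validation turned off.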
Who Should Use the CIS Benchmarks?
Any organization can use CIS benchmarks to meet its security and compliance objectives. The guides are developed by and for business, government, and academic institutions, and their global recognition makes them more widely applicable than nation-specific standards like GDPR and HIPAA. In particular, groups in the government, healthcare, and financial sectors should consider using CIS benchmarks to meet their stringent regulatory requirements.
Alert Logic’s Free AWS Security Assessment
Fortra’s Alert Logic provides an assessment of 49 best practice controls based on the industry-standard AWS CIS Benchmark. It includes a summary report of your AWS posture and how your AWS security measures compare to the CIS benchmarks. Alert Logic will provide a list of remediating actions you can take and suggestions for ensuring ongoing visibility and creating compensating controls for more than 70 percent of monitoring check failures automatically. Best of all, Alert Logic does all the work so you can focus on your company’s daily business.
To get started, request your free AWS security assessment.