Assess Security Best Practices for Amazon Web Services with AWS CIS Benchmark

Enterprises, especially B2B-focused ones, start getting security questions from customers as soon as they sign their first ones. Promises only go so far; you need proven ways to show that you secure your applications at every level. We will dive deep into communicating security with customers in upcoming content, but for now, let’s focus on cloud benchmarks.

Cloud is one of the key areas where customers expect proof of security, because every critical component of your software is integrated with the cloud in some way. AWS in particular offers ways for customers to show that they follow best practices. A well-known framework that AWS developed is AWS Well-Architected, which we automate at Resmo. Frameworks developed by independent organizations also exist; compliance frameworks like SOC 2 or HIPAA are good examples.

The difference between benchmarks and compliance frameworks is how you comply with them. Compliance frameworks require formal audits by an accredited auditor, while assessment benchmarks do not. That is why, at an early stage, benchmarks are a great way to check your security posture and show your customers that you take security seriously. As mentioned, Well-Architected is a great one, and AWS customers should review their production workloads against it from the start. Another great option is the CIS Benchmarks. They are popular and developed by a community of security experts.

In this blog post, we will focus on CIS, specifically on the AWS benchmark, and share the important details you need to get started with CIS easily.

What is a CIS Benchmark?

CIS, the Center for Internet Security, is a community-driven non-profit organization responsible for the CIS Controls and the CIS Benchmarks. It provides standards and best practices for IT security. For example, you can find security configuration recommendations for Docker, Microsoft Azure, Zoom (which we’ll also cover soon in Resmo!) and of course, AWS.

The important point is that the benchmarks are recommendations, not mandatory requirements that you must comply with. Companies use them to check key security configurations. Solutions like Resmo automate these CIS benchmark recommendations and make sure you know when you violate one. They are also a great way to show your customers your security efforts, especially when combined with automation.

What is the AWS CIS Benchmark?

The AWS CIS Benchmark is free to download from the official CIS website. CIS and AWS teams have worked on it since 2015. You can download it from CIS or from AWS’s own website; AWS also offers a detailed whitepaper covering the details and the different profile levels (Level 1 and Level 2). At the time of writing, the current version is 1.4.0. The exact name of the benchmark is CIS Amazon Web Services Foundations Benchmark. It’s called “Foundations” because its recommendations focus on foundational areas of an AWS account, including:

  • Identity and Access Management

This area covers IAM, AWS’s gateway to every other service and to the outside world. Identities, accounts, organizations, users and all the critical access-control configurations (root account usage, MFA, the password policy, access key rotation) are covered in this part.

  • Logging

AWS, as in the Well-Architected Framework, wants you to make sure that logging is enabled at every level. CloudTrail, AWS Config, KMS key rotation and VPC Flow Logs are covered in this section.

  • Monitoring

Monitoring in this guide is about CloudWatch and CloudTrail together: CloudTrail events are delivered to CloudWatch Logs, where metric filters and alarms must be configured to catch security-relevant activity such as root account usage or IAM policy changes and notify someone through SNS.

  • Networking

Networking is a deep topic, but fundamentally every AWS account uses VPC, so this section wants to make sure you don’t make rookie mistakes such as a security group or network ACL that exposes everything to the internet.

AWS services covered in this benchmark are AWS Identity and Access Management (IAM), AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon VPC (including the default VPC and its default security group). These are fundamental services DevOps engineers use every day, and their security is fundamental for running anything on AWS.
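To make the four areas above concrete, here is an added example (not code from this post, from Resmo, or from CIS) that evaluates one or two recommendations from each area the way an automated checker would. It runs entirely offline: the inputs are constructed dicts shaped like the boto3 responses of get_account_password_policy, list_access_keys, describe_trails, describe_metric_filters, describe_alarms and describe_security_groups, not data from a real account, and the recommendation numbers in the messages follow version 1.4.0 as read for this example, so confirm them against the published benchmark before quoting them to a customer.

```python
"""Offline checks in the style of the CIS AWS Foundations Benchmark.
Inputs are constructed dicts shaped like boto3 responses, so no AWS access is needed.
Recommendation numbers follow v1.4.0 as read for this example; confirm them against the PDF."""
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)  # fixed clock so key ages are reproducible

# Constructed sample environment (not a real account), deliberately non-compliant in places.
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "PasswordReusePrevention": 5}
ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
]
TRAILS = [{"Name": "main", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}]
METRIC_FILTERS = [{
    "filterName": "RootUsage",
    "filterPattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }',
    "metricTransformations": [{"metricNamespace": "CISBenchmark", "metricName": "RootUsageCount"}],
}]
ALARMS = [{"AlarmName": "root-usage", "Namespace": "CISBenchmark", "MetricName": "RootUsageCount",
           "AlarmActions": []}]  # the alarm exists but has no SNS action, so nobody is notified
SECURITY_GROUPS = [
    {"GroupId": "sg-0a", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
]

def check_password_policy(policy):
    """1.8 / 1.9: minimum length of 14 and reuse prevention of the last 24 passwords."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("1.8 password policy minimum length is below 14")
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append("1.9 password policy allows reuse within the last 24 passwords")
    return findings

def check_access_key_age(keys, now=NOW, max_age_days=90):
    """1.14: active access keys must have been rotated within the last 90 days."""
    return [f"1.14 {k['UserName']} key {k['AccessKeyId']} is {(now - k['CreateDate']).days} days old"
            for k in keys
            if k["Status"] == "Active" and (now - k["CreateDate"]).days > max_age_days]

def check_cloudtrail(trails):
    """3.1 / 3.2: a trail covers all regions and every trail validates its log files."""
    findings = []
    if not any(t["IsMultiRegionTrail"] for t in trails):
        findings.append("3.1 no CloudTrail trail is enabled in all regions")
    findings += [f"3.2 trail {t['Name']} has log file validation disabled"
                 for t in trails if not t["LogFileValidationEnabled"]]
    return findings

def check_root_usage_alarm(filters, alarms):
    """4.3: a metric filter matches root usage and its metric has an alarm that notifies someone."""
    root = [f for f in filters if '$.userIdentity.type = "Root"' in f["filterPattern"]]
    if not root:
        return ["4.3 no CloudWatch metric filter for root account usage"]
    metrics = {(m["metricNamespace"], m["metricName"])
               for f in root for m in f["metricTransformations"]}
    alarmed = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not alarmed:
        return ["4.3 root usage metric has no CloudWatch alarm"]
    if not any(a["AlarmActions"] for a in alarmed):
        return ["4.3 root usage alarm has no action, so no SNS topic is notified"]
    return []

def check_security_groups(groups, admin_ports=(22, 3389)):
    """5.2: no world-open ingress to admin ports; 5.3: the default SG carries no rules at all."""
    findings = []
    for g in groups:
        if g["GroupName"] == "default" and (g.get("IpPermissions") or g.get("IpPermissionsEgress")):
            findings.append(f"5.3 default security group {g['GroupId']} does not restrict all traffic")
        for p in g.get("IpPermissions", []):
            if p["IpProtocol"] not in ("tcp", "-1"):  # admin ports are TCP; "-1" means all traffic
                continue
            cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
            if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                continue  # only 0.0.0.0/0 and ::/0 count as "the internet" here
            lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)  # ports are absent for "-1"
            for port in (x for x in admin_ports if lo <= x <= hi):
                findings.append(f"5.2 {g['GroupId']} ({g['GroupName']}) allows port {port} from the internet")
    return findings

def run_all():
    """Return every finding for the constructed sample environment."""
    return (check_password_policy(PASSWORD_POLICY) + check_access_key_age(ACCESS_KEYS)
            + check_cloudtrail(TRAILS) + check_root_usage_alarm(METRIC_FILTERS, ALARMS)
            + check_security_groups(SECURITY_GROUPS))

if __name__ == "__main__":
    print("\n".join("FAIL " + f for f in run_all()) or "all checks passed")
```

Run against the sample data, the script reports six findings: the password policy fails both length and reuse rules, bob's 200-day-old key needs rotation, no trail is multi-region, the root-usage alarm has no SNS action (a common gap: the metric filter and alarm exist but page nobody), and the web security group exposes SSH to the internet. In a real collector each constant at the top would be replaced by the corresponding boto3 call, and the root-usage check is deliberately lenient about the exact filter pattern because the benchmark tolerates equivalent patterns; a stricter tool would compare the full expression.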

How do we automate AWS CIS checks?

AWS offers several services for cloud security and compliance, such as AWS Config, AWS Audit Manager and AWS Security Hub, the last of which ships a built-in CIS AWS Foundations Benchmark standard. Customers can combine them to run the checks. Other, usually easier and cheaper, alternatives like Resmo exist and can also automate CIS checks. The advantage is that they cover CIS and other frameworks across many services, so you can see everything in one place.

