Secure Your Infrastructure with AWS CIS Benchmarks

by Hannah Grace Holladay / October 17th, 2022

Amazon Web Services (AWS) is the most widely used cloud platform. It offers hundreds of networking, storage, compute, and managed cloud services, each of which helps organizations to build robust and reliable IT infrastructure without the need to manage data centers and physical hardware. 

However, AWS’s richness and complexity can be challenging to configure and administer to maximize security, privacy, and compliance. This is a particular problem for organizations lacking cloud security expertise. They can deploy cloud infrastructure and services, but struggle to secure them. 

AWS CIS Benchmarks provide guidance and recommendations that help organizations to take a systematic, targeted, and effective approach to securing cloud infrastructure. Because CIS Benchmark recommendations map to information security and privacy regulations and standards, they also help organizations to achieve compliance. 

What are AWS CIS Benchmarks?

AWS CIS Benchmarks are platform-specific security recommendations published by the Center for Internet Security and developed by CIS members in a consensus-driven process. CIS membership comprises major cloud providers such as Amazon and Microsoft, as well as corporations, government agencies, and educational institutions. 

AWS CIS Benchmarks provide a secure configuration baseline agreed on by security experts from around the industry. AWS is complex and, as we’ve written before, most cloud security incidents and data leaks result from misconfiguration. As the cliché goes, cloud users don’t know what they don’t know—the AWS CIS Benchmarks provide the knowledge organizations need in a comprehensive and actionable format.

The CIS publishes Benchmarks focused on many technologies and platforms, including cloud providers Microsoft Azure and Google Cloud Platform. This article focuses on Benchmarks targeting AWS and its services. We discussed CIS Benchmarks more generally in What Are CIS Benchmarks?

How Are AWS CIS Benchmarks Structured?

AWS Benchmark documents comprise a series of prescriptive configuration recommendations designed to optimize security and defend against common attacks. Each recommendation follows a format that includes:

  • A concise title.
  • An assessment status indicating whether the recommendation’s implementation can be automated.
  • A detailed description of the configuration setting and its recommended value.
  • A rationale explaining the reason for the recommendation and its importance.
  • An audit procedure detailing how to determine if a system complies with the recommendation.
  • A remediation procedure to bring the system into compliance.

CIS publishes several benchmarks relevant to AWS, but organizations typically start with CIS Amazon Web Services Foundations Benchmark. The AWS Foundations Benchmark is ideal for configuring an AWS environment with a strong security baseline. It provides recommendations for AWS services used by the majority of organizations, including:

  • AWS Identity and Access Management (IAM)
  • AWS Config
  • AWS CloudTrail
  • AWS Simple Notification Service (SNS)
  • AWS Simple Storage Service (S3)
  • Elastic Compute Cloud (EC2)
  • Relational Database Service (RDS)
  • AWS VPC

The Foundations Benchmark provides recommendations that fall into two profiles: Level 1 and Level 2. Level 1 details basic security recommendations that are straightforward to implement with limited impact on the service’s usefulness. Level 2 extends Level 1 with recommendations suited to environments with more stringent security requirements, such as those storing sensitive data. 

In addition to the Foundations Benchmark, CIS publishes Benchmarks that cover other AWS services and use scenarios. These include:

  • CIS AWS End User Compute Services Benchmark: Covers AWS services that include WorkSpaces, WorkDocs, and AppStream, among others.
  • CIS Amazon Web Services Three-tier Web Architecture Benchmark: Extends the Foundations Benchmark with recommendations for web architectures hosted on VPCs.
  • CIS Amazon Linux 2 Benchmark: Provides recommendations for securely configuring the Amazon Linux 2 distribution.
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark: Provides recommendations for securing EKS.

8 AWS CIS Standards You Should Know

The CIS Amazon Web Services Foundations Benchmark is a substantial document with dozens of recommendations. To give you some idea of the type of recommendations, we’d like to highlight and briefly explain eight of the most important for organizations working to secure their AWS environment. 

1. Eliminate use of the ‘root’ user for administrative and daily tasks

The AWS root account has access to all AWS services. It can add and remove users, deploy any infrastructure, and view any data. The root account is useful when initially setting up an AWS account, but it poses a significant security risk and should not be used for day-to-day management. Avoid using the root account wherever possible, and do not share its credentials. 

2. Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Enabling IAM multi-factor authentication prevents bad actors from authenticating if passwords are leaked or shared. AWS supports numerous multi-factor authentication methods, including smartphone apps and dedicated MFA devices. 

3. Ensure all S3 buckets employ encryption-at-rest

Data stored in Amazon S3 buckets should be encrypted to prevent unauthorized access to sensitive data. Encryption ensures that data will not be readable to an attacker, even if they manage to circumvent other security precautions. 

The CIS Amazon Web Services Foundations Benchmark also recommends enabling encryption for Elastic Block Storage (EBS), Relational Database Service (RDS), and Elastic File System (EFS). 

4. Ensure that S3 Buckets are configured with ‘Block public access’

S3 buckets can be configured to allow access to anyone without requiring authentication. Although this is occasionally useful when serving data to the public, accidentally or negligently configuring public availability is a major cause of data leaks. Ensure that all S3 buckets block public access unless you are confident public access is safe and necessary. 

5. Ensure CloudTrail is enabled in all regions

AWS CloudTrail is a logging service that records the API calls made in your AWS account and delivers them as log files. Administrators can use the logs to monitor AWS usage for unexpected patterns, identify possible attacks, and create an audit trail for compliance auditing. Enabling CloudTrail in every region, not just the ones you actively use, is essential to gaining visibility into how your AWS environment is used and by whom. 

6. Ensure CloudTrail trails are integrated with CloudWatch Logs

CloudWatch is a monitoring service that uses data, including CloudTrail logs, to provide analysis and actionable insights into your AWS infrastructure. Integrating CloudTrail logs with CloudWatch allows users to detect unusual behavior, analyze and visualize data, and create alarms and alerts for anomalous events. 

7. Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Network Access Control Lists provide a stateless firewall that allows AWS users to filter traffic coming into and out of their cloud environment. Blocking unrestricted access to server administration ports such as SSH’s port 22 prevents bad actors from attempting to interact with those services and circumvent their security. 

The AWS Benchmarks include a similar recommendation for Security Groups, another of AWS’s firewall services: “Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports.”

8. Ensure the default security group of every VPC restricts all traffic

When AWS users launch an EC2 instance within a Virtual Private Cloud without specifying a security group, it is associated with the VPC’s default security group. The default security group’s initial configuration denies inbound traffic from outside the group but allows all outbound traffic and all traffic between instances that share the group. This is not the optimal security configuration, and the Benchmarks recommend removing every inbound and outbound rule from the default security group so that it denies all ingress and egress, with instances attached to purpose-built groups instead. 
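To make the audit side of recommendations 7 and 8 concrete, here is an added Python example (it is not the article’s or CIS’s code) that evaluates both checks offline over constructed input shaped like the responses of boto3’s describe_network_acls and describe_security_groups; the ACL and group ids and the CIDR ranges are placeholders. It goes a step beyond the CIS audit text by honouring Network ACL rule ordering, so a world-wide deny that precedes an allow-all is treated as closing the port.

```python
# Added example (not from the article): offline audit helpers for CIS items 7 and 8, run over
# constructed dicts shaped like boto3 describe_network_acls / describe_security_groups output.
ADMIN_PORTS = (22, 3389)        # remote server administration ports named by CIS
WORLD = ("0.0.0.0/0", "::/0")   # "anywhere" source ranges

def entry_matches(entry, port):
    """Does a NACL entry apply to TCP traffic on `port`? Protocol "-1" means all, "6" is TCP."""
    proto = str(entry.get("Protocol", "-1"))
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return proto == "-1" or (proto == "6" and rng["From"] <= port <= rng["To"])

def world_open_admin_ports(acl):
    """Admin ports an arbitrary Internet source can reach through this NACL. Rules apply in
    ascending RuleNumber and the first match wins, so the first world-wide rule matching the
    port decides; a narrower deny above it only excludes some sources, not the rest of the world."""
    inbound = sorted((e for e in acl["Entries"] if not e["Egress"]), key=lambda e: e["RuleNumber"])
    open_ports = []
    for port in ADMIN_PORTS:
        for e in inbound:
            if (e.get("CidrBlock") or e.get("Ipv6CidrBlock")) in WORLD and entry_matches(e, port):
                if e["RuleAction"] == "allow":
                    open_ports.append(port)
                break                       # first world-wide match decides this port
    return open_ports

def default_sg_violations(sg):
    """CIS: a VPC's default security group must carry no inbound and no outbound rules."""
    if sg["GroupName"] != "default":
        return []
    return [d for d, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress"))
            if sg.get(key)]

def _rule(num, action, cidr, proto="6", port=None):    # builder for the constructed sample
    e = {"RuleNumber": num, "RuleAction": action, "CidrBlock": cidr, "Protocol": proto, "Egress": False}
    if port is not None:
        e["PortRange"] = {"From": port, "To": port}
    return e

SAMPLE_ACL = {"NetworkAclId": "acl-example", "Entries": [   # constructed, ids are placeholders
    _rule(90, "deny", "203.0.113.0/24", port=22),    # excludes one range only
    _rule(100, "allow", "0.0.0.0/0", port=22),       # world-open SSH: finding
    _rule(110, "deny", "0.0.0.0/0", port=3389),      # shadows the allow-all below for RDP
    _rule(120, "allow", "0.0.0.0/0", proto="-1"),
    _rule(32767, "deny", "0.0.0.0/0", proto="-1")]}
SAMPLE_SG = {"GroupName": "default", "GroupId": "sg-example",   # constructed: AWS factory default
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-example"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
if __name__ == "__main__":
    print("world-open admin ports:", world_open_admin_ports(SAMPLE_ACL))  # [22]
    print("default SG violations:", default_sg_violations(SAMPLE_SG))     # ['inbound', 'outbound']
```

Feeding real describe_network_acls and describe_security_groups responses to the two functions reproduces the Benchmark’s audit steps; an empty list from both is the compliant result.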

Verify Your AWS Environment Conforms To CIS AWS Benchmarks

KirkpatrickPrice’s cloud security audits will help your organization to understand the security and compliance status of its AWS environment. Our cloud audit framework is based on the CIS Benchmarks, and experienced AWS Certified Cloud Practitioners carry out all audits. Contact a cloud security specialist to learn more.