CIS Hardened Images FAQ

CIS Hardened Images provide users with a secure, on-demand, and scalable computing environment. They are securely configured according to applicable CIS Benchmarks and are available through several of the major cloud service provider (CSP) marketplaces.


What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images that have been pre-configured to the CIS Benchmarks. These secure standards are developed through a consensus process and used by thousands of organizations worldwide.

How are CIS Hardened Images created?

Each CIS Hardened Image is configured to follow the recommendations outlined in its corresponding Benchmark. CIS-CAT Pro Assessor is run on the image to ensure that all applicable settings are properly configured to that Benchmark.

Each CIS Hardened Image contains the final CIS-CAT Pro Assessor report to illustrate the Hardened Image’s compliance with the Benchmark. The report is accompanied by a README text file that includes any exceptions necessary for that Hardened Image to run in the cloud. If any setting in the CIS-CAT Pro Assessor report is identified as “Fail,” there will be an explanation in the exceptions file providing justification.

Please note: CIS Hardened Images are configured using local group policy. If your intention is to use these images in a domain environment where policies are managed globally, the majority of our security settings will be changed and managed by your domain policies.

How are the CIS Hardened Images accessed?

CIS Hardened Images are accessed according to the cloud platforms through which they are available. Each platform provides its own instructions associated with accessing its solutions. Please follow the cloud platform specific guidelines to ensure proper connectivity.

Are there free trials for CIS Hardened Images?

Free trials are available in AWS Marketplace for the following CIS Hardened Images: CentOS Linux 7, Microsoft Windows Server 2016, Microsoft Windows Server 2016 STIG, Red Hat Enterprise Linux 7, and Ubuntu Linux 18.04. Navigate to AWS Marketplace to try one today.


Where are CIS Hardened Images offered?

CIS Hardened Images are available through Amazon Web Services (AWS Marketplace including the AWS GovCloud (U.S.) region and AWS for the U.S. Intelligence Community), Google Cloud Platform (GCP) Marketplace, Microsoft Azure (Azure Marketplace and Azure Government Marketplace), and Oracle Cloud Marketplace.

In the AWS Marketplace, how do I know I am using the most up-to-date CIS Hardened Image?

CIS has now made it easy for you to verify that you are using the latest released Amazon Machine Image (AMI) for a particular CIS Benchmark.

Python script for CIS AMIs

If you do not use a script to automatically identify when a new Image is available, you can expect updates to occur once a month as a rule of thumb.

In the AWS Marketplace, are CIS Hardened Images available in all instance types?

If a particular instance type is applicable to the version of the operating system (OS) that is running on the CIS Hardened Image, it should be available. If you are searching for a specific instance type and do not see that offering available, please visit our support portal.

How can I connect via SSHto my CIS EC2 (AWS) instance?

Please see this AWS documentation for information on how to connect via SSH. Note that the default username is based on the AMI that was used to launch the instance.


Can CIS Hardened Images help with Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) compliance?

Yes! Guidance from the DoD indicates CIS Benchmarks can be utilized in place of STIGs. The DoD Cloud Computing Security Requirements Guide (SRG), version 1, Release 3 states:

  • “Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Bbenchmarks are an acceptable alternative to the STIGs and SRGs.”

With a CIS STIG Hardened Image, you can rely on CIS STIG Benchmarks recommendations to help meet DISA STIG compliance. The CIS STIG Benchmarks recommendations map the existing Level 1 and 2 profiles of the Benchmark to the STIG where applicable, and they include a Level 3 (STIG) profile to expand recommendations to support the STIG.

To simplify the use of CIS Hardened Images for STIG conformance, each CIS STIG Hardened Image includes a report for the few CIS and STIG recommendations that were not applied to the Image.

The CIS STIG Hardened Images will be updated monthly to include OS patches and any major or minor updates to the STIG Benchmarks.


How often are CIS Hardened Images updated?

CIS Hardened Images are updated on a monthly basis. Each new CIS Hardened Image will be released with a new versioning number to indicate the update has been completed. New versions of CIS Hardened Images will be developed and made available on each platform any time there is an update to the corresponding CIS Benchmark itself.

How are new versions and updates visually represented for each CIS Hardened Image?

Each CIS Hardened Image is accompanied by its version number. The version number is representative of updates made or new releases of a particular image. Below is an example of the CIS Hardened Image versioning.

CIS Benchmarks versions

What steps should be taken when CIS Hardened Images are updated?

Following an update, two options are available in order to ensure compliance with the secure configurations.

  • Migrate to the newest version of the CIS Hardened Image available in your cloud provider marketplace. Please reference your cloud provider documentation for specific steps. The migration of your applications will be up to your organization. Some organizations can do this through code deployment that they have developed and maintained. Others manually reinstall applications depending on their internal process and procedure.
  • Run the OS updates on the current version of your Hardened Image. Then reference the corresponding CIS Benchmark and apply the new security settings manually that are located in the change log.