CIS Hardened Images FAQ

CIS offers hardened images via several of the major cloud computing vendors. CIS Hardened Images are securely configured according to applicable CIS Benchmarks.

What are CIS Hardened Images?

CIS Hardened Images are virtual machine images which have been configured to secure standards, based upon CIS Benchmarks that are collaboratively developed and used by thousands worldwide.

Where are CIS Hardened Images offered?

CIS Hardened Images are now available through Amazon Web Services (AWS Marketplace, AWS GovCloud, and AWS IC), Google Cloud Platform (GCP) and Microsoft Azure (Azure Marketplace and Azure Government Marketplace).

Are there Free Trials for CIS Hardened Images?

Free trials are available in AWS Marketplace for the following CIS Hardened Images: Amazon Linux 2, CentOS Linux 7, Microsoft Windows Server 2016, Microsoft Windows Server 2016 STIG, Red Hat Enterprise Linux 7, and Ubuntu Linux 18.04. Navigate to AWS Marketplace to try one today.

How are CIS Hardened Images created?

Each CIS Hardened Image is configured to follow the recommendations outlined in its corresponding Benchmark. CIS-CAT Pro Assessor is run to ensure that all appropriate settings are applied for proper conformance to that Benchmark.

Each CIS Hardened Image contains the final CIS-CAT Pro Assessor report to illustrate the hardened image’s compliance with the Benchmark. The report will also be accompanied by a README text file that includes any exceptions necessary for that hardened image to run in the cloud. If any setting in the CIS-CAT Pro Assessor report is identified as “Fail”, there will be an explanation in the exceptions file providing justification as to why that is.

Please note, CIS Hardened Images are configured using local group policy. If your intention is to use these images in a domain environment where policies are managed globally, the majority of our security settings will be changed and managed by your domain policies.

What is the difference between using CIS Hardened Images and utilizing a base image on a cloud platform and applying the corresponding Benchmark?

From a technical perspective, you could utilize a base image and use our CIS Build Kits to harden that base image. The most notable differences are in the overall time and resource allocation of your organization to persist in that effort. Additionally, CIS offers expertise in hardening each image with due care while including the necessary exceptions for that image to run correctly relative to each respective cloud platform.

How are the CIS Hardened Images accessed?

CIS Hardened Images are accessed according to the cloud platforms through which they are available. Each platform provides their own instructions associated with accessing their solutions. Please follow the cloud platform specific guidelines to ensure proper connectivity.

How often are CIS Hardened Images updated?

CIS Hardened Images for Microsoft Windows are updated each month in alignment with the Microsoft patch schedule. A new hardened image will be released with a new versioning number to indicate the update completion.

CIS Hardened Images for Linux are updated every month incorporating applicable operating system and software patches.

New versions of CIS Hardened Images (regardless of their OS) will be developed and made available on each platform any time there is a major or minor update to the corresponding CIS Benchmark itself. Additionally, that CIS Benchmark assessment content will be included in CIS-CAT Pro Assessor.

How are new versions and updates visually represented for each CIS Hardened Image?

Each CIS Hardened Image is accompanied by its version number. The version number is
representative of updates made or new releases of a particular image. Below is an example of the CIS Hardened Image versioning.

What steps should be taken when CIS Hardened Images are updated?

Following an update, two options are available in order to ensure compliance with the secure configurations.

1. Migrate to the newest version of the CIS hardened image available in your cloud provider marketplace. Please reference your cloud provider documentation for specific steps. The migration of your applications will be up to your organization. Some organizations can do this through code deployment that they have developed and maintained. Others manually reinstall applications depending on their internal process and procedure.
2. Run the OS updates on your hardened image. Then reference the corresponding CIS Benchmark and apply the new security settings manually that are located in the change log

In the AWS Marketplace, how do I know I am using the most up to-date CIS Hardened Image?

CIS Hardened Images help you save time and money on hardware purchasing, software licensing, and maintenance. CIS has now made it easy for you to verify that you are using the latest released Amazon Machine Image (AMI) for a particular CIS Benchmark.

Python script for CIS AMIs

In the AWS Marketplace, are CIS Hardened Images available in all instance types?

If a particular instance type is applicable to the version of the OS that is running on the hardened image, it should be available. If you are in search of a specific instance type and do not see that offering available, please visit our support portal.

How can I connect via ssh to my CIS EC2 (AWS) instance?

Please see this page  for information on how to connect via SSH. Note that the default username is based on the AMI that was used to launch the instance.

Can CIS Hardened Images help with DoD Security Technical Implementation Guide (STIG) compliance?

With a CIS STIG Hardened Image, you can rely on CIS Benchmarks and Hardened Images for Department of Defense (DoD) STIG compliance. The CIS STIG Benchmark recommendations map the existing Level 1 and 2 profiles of the Benchmark to the STIG where applicable, and includes a Level 3 (STIG) profile to expand recommendations to support the STIG.

Guidance from the DoD indicates CIS Benchmarks can be utilized in place of STIGs. The DoD Cloud Computing Security Requirements Guide (SRG), version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.”

To simplify the use of CIS Hardened Images for STIG conformance, each CIS STIG Hardened Image includes a report for the few CIS and STIG recommendations that were not applied to the Image.

The STIG compliant CIS Hardened Image will be updated on a monthly cadence to include operating system patches and any major or minor updates to the STIG Benchmark.