3 Ways to Use CIS Cloud Security Resources on the AWS Cloud

It’s obvious that the remote capabilities of the modern day office have transformed permanently. Most organizations will see an increase in hybrid remote work, which means utilizing the public cloud is critical. Customer security in the cloud remains an important part of that growth. The Center for Internet Security (CIS), in conjunction with Amazon Web Services (AWS), continues to enhance security for the AWS Cloud since 2015.

As most security professionals know, the AWS shared responsibility model is a key resource to learn how to implement cloud security. This model makes it easy to understand the role cloud consumers play in protecting their unique AWS environments. Once you understand what security actions you should take, your next step is to rely on independent security tools to implement those actions. CIS security best practices can help organizations achieve cloud security from the customer’s side of the responsibility model. Keep reading to learn about three key cloud security resources from CIS.

1. Prevent Common Cyber-Attacks with CIS Controls

To get a baseline of understanding of security at your organization, your first step should be to assess your overall cyber hygiene. Measuring your organization against a security best practice, such as the CIS Controls, will help you take stock of your cybersecurity health.

The CIS Controls are a free, internationally-recognized set of cybersecurity best practices. Prioritized and prescriptive in nature, they are the definition of “how” to achieve an effective cybersecurity program; they serve as a starting point for organizations seeking to improve their cyber defense.

For organizations in the cloud to use CIS Controls, CIS offers the CIS Controls Cloud Companion Guide. The guide outlines four types of as-a-service cloud environments and maps them to the CIS Controls: Infrastructure as a Service (IaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Function as a Service (FaaS).

The guide also examines unique risks (vulnerabilities, threats, consequences, and security responsibilities) to cloud environments. These risks drive the priority of enterprise security requirements (e.g., availability, integrity, and confidentiality of data).

The CIS Controls Cloud Companion Guide helps consumers apply the CIS Controls to their cloud environment. It’s an essential starting point for those who wish to conduct a security improvement assessment. In addition to the free PDF guide, CIS provides a downloadable spreadsheet to track conformance to these recommendations.

Download the CIS Controls Cloud Companion Guide

2. Consensus-based Cloud Security Guidance

The second resource CIS offers to help organizations meet their portion of the AWS shared responsibility model for cloud security are the CIS Benchmarks. These guides contain prescriptive guidance to secure configurations for various technologies, including a subset of AWS Cloud services and account-level settings. There is an emphasis on foundational, testable, and architecture agnostic settings. Best practice configuration guides for AWS include the CIS AWS Foundations Benchmark, CIS Amazon Linux 2 Benchmark, and service-based guidance like the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark and the AWS End User Compute Benchmark.

To develop these and other CIS Benchmarks, the participation of subject matter experts and technology vendors is essential. AWS is an active participant, along with other volunteer members of the CIS Communities. The insight AWS provides for the CIS AWS Benchmarks is invaluable to their success. As with any CIS Benchmark, the community for that technology comes to consensus on what to include.

New versions of CIS Benchmarks for AWS include the following updates:

  • Changed multiple recommendations referring to password complexity and expiration, as well as access key rotation to align with current NIST (and CIS) guidance.
  • Reordered Identity and Access Management (IAM) section to align with the AWS Console interface, making it easier for users to audit and implement recommendations.
  • Added recommendations to ensure that Data-in-Transit and Data-at-Rest encryption are used to protect private and sensitive information.
Download the CIS AWS Foundations Benchmark

3. Secure Amazon Machine Images on AWS Cloud

While the foundations and service-based CIS Benchmarks help configure the cloud environment securely, CIS Hardened Images provide secure operating systems. CIS Hardened Images are built on base operating systems (OS). CIS pre-configures the security recommendations of the CIS Benchmarks into the OS. To utilize CIS Hardened Images, you can access them on AWS Marketplace. These VMs are available in all AWS Regions including the AWS GovCloud (US) Region.

Looking to learn more about the CIS Hardened Images available in the AWS Cloud? Check out our video to learn more.



In 2019, CIS became an Authority to Operate (ATO) on AWS launch partner. The ATO on AWS program highlights AWS Partner Network (APN) Partners that can help expedite the authorization process for common compliance frameworks. APN Partners in this program have access to both technical Security Automation and Orchestration (SAO) capabilities as well as direct engagement with highly qualified AWS compliance specialists. This accreditation validates the support that CIS provides to organizations to help them meet common compliance frameworks.

CIS is proud to be an APN Partner and provide independently developed resources to the cybersecurity community.