Advancing Hardened Systems in the AWS Cloud

Cloud security remains an ongoing challenge for organizations. In The State of Security 2022, four out of five respondents told Splunk that they don't fully understand their duties under the shared responsibility model, and slightly more (88%) said they have a difficult time maintaining clarity under that model. With this much uncertainty, an organization may assume that a particular security function is the cloud service provider's (CSP's) responsibility and leave it undone, increasing its risk of data exposure or another security incident in the cloud.

At the Center for Internet Security (CIS), we are well aware of these security challenges. That’s why we work with CSPs like Amazon Web Services (AWS) on an ongoing basis to help organizations achieve security in the cloud. Toward that end, CIS has produced one updated and one new CIS Benchmark to help them operate more securely.

Foundational AWS Cloud Security

The first release is CIS AWS Foundations Benchmark v1.5.0. It covers account-level security and provides recommendations for AWS Identity and Access Management (IAM), AWS IAM Access Analyzer, AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), and Amazon Virtual Private Cloud (VPC).

This updated CIS AWS Benchmark comes with the following changes:

  • Updates to multiple audit and remediation steps in accordance with AWS changes
  • Five new recommendations
  • Multiple updated MITRE mappings

The purpose of these modifications is to help organizations keep up with their evolving cloud security requirements as the technology and threat landscapes continue to change.

A New CIS Benchmark for Bottlerocket

The second release is the first-ever CIS Benchmark for Bottlerocket, a Linux distribution sponsored and supported by AWS for running container workloads. Today, containers are a growing area of focus for many cloud users, which drives demand for Linux distributions that are optimized for this use case.

AWS assisted CIS and our community of experts in the development of both the CIS Bottlerocket Benchmark v1.0.0 and the CIS AWS Foundations Benchmark. This CIS Benchmark for Bottlerocket includes both Level 1 and Level 2 configuration profiles to help organizations meet their unique security requirements. It also applies to all official releases of Bottlerocket, starting with version 1.9.0.

Cloud Security is an Ongoing Journey

CIS continues to actively work with AWS and other CSPs to advance the security interests of cloud users. In the meantime, we encourage users to download these new Benchmarks. Everyone can access them in PDF form for free, non-commercial use on the website; CIS SecureSuite Members can access the Benchmarks in Word, PDF, and Excel formats in CIS WorkBench. Finally, if you'd like to contribute to the guidance, you can join an individual CIS Benchmark Community.