New CIS AWS Benchmarks Help Secure Cloud Products and Services
Amazon Web Services (AWS) continues to expand with new cloud products and services. The Center for Internet Security (CIS) responded with more resources to help secure these capabilities in the AWS cloud. The Beginner’s Guide to Secure Cloud Configurations in AWS describes how users can secure their AWS cloud accounts, products, services, and more.
New Guidance from the CIS AWS Benchmarks Community
CIS called upon its network of volunteers to expand their guidance for the AWS Cloud. This effort resulted in CIS Benchmarks specific to AWS cloud products and services.
CIS honed its resources and did not create a CIS Benchmark for every unique service. Instead, CIS followed the lead of AWS, and grouped services by cloud product. AWS offers dozens of products, grouping cloud services based on the function they provide.
Understanding AWS Shared Cloud Security Responsibility
Security and Compliance are shared responsibilities between AWS and the customer. This shared model, the AWS Shared Responsibility Model, can help relieve the customer’s operational burden; AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS provided security group firewall.
Three Levels of CIS AWS Cloud Benchmarks
The guide presents the three CIS AWS Benchmark categories applicable to the cloud:
- CIS AWS Foundations Benchmark
- CIS End User Compute Services Benchmark
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks
Each Benchmark level provides an additional layer of security, starting with the CIS AWS Foundations Benchmark, and ends with securing virtual machines via CIS Hardened Images.
- CIS AWS Foundations Benchmark provide an account-level starting point for configuring securely for the AWS Cloud. These resources cover identity and access management, logging and monitoring, networking, etc. Download the free foundational guidance for AWS.
- Cloud Product-Level CIS Benchmarks provide product and service configuration guidance, and include areas such as compute, databases, storage, and containers. These CIS Benchmarks allow the user to choose the applicable cloud services and configure them according to their environment. The product-level CIS Benchmarks complement the CIS Foundations Benchmarks by providing an additional layer of security built into the cloud services used within the cloud account. The first release is the CIS AWS End User Compute Services Benchmark.
- Standalone Cloud Service CIS Benchmarks are specific to an AWS service that requires more extensive configuration guidance. In these cases, the product-level CIS Benchmark will have a section for the service, and will point to the standalone CIS Benchmark for the service.
CIS AWS End User Compute and Kubernetes Benchmarks
The first release of a cloud product-level CIS Benchmark is the CIS AWS End User Compute Services Benchmark. This includes configuration recommendations for Amazon WorkSpaces, Amazon WorkDocs, Amazon AppStream 2.0, and Amazon WorkLink. The user can choose the applicable services and configure them according to what’s running in their environment.
In some cases, the configurations needed for services warrants a CIS Benchmark specific to one cloud service. With this scenario, the product-level CIS Benchmark will include a section for the cloud service, but will point to a separate CIS Benchmark for the service. An example of the standalone cloud service CIS Benchmark is the CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks.
Download the CIS EKS Benchmark
Secure Configurations with CIS Hardened Images
A virtual image is a snapshot of a virtual machine (VM) that provides the same functionality as a physical computer. Virtual images reside on the cloud and enable users to cost-effectively perform routine computing operations without investing in local hardware and software.
Hardening is a process of limiting potential weaknesses that make systems vulnerable to cyber-attacks. More secure than a standard image, hardened virtual images help protect against malware, insufficient authorization, and remote intrusion.
Securely pre-configured CIS Hardened Images help organizations secure their operating systems in the cloud. CIS Hardened Images meet the requirements of the CIS Benchmarks, and are available on AWS Marketplace.
Additional Layers of Cloud Security
CIS works directly with AWS to identify the top used cloud products and services. We then use that information to inform the development plan for future CIS AWS Benchmarks.
All CIS AWS Benchmarks recommendations reference other guidelines and additional resources. With these cloud guides, CIS demonstrates the relationship between the CIS Benchmarks and AWS documentation. The intention is to inform the user of the guidance available from AWS both security and otherwise. This documentation helps the user recognize the responsibility AWS has, and is assisting with, when running the service.
The rapid pace of cloud expansion means that many more products and services are soon to come. CIS is working closely with AWS to stay ahead of developments. By doing so, we plan to bring timely and effective guidance at no cost to the global user community.