CIS Hardened VMs on AWS Graviton2: Enhancing EC2 Security

The Center for Internet Security (CIS) now offers two CIS Hardened Images, Ubuntu Linux 20.04 and Amazon Linux 2, on AWS Graviton2 processors. Amazon Web Services (AWS) custom builds AWS Graviton processors using 64-bit Arm Neoverse cores. AWS Graviton2 processors deliver 40% better price performance compared to current generation x86-based instances. These hardened VMs are two of more than 35 CIS Hardened Images in AWS Marketplace.

AWS Graviton2 + CIS Hardened VMs = Quick, Secure Development

Developers building applications for the cloud rely on cloud infrastructure for security, speed, and optimal resource footprint. That’s why CIS builds hardened VMs – CIS Hardened Images – to provide enhanced security on Amazon Elastic Compute Cloud (Amazon EC2) instances. CIS configures the Amazon Machine Image (AMI) to CIS Benchmark standards. A community of cybersecurity experts develops these internationally-recognized secure configuration guidelines.

In addition to the hardening from CIS, AWS Graviton2 processors feature key capabilities that enable developers to run cloud native applications securely. Examples include the always-on 256-bit DRAM encryption and 50% faster per core encryption performance compared to first-generation AWS Graviton.

VMs Hardened to CIS Benchmarks

CIS Hardened Images are built to the consensus-based secure configuration guidelines of the CIS Benchmarks. The CIS Benchmarks include more than 100 configuration guidelines across 25+ vendor product families. They’re designed to safeguard endpoint devices and systems against today’s evolving cyber threats. In addition to global recognition, CIS Benchmarks are the only configuration guidelines both developed and accepted by government, business, industry, and academia.

Many compliance frameworks recognize CIS Benchmarks as an acceptable standard to provide evidence of compliance. These include NIST, HIPAA, PCI DSS, FedRAMP, DoD Cloud Computing SRG, and STIGs. Because CIS builds these hardened VMs to CIS Benchmark standards, this recognition also applies to CIS Hardened Images.

CIS Benchmarks are available as free PDF downloads for manual self-configuration of systems and applications.

Help Fulfill the Shared Security Responsibility with Hardened VMs

It’s crucial to use third-party security tools to keep your cloud infrastructure secure. This is because you, the cloud consumer, are solely responsible for securing a portion of your cloud environment. Your responsibilities change depending on which services your organization uses, which is why it’s important to understand the AWS Shared Security Responsibility Model. In short, the consumer is responsible for security “in” the cloud; AWS is responsible for security “of” the cloud. For example, Amazon EC2 instances are an Infrastructure as a Service (IaaS) environment. As such, they require the customer to perform all of the necessary security configuration and management tasks. Customers manage the guest OS (including updates and security patches) on their Amazon EC2 instances.

At $0.02 per compute hour, CIS Hardened Images make that management easier, more scalable, and quicker. These hardened VMs not only include the latest configurations from the CIS Benchmarks, but CIS also patches the Images regularly for vulnerabilities and OS updates. Within each hardened VM, CIS includes a CIS Benchmarks configuration assessment report from our assessment tool, CIS-CAT Pro. This provides the customer with an easily accessible and auditable report of every configuration in place on the CIS Hardened Image.

CIS Hardened Images for Ubuntu Linux 20.04 and Amazon Linux 2 built on AWS Graviton2 processors provide Amazon EC2 users with enhanced security and performance.