Security in the Cloud with More Automation
Hopefully, you’ve been working with the Center for Internet Security® (CIS®) on securing your cloud infrastructure for a while now. You might have started by using our CIS Benchmarks® and other no-cost resources to manually configure your operating systems (OSes) in the public cloud. More recently, you might have deployed CIS Hardened Images®. Pre-hardened to the CIS Benchmarks, these virtual machine (VM) images help you to avoid misconfigurations and stay secure against common cloud security threats.
We continue to make cloud security automation easier for you by releasing and refining CIS hardening components in EC2 Image Builder on Amazon Web Services (AWS).
Automation as a Pain Point
It can be time-consuming to spin up a VM and manually add your custom service/app, but it's even harder if you have dozens of different components or configuration templates you want to use. That's time and money you don't have to spend on manual configurations.
Our CIS hardening components help to customize and automate your image build pipeline, resulting in a personalized image tailored to your organization's policies and security compliance requirements. Let's take a look at the image creation process of EC2 Image Builder to understand how.
- You begin by subscribing to the CIS hardening component through AWS Marketplace.
- You use an OS base image to start your image customization. For proper functionality, the base image must be compatible with the associated CIS hardening component.
- Either with the AWS Console or AWS CLI, you use your source image in EC2 Image Builder and customize that image to your organizational needs. That could be adding applications like build environments, business productivity tools, and databases.
- You execute the CIS hardening component in EC2 Image Builder to secure your image to the CIS Benchmark Level 1 profile for that OS.
- Once you have the configurations you need for your golden image, you can go through the test phase in EC2 Image Builder to make sure the output image meets your criteria.
- A successful test phase means you can begin using the golden image across your organization.

From a resources perspective, the main benefit of the CIS hardening components is that they let you buy and not build. By "buy," we mean automatically configuring what you want. EC2 Image Builder works by adjusting your image to your desired criteria in an automated way. As a result, you can build a golden image more efficiently and with fewer errors while saving time and money.
Rollout of the CIS Hardening Components
We're rolling out the CIS hardening components for EC2 Image Builder in two phases.
Phase 1: General Availability
You can now start with a Linux or Windows image in EC2 Image Builder's pipeline to get access to the CIS hardening component for select OSes. This will happen automatically, as you won't be able to see or modify the CIS hardening components for these OSes on your end.
The components are available for the following images in AWS:
- Amazon Linux 2023 Level 1
- Microsoft Windows Server 2022 Level 1
The hardening to the Level 1 guidance will be completed with a few exceptions to ensure proper performance in a cloud environment. If you're a CIS SecureSuite® Member, you can use CIS-CAT® Pro to scan the image after the image pipeline has created your golden image and you've manually configured any necessary settings. You can also validate configuration management and drift by using existing licenses for certified tools from any of the wide range of CIS SecureSuite Product Vendor Members.
The CIS hardening components have pricing parity with the CIS Hardened Images. Pricing ranges from $0.02 to $0.06 per compute hour based on the instance size chosen. There's no additional cost for the flexibility of leveraging the Image Builder pipeline.
Phase 2: Additional Functionality
Acting in partnership with AWS, we're committed to understanding customer feedback as well as enhancing current functionality and expanding offers where appropriate. You can reach out with feedback or questions on the CIS hardening components through EC2 Image Builder at any time. Alternatively, you can raise feature requests directly to EC2 Image Builder on AWS.
Integration: A Key for Security in the Cloud
If you're looking to apply CIS security best practices to your workloads on AWS with more automation, you can use our CIS hardening components. With EC2 Image Builder, you can also leverage the broader AWS ecosystem for your cloud operations. It’s part of our ongoing commitment to become more closely integrated into cloud services and to make it easier for you to uphold your cloud security.
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.