CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0 - AWS Audit Manager

CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0

To assist you with your audit preparation, AWS Audit Manager provides two prebuilt frameworks that support the CIS AWS Foundations Benchmark v1.2.0:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1 and 2

Note

A more recent version of the CIS AWS Foundations Benchmark is available. For more information about this version and the frameworks that support it, see CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0.

What is CIS?

The Center for Internet Security (CIS) is a nonprofit that developed the CIS AWS Foundations Benchmark. This benchmark serves as a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing you with clear, step-by-step implementation and assessment procedures.

For more information, see the CIS AWS Foundations Benchmark blog posts on the AWS Security Blog.

Difference between CIS Benchmarks and CIS Controls

CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the systems that are being used. CIS Controls are foundational best practice guidelines for an organization to follow to help protect themselves from known cyberattack vectors.

Examples

  • CIS Benchmarks are very prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 1.13 Ensure MFA is enabled for the "root user" account

    This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.

    Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    This control tells you what should be applied within your organization, but not how you should apply it for the systems and workloads that you're running (regardless of where they are).

Use AWS Audit Manager to support your CIS audit preparation

You can use the CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1 and CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0, Level 1 and 2 frameworks in AWS Audit Manager to prepare for CIS audits. The controls in these frameworks aren't intended to verify whether your systems are compliant with the CIS standard, and they can't guarantee that you will pass a CIS assessment. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find these frameworks under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment. For instructions on how to customize these frameworks to support your specific requirements, see Customizing an existing framework and Customizing an existing control.