CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0 - AWS Audit Manager


AWS Audit Manager provides two prebuilt frameworks that support the CIS AWS Foundations Benchmark v1.3:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and 2

Note

For information about CIS AWS Foundations Benchmark v1.2.0, and the AWS Audit Manager frameworks that support this version of the benchmark, see CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0.

What is CIS?

The Center for Internet Security (CIS) developed the CIS AWS Foundations Benchmark v1.3.0, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available in that they provide AWS users with clear, step-by-step implementation and assessment procedures.

For more information, see the CIS AWS Foundations Benchmark blog posts on the AWS Security Blog.

CIS AWS Foundations Benchmark v1.3.0 provides guidance for configuring security options for a subset of AWS services, with an emphasis on foundational, testable, and architecture-agnostic settings. The AWS services in scope for the benchmark include the following:

  • AWS Identity and Access Management (IAM)

  • AWS Config

  • AWS CloudTrail

  • Amazon CloudWatch

  • Amazon Simple Notification Service (Amazon SNS)

  • Amazon Simple Storage Service (Amazon S3)

  • Amazon Virtual Private Cloud (default)

Difference between CIS Benchmarks and CIS Controls

The CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a benchmark protect the systems that your organization uses. The CIS Controls are foundational best practice guidelines for your organization to follow to help protect against known cyberattack vectors.

Examples
  • CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS Amazon Web Services Foundations Benchmark v1.3.0 - 1.5 Ensure MFA is enabled for the "root user" account

    This recommendation provides prescriptive guidance on how to audit the setting and how to enable MFA on the root user of the AWS account.

  • CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.

    Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    This control describes what's expected to be applied within your organization, but not how you should apply it for the systems and workloads that you're running (regardless of where they are).

Using these frameworks to support your audit preparation

You can use the CIS AWS Foundations Benchmark v1.3 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.

Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that's relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources based on the controls that are defined in the CIS framework. When it's time for an audit, you, or a delegate of your choice, can review the evidence that Audit Manager collected. You can either browse the evidence folders in your assessment and choose which evidence to include in your assessment report, or, if you enabled evidence finder, search for specific evidence and export it in CSV format or create an assessment report from your search results. Either way, you can use the assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager: CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1

  Number of automated controls: 33
  Number of manual controls: 5
  Number of control sets: 6
  AWS services in scope:
    • Amazon CloudWatch
    • Amazon Elastic Compute Cloud
    • AWS Config
    • AWS CloudTrail
    • AWS Identity and Access Management
    • AWS Security Hub

Framework name in AWS Audit Manager: CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and 2

  Number of automated controls: 49
  Number of manual controls: 6
  Number of control sets: 6
  AWS services in scope:
    • Amazon Elastic Compute Cloud
    • Amazon CloudWatch
    • AWS CloudTrail
    • AWS Config
    • AWS Identity and Access Management
    • AWS Security Hub

Tip

To review a list of the AWS Config rules that are used as data source mappings for these standard frameworks, download the following files:

The controls in these frameworks aren't intended to verify if your systems are compliant with the CIS standard. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find these frameworks under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment.

When you use the Audit Manager console to create an assessment from these standard frameworks, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the CIS Benchmarks. If you need to edit the list of services in scope for these frameworks, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

For instructions on how to customize these frameworks to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More CIS resources