CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0 - AWS Audit Manager

To assist you with your audit preparation, AWS Audit Manager provides two prebuilt frameworks that support the CIS AWS Foundations Benchmark v1.3:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and 2

Note

CIS AWS Foundations Benchmark v1.3.0 is the most recent version of this benchmark. Other CIS Benchmark versions are available.

For information about v1.2.0, and the AWS Audit Manager frameworks that support this version of the benchmark, see CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0.

What is CIS?

The Center for Internet Security (CIS) developed the CIS AWS Foundations Benchmark v1.3.0, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures.

For more information, see the CIS AWS Foundations Benchmark blog posts on the AWS Security Blog.

Difference between CIS Benchmarks and CIS Controls

The CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a benchmark protect the systems that are being used. The CIS Controls are foundational best practice guidelines for your organization to follow to help protect against known cyberattack vectors.

Examples

  • CIS Benchmarks are very prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS Amazon Web Services Foundations Benchmark v1.3.0 - 1.5 Ensure MFA is enabled for the "root user" account

    This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.

    Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    This control tells you what should be applied within your organization, but not how you should apply it for the systems and workloads that you're running (regardless of where they are).

Use AWS Audit Manager to support your CIS audit preparation

The CIS AWS Foundations Benchmark v1.3 frameworks in AWS Audit Manager are designed to help you prepare for CIS audits. They contain the following number of controls:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and 2 contains 49 automated controls and 6 manual controls

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 contains 33 automated controls and 5 manual controls

The controls in these frameworks aren't intended to verify whether your systems are compliant with the CIS standard, and they can't guarantee that you will pass a CIS assessment. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

These frameworks provide guidance for configuring security options for a subset of AWS services, with an emphasis on foundational, testable, and architecture-agnostic settings. Specific AWS services in scope for these frameworks include the following:

  • AWS Identity and Access Management (IAM)

  • AWS Config

  • AWS CloudTrail

  • Amazon CloudWatch

  • Amazon Simple Notification Service (Amazon SNS)

  • Amazon Simple Storage Service (Amazon S3)

  • Amazon Virtual Private Cloud (default)

You can find the CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.3.0, Level 1 and 2 frameworks under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment. For instructions on how to customize these frameworks to support your specific requirements, see Customizing an existing framework and Customizing an existing control.