CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0 - AWS Audit Manager

CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0

AWS Audit Manager provides two prebuilt standard frameworks that support the CIS AWS Foundations Benchmark v1.4.0:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1 and 2

Note

What is the CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0?

The CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1 and 2 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include the following:

  • AWS Identity and Access Management (IAM)

  • IAM Access Analyzer

  • AWS Config

  • AWS CloudTrail

  • Amazon CloudWatch

  • Amazon Simple Notification Service (Amazon SNS)

  • Amazon Simple Storage Service (Amazon S3)

  • Amazon Elastic Compute Cloud (Amazon EC2)

  • Amazon Relational Database Service (Amazon RDS)

  • Amazon Virtual Private Cloud

Difference between CIS Benchmarks and CIS Controls

The CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and networks devices, the settings that are applied from a benchmark protect the systems that are being used. The CIS Controls are foundational best practice guidelines for your organization to follow to help protect from known cyberattack vectors.

Examples

  • CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    Example: CIS Amazon Web Services Foundations Benchmark v1.4.0 - 1.5 Ensure MFA is enabled for the "root user" account

    This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole, and aren't specific to only one vendor product.

    Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    This control describes what's expected to be applied within your organization. However, it doesn't describe how to apply it for the systems and workloads that you're running, regardless of where they are.

Using this framework to support your audit preparation

You can use the CIS AWS Foundations Benchmark v1.4.0 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.

Using the frameworks as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the CIS framework. When it's time for an audit, you—or a delegate of your choice—can review the collected evidence and then add it to an assessment report. You can use this assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager Number of automated controls Number of manual controls Number of control sets
CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1 32 6 7
CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1 and 2 50 8 7

The controls in these frameworks aren't intended to verify if your systems are compliant with the CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.4.0 standard. Moreover, they can't guarantee that you'll pass a CIS audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find these frameworks under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using these frameworks, see Creating an assessment.

For instructions on how to customize these frameworks to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More CIS resources