CIS Controls v7.1 Implementation Group 1 - AWS Audit Manager

CIS Controls v7.1 Implementation Group 1

AWS Audit Manager provides a prebuilt framework that supports the Center for Internet Security (CIS) to assist you with your audit preparation.

What are CIS controls?

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices. These best practices mitigate the most common attacks against systems and networks. Implementation Group 1 is generally defined for an organization with limited resources and cybersecurity expertise that are available to implement Sub-Controls.

Difference between CIS Controls and CIS Benchmarks

The CIS Controls are foundational best practice guidelines that an organization can follow to have protection from known cyberattack vectors. The CIS Benchmarks are security best practice guidelines specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings that are applied from a Benchmark protect the systems that are being used.

Examples

  • CIS Benchmarks are prescriptive. They typically reference a specific setting that can be reviewed and set in the vendor product.

    • Example: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 1.13 Ensure MFA is enabled for the "root user" account.

    • This recommendation provides prescriptive guidance on how to check for this and how to set this on the root account for the AWS environment.

  • CIS Controls are for your organization as a whole and aren't specific to only one vendor product.

    • Example: CIS Controls v7.1 - Sub-Control 4.5 Use Multi-Factor Authentication for All Administrative Access

    • This control tells you what should be applied within your organization. However, it doesn't tell you how you should apply it for the systems and workloads that you're running (regardless of where they are).

Use AWS Audit Manager to support your CIS audit preparation

You can use the CIS Controls v7.1 IG1 framework in AWS Audit Manager to prepare for CIS audits. The framework contains 21 automated controls and 22 manual controls. The controls in this framework aren't intended to verify whether your systems are compliant with the CIS standard. They can't guarantee that you will pass a CIS assessment. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find the CIS Controls v7.1 IG1 framework under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment. For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.