CIS Benchmarks for AWS
The Center for Internet Security (CIS) is a company that maintains cybersecurity standards for a wide variety of internet-connected technologies. The ultimate internet-connected technologies are cloud platforms! And Amazon’s AWS (Amazon Web Services) is one of the most popular cloud platforms around. Whether your organization has one cloud platform in your network or a multi-cloud network, there’s a good chance that AWS is one of the vendors in your technological ecosystem.
If your organization benefits from CloudDefense.AI CSPM (Cloud Security Posture Management), then you understand that the cloud is a vast potential cyber attack surface that must be properly managed in the wake of the ever-evolving cyber threat landscape. I would also recommend using CIS Benchmarks to evaluate your AWS security configurations at least once or twice per year. If you fill out a form on CIS’s website, they will send you a PDF with the Benchmarks of your choice. But before you do that, here’s the TL;DR version to get you started. (TL;DR is the internet slang the kids these days use to mean “too long, didn’t read.” See, I’m with it!)
- It’s crucial to check your organization’s Identity and Access Management (IAM) in AWS. IAM is the gateway to acquiring privileged access to your AWS services and applications. Making sure that only authorized users can reach the data they’re entitled to is a central concept in cybersecurity. Your organization likely creates new user accounts every so often, when an employee or contractor needs access to a new application or a new person is hired for a role. AWS provides a dedicated IAM console that an administrator can use to make sure your IAM records and settings are as secure as possible. CIS benchmarks in this area include (but aren’t limited to) maintaining current contact details for each user, making sure the root user and all other user accounts have MFA (multi-factor authentication) configured, eliminating the use of the root account for administrative and daily tasks (this follows from the principle of least privilege), and making sure that all passwords are complex by establishing an automated password policy that mandates passwords be 14 or more characters.
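As an added example (not from the original post and not CIS’s own tooling), here is how you might evaluate the MFA and 14-character password items above once you have pulled an IAM credential report and the account password policy. It assumes the data was fetched with boto3 (iam.get_credential_report(), iam.get_account_password_policy()) and decoded; the report rows and policy shown are constructed samples.

```python
import csv
import io

# Constructed sample of an IAM credential report (the CSV that
# iam.get_credential_report() returns, base64-decoded). Account id, names
# and values are made up; only the columns the checks use are shown.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""

# Constructed sample shaped like iam.get_account_password_policy()["PasswordPolicy"].
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True}


def credential_report_findings(report_csv):
    """Findings from a credential report: root with an active access key,
    root without MFA, and any console-enabled user without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if row["access_key_1_active"] == "true":
                findings.append("root account has an active access key")
            if not mfa:
                findings.append("root account has no MFA device")
        elif row["password_enabled"] == "true" and not mfa:
            # API-only users (no console password) are out of scope for this item.
            findings.append(f"console user {user} has no MFA device")
    return findings


def password_policy_findings(policy, minimum_length=14):
    """Flag a password policy whose minimum length is below the 14-character floor."""
    length = policy.get("MinimumPasswordLength", 0)
    if length < minimum_length:
        return [f"password policy minimum length is {length}; benchmark requires {minimum_length}"]
    return []


if __name__ == "__main__":
    for finding in credential_report_findings(CREDENTIAL_REPORT) + password_policy_findings(PASSWORD_POLICY):
        print("FAIL:", finding)
```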
- All AWS customers have data stored in Amazon S3 buckets. It’s also highly likely that you have Amazon EC2 in your network, and you may have RDS (Relational Database Service) and EFS (Elastic File System) as well. Here are some of the important CIS Benchmarks for your AWS storage:
  - Make sure your Amazon S3 buckets employ encryption-at-rest.
  - Ensure all of your Amazon S3 stored data is discovered, classified, and secured as required.
  - Make sure your S3 buckets block public access.
  - Ensure that EBS Volume Encryption is enabled for all of your EC2 instances in all regions.
  - Ensure that public access isn’t given to your RDS instances.
  - Ensure that encryption is enabled for EFS file systems.
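As an added example (not from the original post), the S3 items above expressed as checks over a per-bucket inventory. The bucket names and settings are constructed; each entry is shaped like the boto3 responses from s3.get_public_access_block(), s3.get_bucket_encryption() and s3.get_bucket_policy(), with None standing in for “not configured”. The policy check goes one step past the list and also flags a bucket policy that grants access to every principal, which is how a bucket ends up public even when ACLs are blocked.

```python
import json

# Constructed inventory of two buckets (names and settings are made up).
# Each entry mirrors what you would assemble per bucket from the three boto3 calls.
BUCKETS = {
    "finance-archive": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "Policy": None,
    },
    "marketing-assets": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "ServerSideEncryptionConfiguration": None,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
    },
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def statement_is_public(stmt):
    """An Allow statement for every principal with no Condition narrowing it."""
    principal = stmt.get("Principal")
    anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt


def bucket_findings(name, cfg):
    """Evaluate one bucket against the block-public-access and encryption-at-rest items."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access block incomplete ({', '.join(missing)})")
    sse = cfg.get("ServerSideEncryptionConfiguration")
    if not sse or not sse.get("Rules"):
        findings.append(f"{name}: no default encryption-at-rest rule")
    if cfg.get("Policy"):
        statements = json.loads(cfg["Policy"]).get("Statement", [])
        if isinstance(statements, dict):  # a lone statement may be an object, not a list
            statements = [statements]
        if any(statement_is_public(s) for s in statements):
            findings.append(f"{name}: bucket policy grants access to all principals")
    return findings


def all_findings(buckets):
    return [f for name, cfg in buckets.items() for f in bucket_findings(name, cfg)]
```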
- Robust logging is vital when it comes to securing your AWS services. Logs are required for monitoring any possible security-related event, and they can be fed into automated systems for threat detection. But logging must be properly established first. Here are some of the CIS Benchmarks for AWS logging:
  - Ensure CloudTrail is enabled in all regions.
  - Ensure that the S3 bucket you use for CloudTrail logs isn’t publicly accessible. (That data is for your organization, not for possible cyber threat actors!)
  - Ensure that AWS Config is enabled in all regions.
  - Ensure that object-level logging for both read and write events is enabled for all of your S3 buckets.
  - Ensure that CloudTrail trails are integrated with CloudWatch Logs. Believe it or not, that’s an easy necessity to miss! Your monitoring systems are where those logs are supposed to end up.
- There are CIS Benchmarks for monitoring as well. Here are some of the most important ones. Ensure a log metric filter and alarm exist for:
  - Unauthorized API calls
  - Management Console sign-in without MFA
  - IAM policy changes
  - All root account usage
  - S3 bucket policy changes
  - Security group changes
  - VPC (virtual private cloud) changes
  - Network Access Control List (NACL) changes
  - Changes to network gateways
  - AWS Management Console authentication failures
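As an added example (not from the original post), the first three monitoring items rendered as Python predicates over constructed CloudTrail records. The comment above each predicate is the CloudWatch Logs metric filter pattern the CIS benchmark gives for that item; running the same logic offline over a sample of exported events is a cheap way to confirm a filter will actually fire before you trust the alarm behind it.

```python
import fnmatch
import json

# Constructed CloudTrail records, one JSON document per line, shaped like the
# events CloudTrail delivers to CloudWatch Logs. Account id and names are made up.
SAMPLE_EVENTS = """\
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"}}
{"eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"Client.UnauthorizedOperation"}
{"eventName":"CreateBucket","eventType":"AwsApiCall","userIdentity":{"type":"Root","accountId":"111122223333"}}
{"eventName":"CreateLogStream","eventType":"AwsServiceEvent","userIdentity":{"type":"Root","invokedBy":"cloudtrail.amazonaws.com"}}
"""

def matches(value, pattern):
    """Glob comparison as a metric filter does it; a missing field never matches."""
    return value is not None and fnmatch.fnmatchcase(value, pattern)

def unauthorized_api_call(ev):
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = ev.get("errorCode")
    return matches(code, "*UnauthorizedOperation") or matches(code, "AccessDenied*")

def console_login_without_mfa(ev):
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    return ev.get("eventName") == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"

def root_account_usage(ev):
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident and ev.get("eventType") != "AwsServiceEvent"

RULES = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "ConsoleSigninWithoutMFA": console_login_without_mfa,
    "RootAccountUsage": root_account_usage,
}

def evaluate(log_text):
    """Return {rule_name: hit_count} over newline-delimited CloudTrail records."""
    counts = {name: 0 for name in RULES}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                counts[name] += 1
    return counts
```

Newer revisions of the benchmark refine some of these patterns (the console sign-in one in particular), so copy the pattern from the benchmark version you adopt rather than from this snippet.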
- The last category of CIS Benchmarks for AWS is networking. There are just five of them:
  - Ensure no NACLs allow ingress from 0.0.0.0/0 to remote server administration ports.
  - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports.
  - Ensure no security groups allow ingress from ::/0 to remote server administration ports.
  - Ensure the default security group of every VPC restricts all traffic.
  - Ensure that routing tables for VPC peering are configured for “least access.”
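As an added example (not from the original post), a check for the two security-group items above. It takes “remote server administration ports” to mean 22 (SSH) and 3389 (RDP), treats any rule whose protocol/port span covers either port as relevant (including protocol -1, which is all traffic), and flags the rule when its source is 0.0.0.0/0 or ::/0. The groups are constructed samples shaped like ec2.describe_security_groups()["SecurityGroups"].

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the ports taken here as remote server administration ports

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"]; ids are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "ops", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_any_address(cidr):
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix in either address family)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_admin_port(perm):
    """True if the rule's protocol and port span include 22 or 3389."""
    if perm.get("IpProtocol") == "-1":        # all protocols, all ports; no FromPort/ToPort keys
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp", "6", "17"):
        return False
    low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(low <= p <= high for p in ADMIN_PORTS)


def open_admin_rules(groups):
    """Return (group id, source cidr) pairs exposing an admin port to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_admin_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], c) for c in cidrs if is_any_address(c))
    return findings
```

The NACL item needs the same port and CIDR test applied to ec2.describe_network_acls() entries whose Egress is false and RuleAction is "allow".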
Automated tools can be very useful for improving your organization’s security posture when used properly. But you should still manually check your AWS configurations at least a couple of times per year to make sure you meet the CIS Benchmarks. The Benchmarks provide a good security baseline, and I recommend improving your AWS security configuration from there! You would be surprised how often cyber threat actors, both internal and external to organizations, exploit very common cloud configuration vulnerabilities that could have been mitigated by applying one of the CIS Benchmarks. You should always remember to do the basics!