Embrace Continuous Security and Compliance on AWS with CIS Security Benchmarks

By 2021, cybercrime damages will cost the world $6 trillion annually, predicts Cybersecurity Ventures. The dramatic rise in internet crime, right from ransomware epidemic and under-protected Internet of Things (IoT) devices to more sophisticated cyber-attacks, are coercing the businesses across the globe to embrace continuous security and stringent compliance. And if you are on public cloud, especially AWS, then CIS Compliance (Centre for Internet Security Compliance) for your AWS is a must.

Are you a AWS customer, AWS auditor, AWS system integrator, AWS partner, or a AWS consultant looking to implement this continuous security compliance for your AWS, then look no further. Botmetric’s Security & Compliance has imbibed CIS AWS Framework best practices now to benchmark its audits ecosystem to ensure CIS compliance.

Importance of CIS Compliance For Your AWS

For 16 years, Centre for Internet Security (CIS) benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components. Due to exponential increase in the adoption of AWS cloud, CIS came up with several benchmarks customized for AWS. These best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures. This is the first-time CIS has issued a set of security best practices specific to an individual cloud service provider — AWS.

The release of the CIS AWS Foundations Benchmark into this existing ecosystem marks one of many milestones for the maturation of the cloud and its suitability for sensitive and regulated workloads.

CIS AWS Foundations Benchmark Overview

The CIS benchmark for AWS provides prescriptive guidance for configuring security options for a basic set of foundational AWS services. Here’s the list of services that are within the scope of this benchmark:

• AWS Identity and Access Management (IAM)
• AWS Config
• AWS CloudTrail
• AWS CloudWatch
• AWS Simple Notification Service (SNS)
• AWS Simple Storage Service (S3)
• AWS VPC (Default)

Further, this benchmark is divided into four sections-:

AWS CIS IAM (Identity And Access Management) Benchmark

Imagine this: if AWS was a territory and can be accessed only through few keys. Then these keys that give access to this territory would be the “root” account. The root account, however, has unrestricted access to all resources in the AWS account and it must be fiercely guarded and its use limited.

The CIS policies for IAM provides recommendations to limit the use of the root account, and if used, provides necessary monitoring guidance to prevent unauthorized use. In addition, it also recommends using multifactor authentication (MFA), disabling inactive accounts, and having a very strong password policy.

AWS CIS Logging Benchmark (CloudTrail, CloudWatch, S3, AWS Config)

The use of logging API calls is an important recommendation in CIS benchmarks. It recommends that all AWS API calls should be logged via CloudTrail, and CloudTrail should be configured to send logs to S3 and CloudWatch for long term and real-time analysis respectively. The logs should be encrypted, and the encryption keys should be rotated on a regular basis.

AWS CIS Monitoring Benchmark (CloudTrail, CloudWatch, SNS)

Monitoring an AWS account is critical to prevent and detect unauthorized use of the account. The benchmark recommends generating alerts by using a combination of metric filters and alarms. Some of the events to monitor and generate alerts against include non-MFA enabled accounts logged in via the console, root account usage, failed authentication attempts, unauthorized changes to IAM, S3, AWS Config and network configuration.

AWS CIS Networking Benchmark (Default VPC)

The networking section of CIS benchmarks make recommendations for configuring security related aspects of the default virtual private cloud (VPC). The recommendations include prohibiting security groups from allowing unfettered ingress access to remote console services such as SSH and RDP from 0.0.0.0/0, and also ensuring that the default security group restricts all traffic by default.

How Botmetric Can Help?

Botmetric’s Security & Compliance automatically audits your infrastructure as per AWS CIS Benchmark policies. This ensure complete CIS compliance of your AWS infra, without you going through complex process or studying docs.

With Botmetric, you can:

• Implements foundational security measures in your AWS account that removes guesswork for security professionals
• Audits complete AWS infra as per all the aforementioned CIS benchmarking
• Evaluates security of your AWS account for continuous security
• Performs additional audit ecosystem into your environment

The below GIF will guide you on how to go about CIS compliance on Botmetric:

Go to Botmetric Audit Report, select CIS Foundation Policy from policy dropdown and check how your AWS cloud infrastructure security stacks up against this policy.

Who should be using CIS Benchmarks

• AWS Customers
• AWS Auditors
• AWS System Integrators
• AWS Partners
• AWS Consultants

The Wrap-Up

Get compliant with CIS framework and best practices for your AWS cloud. Go beyond the high-level security guidance already available, with Botmetric. Perform additional audits of your cloud infrastructure automatically as per AWS CIS benchmark policies, and stay sentinel to vulnerabilities.

If you’re already on Botmetric, do try the CIS Benchmark today to secure and benchmark your AWS cloud security.

If you’ve found this article helpful, feel free to share. Connect with us on Twitter, facebook, LinkedIn, for more industry updates!

This article was originally published on Botmetric Blog.