Embrace Continuous Security and Ensure CIS Compliance for Your AWS, Always
9 May 2017
By 2021, cybercrime damages will cost the world $6 trillion annually, predicts Cybersecurity Ventures. The dramatic rise in internet crime, from the ransomware epidemic and under-protected Internet of Things (IoT) devices to more sophisticated targeted attacks, is pushing businesses across the globe to embrace continuous security and stringent compliance. And if you are on a public cloud, especially AWS, then compliance with the Center for Internet Security (CIS) benchmark for AWS is a must.
Are you an AWS customer, auditor, system integrator, partner, or consultant looking to implement continuous security compliance for your AWS accounts? Then look no further. Botmetric's Security & Compliance now incorporates the CIS AWS Foundations Benchmark best practices as a policy in its audit ecosystem, so you can measure your AWS cloud against it.
Importance of CIS Compliance For Your AWS
For 16 years, Center for Internet Security (CIS) benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components. With the exponential increase in AWS adoption, CIS produced a benchmark tailored to AWS. Its recommendations go beyond the high-level security guidance already available, giving AWS users clear, step-by-step implementation and assessment procedures for each control. This is the first time CIS has issued a set of security best practices specific to an individual cloud service provider, in this case AWS.
The release of the CIS AWS Foundations Benchmark into this existing ecosystem marks one of the many milestones for the maturation of the cloud and its suitability for sensitive and regulated workloads.
CIS AWS Foundations Benchmark Overview
The CIS benchmark for AWS provides prescriptive guidance for configuring the security options of a basic set of foundational AWS services. These are the services within the scope of the benchmark:
- AWS Identity and Access Management (IAM)
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- AWS VPC (Default)
Further, this benchmark is divided into four sections:
AWS CIS IAM (Identity and Access Management) Benchmark
Imagine this: AWS is a territory that can be entered only with a few keys, and the master key is the "root" account. The root account has unrestricted access to every resource in the AWS account, so it must be closely guarded and its use kept to a minimum.
The CIS recommendations for IAM limit the use of the root account and, for the occasions it is used, prescribe monitoring so that unauthorized use is detected. They also require multi-factor authentication (MFA) for every user with a console password, disabling credentials that have gone unused for 90 days, rotating access keys at least every 90 days, and a strong account password policy (minimum length, character classes, expiry and reuse prevention).
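The IAM checks above can be run directly against the IAM credential report, which is the artifact the benchmark's own audit procedure for these controls uses. The following is an added example in Python, not Botmetric's code: the CSV has the column layout that `aws iam get-credential-report` returns after base64 decoding, but the rows and the two password-policy dicts are constructed sample data, not a real account, and the check numbers follow CIS AWS Foundations Benchmark v1.1.

```python
"""CIS AWS Foundations IAM checks (section 1) over an IAM credential report.

Added example, not Botmetric's code. SAMPLE_REPORT, NOW and the policy dicts
are constructed. In a live account fetch the report with boto3:
    iam.get_credential_report()["Content"].decode()
and the policy with:
    iam.get_account_password_policy()["PasswordPolicy"]
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report: root with an active access key, a compliant user (alice),
# a service user with a stale, never-rotated key (deploy-bot), and a console
# user without MFA (bob).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T09:00:00+00:00,not_supported,2017-05-01T08:00:00+00:00,not_supported,not_supported,true,true,2015-01-10T09:05:00+00:00,2017-04-30T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-03-01T10:00:00+00:00,true,2017-05-08T07:30:00+00:00,2017-03-01T10:00:00+00:00,2017-06-01T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-06-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-06-15T10:00:00+00:00,2016-12-01T10:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-09-01T10:00:00+00:00,true,2017-05-07T16:00:00+00:00,2016-09-01T10:00:00+00:00,2016-12-01T10:00:00+00:00,false,true,2017-04-20T10:00:00+00:00,2017-05-07T16:05:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2017, 5, 9, tzinfo=timezone.utc)  # fixed clock so findings are reproducible
MAX_AGE = timedelta(days=90)                      # benchmark threshold for unused / unrotated credentials

# Constructed password policies: one that fails several controls, one that passes all.
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
               "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
               "AllowUsersToChangePassword": True, "ExpirePasswords": False}
STRONG_POLICY = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                 "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}


def _ts(value):
    """Parse a report timestamp; markers such as N/A, no_information, not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _older_than_max_age(value, now=NOW):
    """True only for a real timestamp more than MAX_AGE in the past."""
    t = _ts(value)
    return t is not None and now - t > MAX_AGE


def audit_credential_report(report_csv, now=NOW):
    """Return (check, user, detail) findings for CIS 1.2, 1.3, 1.4, 1.12 and 1.13."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # 1.12: root must hold no access keys; 1.13: root must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append(("1.12", user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append(("1.13", user, "root account has no MFA"))
            continue
        # 1.2: every user with a console password must have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("1.2", user, "console password enabled without MFA"))
        # 1.3: passwords unused for 90 days should be disabled.
        if row["password_enabled"] == "true" and _older_than_max_age(row["password_last_used"], now):
            findings.append(("1.3", user, "console password unused for more than 90 days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = row[f"access_key_{n}_last_used_date"]
            last_rotated = row[f"access_key_{n}_last_rotated"]
            # 1.3: an active key never used is judged by its creation/rotation date.
            if _older_than_max_age(last_used, now) or (_ts(last_used) is None and _older_than_max_age(last_rotated, now)):
                findings.append(("1.3", user, f"access key {n} unused for more than 90 days"))
            # 1.4: active access keys must be rotated at least every 90 days.
            if _older_than_max_age(last_rotated, now):
                findings.append(("1.4", user, f"access key {n} not rotated for more than 90 days"))
    return findings


def audit_password_policy(policy):
    """CIS 1.5-1.11 checks on the PasswordPolicy dict; returns (check, scope, detail) findings."""
    checks = {
        "1.5": (policy.get("RequireUppercaseCharacters", False), "uppercase letters not required"),
        "1.6": (policy.get("RequireLowercaseCharacters", False), "lowercase letters not required"),
        "1.7": (policy.get("RequireSymbols", False), "symbols not required"),
        "1.8": (policy.get("RequireNumbers", False), "numbers not required"),
        "1.9": (policy.get("MinimumPasswordLength", 0) >= 14, "minimum length below 14"),
        "1.10": (policy.get("PasswordReusePrevention", 0) >= 24, "fewer than 24 previous passwords remembered"),
        "1.11": (policy.get("ExpirePasswords", False) and 0 < policy.get("MaxPasswordAge", 0) <= 90,
                 "passwords do not expire within 90 days"),
    }
    return [(check, "account", detail) for check, (ok, detail) in checks.items() if not ok]


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT) + audit_password_policy(WEAK_POLICY):
        print(*finding, sep="\t")
```

The report's "never used" markers are deliberately distinct from a real timestamp: an active key that has never been used is measured from its rotation date, otherwise a freshly created but forgotten key would never show up as stale.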
AWS CIS Logging Benchmark (CloudTrail, CloudWatch, S3, AWS Config)
Logging API calls is a central recommendation of the benchmark. All AWS API calls, in all regions, should be logged via CloudTrail, and CloudTrail should deliver its logs to S3 for long-term retention and to CloudWatch Logs for real-time analysis. Log file validation should be enabled so tampering is detectable, the log bucket must not be publicly accessible, the logs should be encrypted at rest with a KMS customer master key, and that key should be rotated regularly.
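The logging controls above are all visible in a handful of describe calls, so they can be audited from their output. The following is an added example in Python, not Botmetric's code: the dicts mirror the shapes returned by `cloudtrail.describe_trails()`, `cloudtrail.get_trail_status()`, `s3.get_bucket_acl()` and `kms.get_key_rotation_status()`, but their contents are constructed, not a real account, and the check numbers follow CIS AWS Foundations Benchmark v1.1. Bucket policies (which the benchmark also inspects for public access) are out of scope here.

```python
"""CIS AWS Foundations logging checks (section 2) over CloudTrail configuration.

Added example, not Botmetric's code. All data below is constructed; in a live
account replace it with the output of the boto3 calls named in the comments.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 5, 9, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible results

# cloudtrail.describe_trails()["trailList"]: a single-region trail with most
# controls missing, and a multi-region trail whose only gap is key rotation.
TRAILS = [
    {"Name": "ops-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/ops-trail",
     "S3BucketName": "example-ops-trail-logs", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": False},
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "S3BucketName": "example-org-trail-logs", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/org:*",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-aaaa"},
]
# cloudtrail.get_trail_status(Name=...) keyed by trail name.
TRAIL_STATUS = {
    "ops-trail": {"IsLogging": True},
    "org-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(hours=2)},
}
# s3.get_bucket_acl(Bucket=...)["Grants"] keyed by bucket name.
BUCKET_ACLS = {
    "example-ops-trail-logs": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
    "example-org-trail-logs": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ],
}
# kms.get_key_rotation_status(KeyId=...)["KeyRotationEnabled"] keyed by key ARN.
KEY_ROTATION = {"arn:aws:kms:us-east-1:111122223333:key/0000-aaaa": False}

# The two pre-defined S3 groups that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def audit_cloudtrail(trails, status, acls, key_rotation, now=NOW):
    """Return (check, scope, detail) findings for CIS 2.1, 2.2, 2.3, 2.4, 2.7 and 2.8."""
    findings = []
    # 2.1: at least one trail must be multi-region, include global service events, and be logging.
    if not any(t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents")
               and status.get(t["Name"], {}).get("IsLogging") for t in trails):
        findings.append(("2.1", "account", "no active multi-region trail"))
    for t in trails:
        name = t["Name"]
        # 2.2: digest files let you prove the log files were not modified after delivery.
        if not t.get("LogFileValidationEnabled"):
            findings.append(("2.2", name, "log file validation disabled"))
        # 2.3: the log bucket must not grant access to AllUsers or AuthenticatedUsers.
        grants = acls.get(t["S3BucketName"], [])
        if any(g["Grantee"].get("URI") in PUBLIC_GRANTEES for g in grants):
            findings.append(("2.3", name, f"bucket {t['S3BucketName']} grants access to a public group"))
        # 2.4: trail integrated with CloudWatch Logs and delivering within the last day.
        delivered = status.get(name, {}).get("LatestCloudWatchLogsDeliveryTime")
        if not t.get("CloudWatchLogsLogGroupArn") or delivered is None or now - delivered > timedelta(days=1):
            findings.append(("2.4", name, "not delivering to CloudWatch Logs within the last day"))
        # 2.7 / 2.8: logs encrypted with a KMS CMK, and that CMK rotates annually.
        key = t.get("KmsKeyId")
        if not key:
            findings.append(("2.7", name, "log files not encrypted with a KMS CMK"))
        elif not key_rotation.get(key):
            findings.append(("2.8", name, f"KMS key {key} has rotation disabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_cloudtrail(TRAILS, TRAIL_STATUS, BUCKET_ACLS, KEY_ROTATION):
        print(*finding, sep="\t")
```

The 2.4 check deliberately looks at delivery time rather than only at the log group ARN: a trail can be wired to CloudWatch Logs and still have stopped delivering (for example, after its IAM role was modified), and the benchmark's audit step asks for a recent delivery timestamp for that reason.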
AWS CIS Monitoring Benchmark (CloudTrail, CloudWatch, SNS)
Monitoring an AWS account is critical to detecting unauthorized use of the account. The benchmark recommends building alerts from CloudWatch Logs metric filters over the CloudTrail log group, each paired with a CloudWatch alarm that notifies an SNS topic. Events to monitor and alert on include console sign-ins without MFA, root account usage, failed console authentication attempts, unauthorized API calls, and changes to IAM policies, CloudTrail configuration, S3 bucket policies, AWS Config, and network configuration (security groups, network ACLs, gateways, route tables and VPCs).
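Each metric filter in the monitoring section is a predicate over CloudTrail record fields, and the alarm simply fires once the matching count reaches 1 in a period. The following is an added example in Python, not Botmetric's code: it implements the predicates for six of those checks so they can be run offline against constructed CloudTrail records (not real CloudTrail output). Check numbers follow CIS AWS Foundations Benchmark v1.1, and the filter pattern quoted in each comment is the benchmark's; the 3.2 predicate is narrowed to successful sign-ins, which is this example's choice rather than the benchmark's.

```python
"""CIS AWS Foundations monitoring checks (section 3) as detection logic over
CloudTrail records. Added example, not Botmetric's code; EVENTS is constructed.
"""

IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def unauthorized_api_call(e):
    # 3.1  { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(e):
    # 3.2  { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    # Narrowed here (this example's choice) to successful sign-ins so that a failed
    # attempt is counted once, under 3.6, instead of tripping both rules.
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success")


def root_account_usage(e):
    # 3.3  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #        && $.eventType != "AwsServiceEvent" }
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def iam_policy_change(e):
    # 3.4  eventName is one of the IAM policy mutation calls
    return e.get("eventName") in IAM_POLICY_EVENTS


def console_auth_failure(e):
    # 3.6  { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"


def security_group_change(e):
    # 3.10 eventName is one of the security group mutation calls
    return e.get("eventName") in SECURITY_GROUP_EVENTS


RULES = [("3.1", unauthorized_api_call), ("3.2", console_login_without_mfa),
         ("3.3", root_account_usage), ("3.4", iam_policy_change),
         ("3.6", console_auth_failure), ("3.10", security_group_change)]

# Constructed CloudTrail records (only the fields the rules read).
EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e3", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e4", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e5", "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e6", "eventName": "GetCallerIdentity", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Root credentials used by a service on the account's behalf: excluded by invokedBy.
    {"eventID": "e7", "eventName": "CreateLogStream", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333", "invokedBy": "cloudtrail.amazonaws.com"}},
]


def match_events(events):
    """Return (rule, eventID) pairs, one per rule each record trips."""
    return [(rule, e["eventID"]) for e in events for rule, pred in RULES if pred(e)]


def alarms(matches, threshold=1):
    """Rules whose hit count reaches the threshold; the benchmark's alarms fire at 1."""
    counts = {}
    for rule, _ in matches:
        counts[rule] = counts.get(rule, 0) + 1
    return sorted(rule for rule, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = match_events(EVENTS)
    print(hits)
    print("alarms to send via SNS:", alarms(hits))
```

The `invokedBy` exclusion in 3.3 matters in practice: some AWS services act with the account's root identity and record it that way, and without the exclusion the root-usage alarm fires on routine service activity and gets muted.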
AWS CIS Networking Benchmark (Default VPC)
The networking section of the benchmark makes recommendations for the security-related configuration of the default VPC and its security groups. It prohibits security groups that allow unrestricted ingress (from 0.0.0.0/0) to remote administration ports such as SSH (22) and RDP (3389), and it requires that the default security group of every VPC restrict all traffic, so that resources launched without an explicit group get no access by default.
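Both networking checks are a walk over the security group rules, where the subtlety is that a rule need not name port 22 or 3389 explicitly: a port range covering it, or protocol `-1` (all traffic), opens it just the same. The following is an added example in Python, not Botmetric's code: the list mirrors the shape of `ec2.describe_security_groups()["SecurityGroups"]` but is constructed, not a real account. It also flags `::/0` IPv6 sources, which goes beyond the benchmark text quoted above; the check numbers follow CIS AWS Foundations Benchmark v1.1.

```python
"""CIS AWS Foundations networking checks (section 4) over security group rules.

Added example, not Botmetric's code; SECURITY_GROUPS is constructed.
"""

ADMIN_PORTS = {22: "4.1", 3389: "4.2"}  # SSH and RDP, with their benchmark check numbers

# Constructed ec2.describe_security_groups()["SecurityGroups"]: the untouched
# default group (self-referencing ingress, all egress), a bastion open to the
# world on 22, a group whose wide port range happens to include 3389, a group
# that allows SSH only from private space, and an all-traffic group.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "default", "VpcId": "vpc-11111111",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "VpcId": "vpc-11111111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-win", "GroupName": "windows-admin", "VpcId": "vpc-11111111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-app", "GroupName": "app", "VpcId": "vpc-11111111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-any", "GroupName": "wide-open", "VpcId": "vpc-11111111",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
]


def open_to_world(perm):
    """True when the rule's source includes every IPv4 or every IPv6 address."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))


def covers_port(perm, port):
    """True when the rule admits TCP traffic to the port, explicitly, by range, or via all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (check, GroupId, detail) findings for CIS 4.1, 4.2 and 4.3."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            for port, check in ADMIN_PORTS.items():
                if covers_port(perm, port):
                    findings.append((check, sg["GroupId"],
                                     f"ingress to port {port} from anywhere ({perm.get('IpProtocol')} "
                                     f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')})"))
        # 4.3: the default group should carry no rules at all, in either direction.
        if sg.get("GroupName") == "default" and (sg.get("IpPermissions") or sg.get("IpPermissionsEgress")):
            findings.append(("4.3", sg["GroupId"], "default security group still has rules"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS):
        print(*finding, sep="\t")
```

For remediation, the offending `IpPermissions` entry can be passed unchanged to `ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=[perm])`; a freshly created VPC's default group has exactly the self-referencing ingress and all-traffic egress rules shown in the sample, so 4.3 fails on every VPC nobody has cleaned up.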
How Botmetric Can Help?
Botmetric's Security & Compliance automatically audits your infrastructure against the CIS AWS Foundations Benchmark policies, so you can see where your AWS infrastructure stands on CIS compliance without working through the benchmark document and a manual assessment yourself.
With Botmetric, you can:
- Implement foundational security measures in your AWS account, removing guesswork for security professionals
- Audit your complete AWS infrastructure against all the CIS benchmark sections and best practices described above
- Evaluate the security of your AWS account continuously rather than as a one-off exercise
- Run additional audits of your environment from the same audit ecosystem
The GIF below shows how to run the CIS audit on Botmetric:
Go to the Botmetric Audit Report, select CIS Foundation Policy from the policy dropdown, and check how your AWS cloud infrastructure's security stacks up against this policy.
Who should be using CIS Benchmarks
- AWS Customers
- AWS Auditors
- AWS System Integrators
- AWS Partners
- AWS Consultants
Get compliant with the CIS framework and best practices for your AWS cloud. Go beyond the high-level security guidance already available, with Botmetric: audit your cloud infrastructure automatically against the CIS AWS benchmark policies, and stay alert to misconfigurations before they become incidents.
If you're already on Botmetric, try the CIS Benchmark policy today to secure and benchmark your AWS cloud security. To learn more about continuous security, read the blog post Continuous Security: A Necessity on Cloud.