Did you know an AWS Account is only 39% CIS compliant by default?
That's why I've created a Python script (which is available free on my GitHub page) which will help you achieve CIS, PCI DSS, and AWS Security Best Practice compliance, all with just one command.
Behind the scenes it checks about 200 controls and with my script you will meet over 95% of those. Some items such as enabling hardware MFA are not possible with a script.
Behind the scenes it launching a nested CloudFormation stack with 10 sub-stacks. Then it uses Python (via the AWS boto3 SDK library) to do the following:
- Enable GuardDuty
- Remove Default Security Group Rules
- Update the Password Policy
- Enable S3 Secure Transport
- Enable PCI Standards
- Enable a VPC for the Control Tower Lambda function
You can download the script and find details on how run it here. NickTheSecurityDude GitHub
After you run the script, simply give SecurityHub about 24 hours to update.
The script will send both email notices as well Slack notifications in the event a control is detected out of compliance.
I will be doing a live demo of the script at the September 2021 Chicago AWS Security Meetup Group. Join me via Zoom on 9/21 at 7pm to view first hand how the script works and to ask any questions.