DEV Community

Sedat SALMAN for AWS Community Builders


AWS Security Stories #03: CIS Controls

The CIS (Center for Internet Security) is a non-profit organization whose main purpose is to support security policy and decision-making by publishing two sets of guidance: the CIS Controls and the CIS Benchmarks.

The controls formerly known as the SANS Critical Security Controls (the SANS Top 20) are now officially called the CIS Critical Security Controls (CIS Controls). They are a prioritized set of defensive measures against the most common cyber attacks on an enterprise network; with CIS Controls v8 some controls were consolidated and combined, so the count dropped from 20 to 18.

Implementing the CIS Critical Security Controls in your organization can help you:

  • Develop a security program and framework for your organization
  • Focus on the most important and effective security controls
  • Comply more easily with other frameworks, including NIST, ISO 27001, NERC CIP and IEC 62443

A summary of the 18 controls, with the number of Safeguards in each, follows:

CIS Control 1: Inventory and Control of Enterprise Assets — 5 Safeguards
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, network devices, Internet of Things (IoT) devices, and servers).

CIS Control 2: Inventory and Control of Software Assets — 7 Safeguards
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network.

CIS Control 3: Data Protection — 14 Safeguards
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS Control 4: Secure Configuration of Enterprise Assets and Software — 12 Safeguards
Establish and maintain the secure configuration of enterprise assets (end-user devices, network devices, IoT devices, and servers) and software.

CIS Control 5: Account Management — 6 Safeguards
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

CIS Control 6: Access Control Management — 8 Safeguards
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

CIS Control 7: Continuous Vulnerability Management — 7 Safeguards
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure.

CIS Control 8: Audit Log Management — 12 Safeguards
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS Control 9: Email and Web Browser Protections — 7 Safeguards
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

CIS Control 10: Malware Defenses — 7 Safeguards
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

CIS Control 11: Data Recovery — 5 Safeguards
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

CIS Control 12: Network Infrastructure Management — 8 Safeguards
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

CIS Control 13: Network Monitoring and Defense — 11 Safeguards
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

CIS Control 14: Security Awareness and Skills Training — 9 Safeguards
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

CIS Control 15: Service Provider Management — 7 Safeguards
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

CIS Control 16: Application Software Security — 14 Safeguards
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

CIS Control 17: Incident Response Management — 9 Safeguards
Establish a program to develop and maintain an incident response capability (policies, plans, procedures, defined roles, training, and communications) to prepare for, detect, and quickly respond to an attack.

CIS Control 18: Penetration Testing — 5 Safeguards
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Implementation Groups (IGs) are CIS's recommended way to prioritize implementation of the CIS Controls. To serve enterprises of every size, the Safeguards are divided into three groups, IG1 through IG3, based on the risk profile of the enterprise and the resources it has available to implement the Controls.

Every enterprise should start with IG1. IG1 is defined as "essential cyber hygiene": the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks. The groups are cumulative: IG2 builds on IG1, and IG3 adds the Safeguards that must withstand targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

I stop giving details on CIS here and turn to AWS. In fact, if you want to implement the CIS Controls on AWS, your life is much easier.

You can first measure the security level of your systems against the AWS-related benchmarks that CIS publishes. The CIS website offers the following:

Amazon Linux Benchmarks

  • CIS Amazon Linux 2 Benchmark
  • CIS Amazon Linux 2 STIG Benchmark
  • CIS Amazon Linux Benchmark

AWS Benchmarks

  • CIS Amazon Web Services Foundations Benchmark
  • CIS AWS End User Compute Services Benchmark
  • CIS Amazon Web Services Three-tier Web Architecture Benchmark

Other benchmarks related to AWS

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark

These benchmarks help you apply the controls to AWS services.
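As an added example (not from the original post and not CIS's or AWS's own tooling), here is how a handful of CIS Amazon Web Services Foundations Benchmark items become an automated check over the IAM credential report. The CSV layout matches what `aws iam get-credential-report` returns after base64-decoding; the rows below are constructed, the fixed clock is there so the output is reproducible, and the item numbers (1.4, 1.5, 1.10, 1.14) follow v1.4.0 of the benchmark as I recall them, so confirm them against the benchmark version you are assessing.

```python
"""Check a few CIS AWS Foundations Benchmark items against an IAM credential report (offline)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: the columns are the real credential-report columns, the values are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-03-01T10:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-05T00:00:00+00:00,true,2024-03-01T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,2024-03-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-06T00:00:00+00:00,true,2024-03-01T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,false,true,2023-01-01T00:00:00+00:00,2024-03-01T08:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-15T00:00:00+00:00,2024-03-01T07:00:00+00:00,us-east-1,ecr,true,2023-02-15T00:00:00+00:00,2023-02-16T00:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

MAX_KEY_AGE_DAYS = 90                                   # benchmark 1.14: rotate keys every 90 days or less
DEMO_NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)   # fixed "now" for the constructed sample


def _parse_ts(value):
    """Report timestamps are ISO 8601; non-dates appear as N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def check_credential_report(report_csv, now):
    """Return (benchmark_item, user, detail) tuples for every failed check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # 1.4: no root access key may exist; 1.5: root must have MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append(("1.4", user, "root access key exists"))
            if row["mfa_active"] != "true":
                findings.append(("1.5", user, "root MFA not enabled"))
            continue
        # 1.10: every IAM user with a console password must have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("1.10", user, "console password without MFA"))
        # 1.14: each active access key must have been rotated within MAX_KEY_AGE_DAYS.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(("1.14", user, f"access key {n} is {age} days old"))
    return findings


def demo_findings():
    """Run the checks over the constructed report with the fixed clock."""
    return check_credential_report(SAMPLE_REPORT, DEMO_NOW)


if __name__ == "__main__":
    for item, user, detail in demo_findings():
        print(f"[CIS {item}] {user}: {detail}")
```

Against a live account you would replace `SAMPLE_REPORT` with the decoded `Content` of `get-credential-report` and `DEMO_NOW` with the current UTC time; the point of keeping the parsing separate from the API call is that the checks stay unit-testable and can run in CI without credentials.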


If you do not want to deal with this yourself, the AWS Marketplace also offers CIS Hardened Images: OS images to which these benchmark settings have already been applied.

https://www.cisecurity.org/cis-hardened-images/amazon/
https://aws.amazon.com/marketplace/seller-profile?id=dfa1e6a8-0b7b-4d35-a59c-ce272caee4fc&ref=dtl_B078SH1GP1

Where those images do not meet your needs, the links below give detailed listings, delivered as AWS Config conformance packs, of which AWS Config rules to apply for each IG.

IG1: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8.html

IG2: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8-ig2.html

IG3: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis-critical-security-controls-v8-ig3.html

Although AWS helps a lot with implementing the CIS Controls, it still pays to understand the standard itself in detail, both to achieve compliance thoroughly and to map AWS's security features to the Controls more accurately. Given the resources available for them, the CIS Controls are a good starting point.
