DEV Community

Cover image for What's new in the CIS v2.0 benchmark for AWS
bob-bot for AWS Community Builders

Posted on

What's new in the CIS v2.0 benchmark for AWS

The Center for Internet Security (CIS) just released an updated version (v2.0) of their CIS AWS Benchmark. The new version of the benchmark includes 2 new recommendations, 1 removed, and updates to descriptions and remediation steps.

What are the latest major changes?

  • Added - 1.22 Ensure access to AWSCloudShellFullAccess is restricted:
    AWS CloudShell allows running CLI commands with full access, including file upload/download and sudo permissions. This presents a potential data exfiltration channel for malicious cloud admins. Restricting access and denying file transfer permissions through a more restrictive IAM policy is recommended. Personally, CloudShell is a great way to run commands in your account quickly and quickly enable tools like Steampipe. However, with any highly privileged role, boundary and lockdown permissions should be considered for the least privilege restrictions.

  • Added - 5.6 Ensure that EC2 Metadata Service only allows IMDSv2:
    Instance Metadata Service Version 2 (IMDSv2), which is a session-oriented method which provides temporary, frequently rotated credentials. Version 2 adds new protections to mitigate vulnerabilities from open website application firewalls, open reverse proxies, SSRF, etc. This is a common recommendation used across many other frameworks like NIST, FedRamp, and HIPAA.

  • Removed - 2.1.1 Ensure all S3 buckets employ encryption-at-rest:
    In Benchmark v1.5, the requirement for encryption-at-rest in S3 buckets (2.1.1) was removed since AWS now automatically encrypts all new objects using SSE-S3 as the default encryption setting since January 2023. Existing buckets with S3 Default Encryption remain unchanged, so you may want to still check for encryption-at-rest for legacy buckets. However, moving forward at a minimum all new buckets will be encrypted and you cannot remove encryption any longer. With the removal of the control, all other Storage recommendations have changed their IDs in section 2.0.

Try the new AWS CIS v2.0 controls!

The Steampipe AWS Compliance mod, is packed with hundreds of controls that check your AWS accounts for compliance with 25 benchmarks including NIST, PCI, HIPAA, SOC2, FedRAMP and more, now includes new controls for AWS CIS v2.0. If you're new to Steampipe, download Steampipe, install and configure the AWS plugin, and run these commands.

steampipe plugin update aws
git clone
cd steampipe-mod-aws-compliance
steampipe check aws_compliance.benchmark.cis_v200
Enter fullscreen mode Exit fullscreen mode

If you've already installed Steampipe and the AWS plugin, and cloned the AWS Compliance mod, then just do this.

cd steampipe-mod-aws-compliance
git pull
steampipe check aws_compliance.benchmark.cis_v200
Enter fullscreen mode Exit fullscreen mode

Here's a sample report in the console.

Steampipe AWS CIS v2.0 Benchmark console report

You can output results to formats including JSON, CSV, HTML, and ASFF, or use custom output templates to create new output formats.

To view the AWS CIS v2.0 benchmark report in your browser, run this command in the same cloned repo.

steampipe dashboard
Enter fullscreen mode Exit fullscreen mode

Then open http://localhost:9194 in your browser and view the dashboard.

Steampipe AWS CIS v2.0 Benchmark interactive dashboard

Extensible compliance controls

Steampipe delivers a full suite of tools to build, execute and share cloud configuration, compliance, and security frameworks using HCL + SQL! The community is constantly expanding the open source documentation and control coverage for CIS, PCI, HIPAA, NIST, and more. You can join the Steampipe Slack community to collaborate with other community members on your use cases.

Top comments (1)

rockjonn profile image
Rock Jonn

The updated CIS v2.0 benchmark for AWS brings valuable additions with recommendations for AWS CloudShell access and EC2 Metadata Service Version 2. Furthermore, the removal of the encryption-at-rest requirement in S3 buckets reflects AWS's enhanced default encryption settings. Steampipe's inclusion of CIS v2.0 compliance controls, along with its support for multiple frameworks, empowers users to effortlessly ensure compliance in their AWS environments. This combination of benchmark enhancements and the availability of tools like Steampipe greatly facilitates security and compliance management in AWS.