Today, we are happy to announce that the Center for Internet Security (CIS) has published the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures. This is the first time CIS has issued a set of security best practices specific to an individual cloud service provider.
This is good news for a number of key reasons:
- CIS Benchmarks are technical industry best practices. This removes guesswork for security professionals about how to implement foundational security measures in your AWS account. The prescribed best practices make implementation of core AWS security measures straightforward for security teams and AWS account owners.
- Audit teams can consistently evaluate the security of an AWS account. The best practices greatly reduce complexity when managing risk and auditing the use of AWS for critical, audited, and regulated systems.
- These security checks can be integrated into the security and audit ecosystem. CIS Benchmarks are incorporated into products developed by 20 security vendors, are referenced by PCI 3.1 and FedRAMP, and are included in the National Vulnerability Database (NVD) National Checklist Program (NCP). AWS security best practices can now be integrated into these audit processes and will integrate seamlessly into these security vendor tools and solutions.
For 16 years, CIS Benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components. The release of the CIS AWS Foundations Benchmark into this existing ecosystem marks one of many milestones for the maturation of the cloud and its suitability for sensitive and regulated workloads.