Measuring Your AWS Security with CIS Benchmark

CIS Benchmarking Opens the Path for Security-Conscious AWS Services

If you haven’t done so already, it’s just a matter of time before you migrate at least a portion of your technology infrastructure to the cloud using Amazon Web Services (AWS). AWS is the most popular cloud service out there, so it’s possible, even likely, that shadow IT within your organization has already deployed services without IT department knowledge.

While AWS makes many cloud services easy to use, controlling access to your applications and data can be both complex and difficult. It is so easy for developers to deploy that processes and procedures can get circumvented. Compounding these challenges is the ever-changing cloud infrastructure. The big advantage of public cloud is that it is scalable and elastic, so how you use cloud services changes all the time. Even if you get it right at first, that is no guarantee of long-term security.

So you need to leverage the cloud, but security is a concern. How do you get the most out of AWS without making assets and services vulnerable?

Do Security Concerns Affect Your AWS Usage?

Every organization has a unique strategy for cloud deployment. Some companies favor use of private servers; others rely on the cloud for more economical technology infrastructure. The real question is: are you using AWS the right way for your business or do security considerations hold you back?

Establishing security parameters on AWS can be daunting. AWS IAM security policies allow broad configuration parameters that are complex and not easy to manage. Especially if you’re managing multiple AWS accounts, it’s not surprising that misconfigurations are common. If you leverage the right tools, you can succeed at security while taking advantage of AWS efficiencies.

For example, let’s say you enabled AWS CloudTrail on your existing systems. Will your team remember to enable it on all new services and regions? Did your team encrypt the CloudTrail logs and lock down the S3 bucket that receives them?
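The CloudTrail questions above are exactly the kind of check that can be automated. The following is an added example, not code from the original post or from Evident.io: it expresses those questions as checks in the style of the CloudTrail controls in the CIS AWS Foundations Benchmark (multi-region trail that is logging, log file validation on, logs encrypted with a KMS key, log bucket not publicly readable). The input dictionaries mirror the shape of boto3’s `describe_trails()`, `get_trail_status()` and `get_bucket_acl()` responses but are constructed here so the example runs offline; the trail names, bucket names, key ARN and canonical IDs are placeholders. In a real run you would pass the live API responses to `assess_account()` instead.

```python
# Added example: CIS-style CloudTrail checks over constructed, boto3-shaped data.
# Nothing here calls AWS; replace the SAMPLE_* data with real API responses.

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS_URI, AUTH_USERS_URI}


def check_trail(trail, status):
    """Return a list of findings for one trail (an empty list means compliant).

    `trail` is one entry of describe_trails()['trailList'];
    `status` is the matching get_trail_status() response.
    """
    findings = []
    # Trail must cover every region and actually be delivering logs.
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("not multi-region: activity in other regions is not recorded")
    if not status.get("IsLogging", False):
        findings.append("logging is stopped")
    # Log file validation lets you detect tampering with delivered log files.
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation disabled")
    # KmsKeyId is only present when logs are encrypted with a KMS key.
    if not trail.get("KmsKeyId"):
        findings.append("log files not encrypted with a KMS key")
    return findings


def bucket_is_public(acl):
    """True if a get_bucket_acl() response grants anything to AllUsers or
    AuthenticatedUsers, i.e. the log bucket is readable by the world."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def assess_account(trails, statuses, bucket_acls):
    """Evaluate every trail and its log bucket; returns {trail name: [findings]}."""
    report = {}
    for trail in trails:
        name = trail["Name"]
        findings = check_trail(trail, statuses.get(name, {}))
        bucket = trail.get("S3BucketName")
        if bucket_is_public(bucket_acls.get(bucket, {})):
            findings.append(f"log bucket {bucket} is publicly readable")
        report[name] = findings
    return report


# --- constructed sample data (placeholder names; not from any real account) ---
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
SAMPLE_STATUSES = {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": True}}
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_BUCKET_ACLS = {
    "example-cloudtrail-logs": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "example-legacy-logs": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ]},
}


def sample_report():
    """Run the checks on the constructed data; the legacy trail fails four ways."""
    return assess_account(SAMPLE_TRAILS, SAMPLE_STATUSES, SAMPLE_BUCKET_ACLS)


if __name__ == "__main__":
    for trail_name, findings in sample_report().items():
        print(trail_name, "OK" if not findings else findings)
```

Run on the sample data, `org-trail` comes back clean while `legacy-trail` reports that it is single-region, has validation off, is unencrypted and delivers to a world-readable bucket. Scheduling such a check per account and region is what turns a one-time review into the continuous monitoring the rest of this post argues for.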

To reduce the risk of breaches and avoid sweating these issues, security-conscious organizations may default to limited use of cloud technology. They only deploy technology assets that do not represent a risk on the open Internet. Mission critical applications remain in the data center, keeping costs high, access limited and flexibility low.

Distrust of security keeps enterprises from making the best use of cloud services. This may not be noticed quarter to quarter by a large company accustomed to data center costs. However, growing organizations are learning that adopting cloud services gives them the flexibility to innovate and be competitive. That competitive advantage is available to any organization equipped to employ AWS.

To regain confidence and control over your security posture, you need to regularly review your AWS environment to ensure the settings you established at the start are still being applied and enforced. But the security assessments and security audit checklists that you created for your data center environment don’t apply to the AWS cloud.

Enter The Center for Internet Security (CIS) AWS Foundations Benchmark.

Begin with CIS Benchmarks for AWS

The CIS AWS Foundations Benchmark removes the guesswork for security officials—offering a cost-effective way to deploy and assess your AWS security measures with confidence. The CIS benchmarks represent consensus-based security best practices for organizations of all types—government, business, and industry.

Recognized as a trusted, independent authority, the CIS benchmarks are industry-accepted best practices for hardening standards and improving security. CIS benchmarks implement AWS security measures at a foundational level, giving security teams and AWS account owners a straightforward blueprint for implementing core security controls.

Better guidelines for security mean risk management is less complex. Integrated into the security and audit ecosystem, CIS Benchmarks are incorporated into products developed by 20 security vendors—referenced by PCI 3.1 and FedRAMP, as well as included in the National Vulnerability Database (NVD) and National Checklist Program (NCP). They are also favored by compliance departments required to meet Federal Information Security Management Act (FISMA), Payment Card Industry (PCI), and Health Insurance Portability and Accountability Act (HIPAA) standards.

CIS benchmarks clearly offer great benefit if you adopt them, but it can be difficult to monitor and maintain adherence over time in the dynamic environment that you often find running in AWS.

Automate CIS Benchmarking, Mitigate Risk in Real Time

Because of the valuable flexibility of cloud services, cloud usage is always changing, so you’re going to be constantly evolving your AWS security model. Audit teams require a way to consistently and reliably evaluate AWS security. We know it’s hard to stay on top of security, especially if your team is new to AWS, but an automated solution reduces complexity when managing risk for critical, audited, and regulated systems.

It is easy to get behind the security curve if you’re relying on manual inspection and remediation using the AWS Management Console. You will consume a fair amount of resources just dealing with complexity — and never get full visibility across all your AWS accounts. Even with the CIS benchmark to use as guidance, automation is an absolute necessity. Such tools are needed to continuously monitor cloud technology infrastructure and categorize risks according to CIS best practices.

We offer a new automation tool, the Evident Security Platform (ESP). This is a cloud security and compliance solution that continuously identifies and mitigates security misconfigurations in real time. ESP integrates into your security and audit ecosystem. The CIS Benchmark provides the yardstick for your AWS deployments, but it is ESP that provides continuous monitoring and validation that your environment adheres to the CIS Benchmark best practices. ESP also creates transparency, demonstrating how the risks in your cloud environment impact CIS benchmarks and whether improvement has been made or is needed.

ESP ensures CIS benchmarks are incorporated into products developed by 20 security vendors, referenced by PCI 3.1 and FedRAMP, and included in the National Vulnerability Database (NVD) and the National Checklist Program (NCP). Security checks are now integrated seamlessly into the security and audit ecosystem.

With full transparency at the most granular level, you can view the volume and severity of risk at the region and service-specific level and see when mistakes were made and by whom, so that your team members can be trained on proper procedures. Continuous security auditing against CIS benchmarks removes a big obstacle to optimal and secure AWS deployment.

Securing AWS is not an insurmountable obstacle. Hundreds (if not thousands) of organizations are deploying to AWS every day. We built the Evident Security Platform so that enterprises can take advantage of cloud capabilities on AWS for even their security-conscious applications with confidence. The solution is continuous monitoring based on constantly updated signatures and directions to remediate any issues. With CIS AWS Foundations Benchmarking implemented via ESP, we are making it easy for you to measure your AWS security against an industry-trusted standard.