CIS AWS Foundations Benchmark with AWS Security Hub

Dhaval Soni
6 min read · Apr 16, 2021

CIS AWS Foundations Benchmark

For the first time ever, the Center for Internet Security (CIS) has issued a set of security best practices specific to an individual cloud service provider via the CIS AWS Foundations Benchmark, the result of a partnership between CIS and Amazon Web Services. These best practices, which are accepted throughout the industry, give concise, step-by-step instructions for AWS users.

Embracing these CIS Benchmarks will make your life easier in a number of ways:

  • Removes the guesswork for security professionals: You no longer have to worry about the foundational security measures in your AWS infrastructure. These best practices ensure your core AWS security can be implemented in a straightforward fashion.
  • Constantly evaluates security: These best practices reduce the complexity of managing risk and auditing the use of AWS for all kinds of systems, including critical, audited, and regulated ones.
  • Integrates into the security and audit ecosystem: CIS Benchmarks are interwoven into products developed by 20 security vendors, are referenced by FedRAMP and PCI DSS 3.2, and are included in the National Vulnerability Database National Checklist Program. Any of these audit processes can incorporate the AWS security best practices in order to integrate with tools and solutions.

These benchmarks are the gold standard for securely configuring traditional IT components, with an emphasis on foundational, testable, and architecture-agnostic settings. The CIS Benchmarks cover AWS Identity and Access Management (IAM), AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon VPC.

AWS Security Hub

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards such as PCI DSS, the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.

AWS Security Hub collects security data from Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Macie and supported third-party partner products, and helps you analyze your security trends and identify the highest-priority security issues.

How does it work?

The following image is a good illustration of how AWS Security Hub works. It shows the status of high-priority security alerts and compliance checks detected across multiple AWS services in a single, centralized management screen.

AWS Security Hub

The following AWS services can be targeted for centralized management of AWS Security Hub.

1. Amazon GuardDuty

2. Amazon Inspector

3. IAM Access Analyzer

4. Amazon Macie

5. AWS Firewall Manager

Other AWS accounts and supported third-party partner products are also eligible sources. Security Hub also checks whether your AWS environment is in general compliance based on the results of these analyses.

It is convenient to perform the necessary monitoring on a regular basis in an easier and more understandable way. However, it should be noted that AWS Security Hub has no built-in automatic remediation tied to its integrated alerts, so administrators will have to deal with security issues themselves.

Setting up AWS Security Hub

When you enable Security Hub from the console, you can also enable the supported security standards. When you enable Security Hub from the API, the CIS AWS Foundations Benchmark standard is enabled automatically. Many of the controls for the security standards rely on AWS Config service-level rules.

Security Hub provides controls for the following standards.

1. CIS AWS Foundations

2. Payment Card Industry Data Security Standard (PCI DSS 3.2.1)

3. AWS Foundational Security Best Practices

Analyze findings

After 24 hours, you can view a summary of the results of each standard’s security checks on the Security Hub console. An example of the summary:

Security Standards

From the Security standards page, you can display a details page for the standard. You can only display details for an enabled standard and cannot display details for a disabled standard.

At the top of the details page is the overall score for the standard. The overall score is the percentage of passed controls relative to the number of enabled controls that have data.

Security Standards

Next to the overall score is a chart summarizing the control statuses. The chart shows the percentage of failed and passed controls. When you pause on the chart, the pop-up displays the number of failed controls for each severity, the number of controls with a status of Unknown, and the number of passed controls.

At the bottom of the details page is the list of controls for the standard. The control list is organised and sorted based on the current overall status of the control and the severity assigned to each control.

To display the list of controls for an enabled standard:

1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

2. In the Security Hub navigation pane, choose Security standards.

3. For the standard that you want to display the details for, choose View results.

CIS AWS Foundations Benchmark Dashboard

Enabling or Disabling Controls

When you enable a standard, all the controls for that standard are enabled by default. You can then disable and enable specific controls within an enabled standard.

When you disable a control, the following occurs:

1. The check for the control is no longer performed.

2. No additional findings are generated for that control.

3. The related AWS Config rules that Security Hub created are removed.

It can be useful to turn off security checks for controls that are not relevant to your environment.

For each finding, AWS Security Hub provides access to details to help you investigate the finding. You can display details about the finding resource and the related configuration rule. You can also view any notes added to the finding.

For each security check, you can view the related requirements of the security check against the CIS AWS Foundations Benchmark v1.2.0 standard in the Related requirements tab.

CIS AWS Foundations Benchmark — Related requirements

Resources contain information about the affected resources related to this security check.

Resources

In the Investigate column, you can view the timeline of the resource’s configuration on AWS Config. You can also view the relevant AWS Config rule here to understand better why the security check passed or failed.

Investigate

Remediate findings

Now that you have the results of the security checks for each of the standards, you can prepare your AWS account for the CIS AWS Foundations Benchmark assessment by remediating each of the findings.

For each control in a standard, there is a link to instructions on how to remediate that control in the event of a failed security check.

Remediation instructions

After the remediation, the status will be evaluated again at the next cycle of security checks on the standard’s controls. It will either be Passed or Failed depending on the action taken.

CIS AWS Foundations Benchmark Dashboard

Taking this a step further, by combining AWS Security Hub and AWS Config with other AWS services such as AWS Lambda, we would be able to automate the remediation steps. For example, deactivate AWS access keys older than 90 days, or disable IAM accounts that have not logged in for X days.
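As an added example (not code from the original post), here is the shape such a Lambda remediation could take for the first case: it receives a Security Hub custom-action event, finds the IAM users the finding names, and sets any active access key older than 90 days to Inactive. The event layout (`detail.findings`, `AwsIamUser` resources carrying the user ARN) and the 90-day threshold are assumptions; the age-selection logic is kept separate from the AWS calls so it can be tested offline.

```python
"""Added example: deactivate IAM access keys older than 90 days from a Security Hub
custom-action event. Not part of the original post; event shape is an assumption."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed threshold, matching the post's example


def select_stale_keys(key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return AccessKeyIds that are Active and older than max_age_days.

    key_metadata has the layout of IAM list_access_keys()["AccessKeyMetadata"]:
    dicts with "AccessKeyId", "Status" and a timezone-aware "CreateDate".
    Already-inactive keys are left alone so a re-run is idempotent.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in key_metadata
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


def user_names_from_finding(finding):
    """Pull IAM user names out of a finding's Resources list.

    Assumes the resource Id is the user ARN, e.g.
    arn:aws:iam::123456789012:user/path/alice -> "alice".
    """
    names = []
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsIamUser" and ":user/" in res.get("Id", ""):
            names.append(res["Id"].rsplit("/", 1)[-1])
    return names


def lambda_handler(event, context=None):
    """Entry point for a Security Hub custom action delivered via EventBridge."""
    import boto3  # imported here so the pure functions above run without the SDK
    iam = boto3.client("iam")
    now = datetime.now(timezone.utc)
    deactivated = []
    for finding in event.get("detail", {}).get("findings", []):
        for user in user_names_from_finding(finding):
            keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            for key_id in select_stale_keys(keys, now):
                # Deactivate rather than delete so the owner can recover if needed.
                iam.update_access_key(UserName=user, AccessKeyId=key_id,
                                      Status="Inactive")
                deactivated.append((user, key_id))
    # Security Hub re-evaluates the control on its next cycle; the finding
    # will flip to Passed once no stale active key remains.
    return {"deactivated": deactivated}
```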

A recommended approach for Security Hub and AWS Config is to enable these services in all the AWS regions that the organization uses. AWS Security Hub and AWS Config are regional services, so each only monitors the AWS region in which it is enabled.
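The two points above (enabling Security Hub and its standards through the API, and doing so in every region because the service is regional) can be combined into one script. This is an added example with boto3, not code from the original post; the standard ARNs follow the regional `arn:aws:securityhub:<region>::...` pattern, the `aws` partition is assumed, and AWS Config recording is assumed to already be on in each region so the controls have data to evaluate.

```python
"""Added example: enable Security Hub plus chosen standards in every enabled
region of the account. Not from the original post; partition 'aws' assumed."""

# Suffixes of the standards the post lists, keyed by a short name.
STANDARDS = {
    "cis": "ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    "pci": "standards/pci-dss/v/3.2.1",
    "fsbp": "standards/aws-foundational-security-best-practices/v/1.0.0",
}


def standard_arn(region, name):
    """Security Hub standard ARNs are regional, so they must be built per region."""
    return f"arn:aws:securityhub:{region}::{STANDARDS[name]}"


def standards_to_enable(enabled_arns, region, names):
    """Return the ARNs from `names` that are not yet subscribed in `region`."""
    already = set(enabled_arns)
    return [arn for arn in (standard_arn(region, n) for n in names)
            if arn not in already]


def enable_region(region, names=("cis",)):
    """Enable Security Hub in one region and subscribe the missing standards."""
    import boto3  # imported here so the helpers above run without the SDK
    hub = boto3.client("securityhub", region_name=region)
    try:
        # Disable the defaults so the region ends up with exactly `names`.
        hub.enable_security_hub(EnableDefaultStandards=False)
    except hub.exceptions.ResourceConflictException:
        pass  # already enabled in this region; keep going to reconcile standards
    subs = hub.get_enabled_standards()["StandardsSubscriptions"]
    missing = standards_to_enable([s["StandardsArn"] for s in subs], region, names)
    if missing:
        hub.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": a} for a in missing])
    return missing


def enable_all_regions(names=("cis",)):
    """describe_regions() lists only regions enabled for the account, which is
    what we want: opted-out regions cannot host Security Hub anyway."""
    import boto3
    ec2 = boto3.client("ec2")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return {region: enable_region(region, names) for region in regions}


if __name__ == "__main__":
    for region, newly in enable_all_regions(("cis", "fsbp")).items():
        print(region, "newly subscribed:", newly or "nothing")
```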

Dhaval Soni

Dhaval is a seasoned Solutions Architect with expertise in designing, implementing, securing, and managing enterprise cloud computing solutions for customers.