# Cloud Security Foundations

## CIS Benchmarks & Compliance Frameworks
Security frameworks provide structured guidance for cloud configurations. The Center for Internet Security (CIS) Benchmarks are the most widely adopted, offering prescriptive controls that map to regulatory requirements.
### Understanding CIS Benchmarks
CIS Benchmarks are community-driven security guidelines developed by thousands of security professionals worldwide. They cover 100+ technologies across eight categories:
| Category | Examples |
|---|---|
| Cloud Providers | AWS, Azure, GCP, Alibaba Cloud |
| Operating Systems | Windows Server, Ubuntu, RHEL, macOS |
| Container Platforms | Docker, Kubernetes, EKS, AKS, GKE |
| Databases | SQL Server, PostgreSQL, MongoDB |
| Network Devices | Cisco, Palo Alto, Juniper |
| Desktop Software | Microsoft Office, Chrome, Edge |
| Mobile Devices | iOS, Android |
| Server Software | Apache, Nginx, IIS |
### Benchmark Levels
CIS Benchmarks use two security levels:
Level 1 - Foundational Security:
- Basic security hardening
- Minimal impact on functionality
- Essential for all organizations
- Example: Enable MFA for root/admin accounts
Level 2 - Defense in Depth:
- Enhanced security controls
- May reduce functionality or convenience
- For security-conscious organizations
- Example: Restrict all public access by default
### Cloud-Specific CIS Foundations Benchmarks

#### AWS Foundations Benchmark (v3.0.0)
Key control categories:
| Section | Focus Area | Key Controls |
|---|---|---|
| 1 | Identity & Access | MFA, password policy, access keys |
| 2 | Storage | S3 public access, encryption |
| 3 | Logging | CloudTrail, Config, Flow Logs |
| 4 | Monitoring | CloudWatch alarms, metric filters |
| 5 | Networking | Security groups, VPC flow logs |
Critical controls:
```yaml
# CIS AWS 1.5 - Ensure MFA is enabled for root account
- Control: "1.5"
  Description: "Hardware MFA for root user"
  Severity: Critical
# CIS AWS 2.1.1 - Ensure S3 buckets have server-side encryption
- Control: "2.1.1"
  Description: "Enable default encryption on all buckets"
  Severity: High
```
#### Azure Foundations Benchmark (v2.1.0)
Key control categories:
| Section | Focus Area | Key Controls |
|---|---|---|
| 1 | Identity & Access | MFA, conditional access, PIM |
| 2 | Microsoft Defender | Defender for Cloud settings |
| 3 | Storage | Secure transfer, encryption |
| 4 | Database | TDE, firewall rules |
| 5 | Logging | Diagnostic settings, Activity Log |
| 6 | Networking | NSGs, private endpoints |
| 7 | Virtual Machines | Disk encryption, endpoint protection |
#### GCP Foundations Benchmark (v2.0.0)
Key control categories:
| Section | Focus Area | Key Controls |
|---|---|---|
| 1 | Identity & Access | Security key enforcement, API keys |
| 2 | Logging & Monitoring | Cloud Audit Logs, alerts |
| 3 | Networking | Firewall rules, private access |
| 4 | Compute | Shielded VMs, serial port |
| 5 | Storage | Uniform bucket access |
| 6 | Cloud SQL | Public IP, backups |
| 7 | BigQuery | Dataset access |
### Compliance Mapping
CIS Benchmarks map to major regulatory frameworks:
| Framework | Requirement | CIS Mapping |
|---|---|---|
| PCI DSS | Requirement 8 (Authentication) | CIS IAM controls |
| HIPAA | Technical Safeguards | CIS encryption, access controls |
| SOC 2 | CC6.1 (Logical Access) | CIS IAM section |
| NIST 800-53 | AC (Access Control) | CIS IAM, network controls |
| GDPR | Article 32 (Security) | CIS encryption, logging |
| FedRAMP | Various controls | Full CIS benchmark alignment |
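The two critical controls listed under the AWS benchmark above, and the framework mapping in this table, worked into a small offline checker. This is an added example, not course material and not code from CIS, Prowler or any other tool named on this page: the shape of `ACCOUNT_SNAPSHOT` (what a collector script might export from the IAM and S3 APIs), the `Finding` record and the `FRAMEWORK_MAP` are assumptions built from the page's tables, and every value in the snapshot is constructed.

```python
"""Offline evaluation of CIS AWS 1.5 (root hardware MFA) and 2.1.1 (S3 default
encryption) against an account snapshot, with each finding mapped to the
regulatory requirements the compliance table lists for that CIS section.
Added example; snapshot format and framework map are assumptions."""
from dataclasses import dataclass

# Constructed snapshot: made-up values in the shape a collector might export.
ACCOUNT_SNAPSHOT = {
    "root_account": {"mfa_active": False, "hardware_mfa": False},
    "s3_buckets": [
        {"name": "app-logs", "default_encryption": "AES256"},
        {"name": "raw-uploads", "default_encryption": None},
        {"name": "exports", "default_encryption": "aws:kms"},
    ],
}

# CIS section -> regulatory requirements, taken from the compliance mapping table.
FRAMEWORK_MAP = {
    "iam": ["PCI DSS Req 8", "SOC 2 CC6.1", "NIST 800-53 AC",
            "HIPAA Technical Safeguards"],
    "storage": ["HIPAA Technical Safeguards", "GDPR Art. 32"],
}

# Lower rank sorts first when prioritising remediation.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    control: str      # CIS control id as printed on the page
    title: str
    severity: str
    level: int        # CIS benchmark level (1 = foundational, 2 = defense in depth)
    resource: str
    frameworks: list  # regulatory requirements put at risk by this finding


def check_root_mfa(snapshot):
    """CIS AWS 1.5: one Critical finding unless root has an active hardware MFA."""
    root = snapshot["root_account"]
    if root["mfa_active"] and root["hardware_mfa"]:
        return []
    return [Finding("1.5", "Hardware MFA for root user", "Critical", 1,
                    "root", FRAMEWORK_MAP["iam"])]


def check_s3_default_encryption(snapshot):
    """CIS AWS 2.1.1: one High finding per bucket with no default encryption."""
    return [Finding("2.1.1", "Enable default encryption on all buckets", "High", 1,
                    b["name"], FRAMEWORK_MAP["storage"])
            for b in snapshot["s3_buckets"] if not b["default_encryption"]]


CHECKS = [check_root_mfa, check_s3_default_encryption]


def run_checks(snapshot):
    """Run every check; return findings ordered for remediation
    (highest severity first, then by control id)."""
    findings = [f for check in CHECKS for f in check(snapshot)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.control))


def frameworks_affected(findings):
    """Distinct regulatory requirements touched by the open findings."""
    return sorted({fw for f in findings for fw in f.frameworks})


if __name__ == "__main__":
    results = run_checks(ACCOUNT_SNAPSHOT)
    for f in results:
        print(f"[{f.severity}] CIS {f.control} {f.title} -> {f.resource} "
              f"({', '.join(f.frameworks)})")
    print("Frameworks affected:", ", ".join(frameworks_affected(results)))
```

Run as-is it reports the missing root MFA first and the unencrypted `raw-uploads` bucket second; the `frameworks_affected` summary is the list an auditor would ask about, so it is the natural thing to attach to a ticket alongside the raw findings.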
## Implementing CIS Benchmarks

### Using Automated Tools
Checking every benchmark control by hand does not scale. Use automated scanners such as these:

```bash
# Prowler - AWS CIS Benchmark scanning
prowler aws --compliance cis_3.0_aws

# ScoutSuite - Multi-cloud assessment
scout aws --report-dir ./output

# Trivy - IaC scanning against CIS
trivy config --compliance cis-1.23 ./terraform
```
### Infrastructure as Code Compliance
Build compliance into your deployment:
```hcl
# Terraform - AWS S3 with CIS controls
resource "aws_s3_bucket" "compliant" {
  bucket = "my-compliant-bucket"
}

resource "aws_s3_bucket_versioning" "compliant" {
  bucket = aws_s3_bucket.compliant.id
  versioning_configuration {
    status = "Enabled" # CIS 2.1.3
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "compliant" {
  bucket = aws_s3_bucket.compliant.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # CIS 2.1.1
    }
  }
}

resource "aws_s3_bucket_public_access_block" "compliant" {
  bucket                  = aws_s3_bucket.compliant.id
  block_public_acls       = true # CIS 2.1.5.1
  block_public_policy     = true # CIS 2.1.5.2
  ignore_public_acls      = true # CIS 2.1.5.1
  restrict_public_buckets = true # CIS 2.1.5.2
}
```
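Writing the resources is half of "building compliance into the deployment"; the other half is a gate in the pipeline that refuses a plan where a bucket lacks its companion resources. The script below is an added example, not part of the course or of Terraform: it reads the JSON that `terraform show -json plan.out` produces (that schema is real; the `PLAN_JSON` sample here is a constructed stand-in with made-up values) and applies the same three CIS settings the snippet above pins. It links a bucket to its companion resources by bucket name, which assumes static bucket names; a name known only after apply appears as `null` in the plan and is reported as unverifiable rather than passed.

```python
"""Policy-as-code gate over `terraform show -json` output: every aws_s3_bucket
must have versioning enabled, default server-side encryption, and a full
public access block, following the CIS numbering used on this page.
Added example; PLAN_JSON is constructed sample data."""
import json
import sys

# Constructed plan: one compliant bucket and one bucket missing most controls.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"type": "aws_s3_bucket", "name": "compliant",
         "values": {"bucket": "my-compliant-bucket"}},
        {"type": "aws_s3_bucket_versioning", "name": "compliant",
         "values": {"bucket": "my-compliant-bucket",
                    "versioning_configuration": [{"status": "Enabled"}]}},
        {"type": "aws_s3_bucket_server_side_encryption_configuration",
         "name": "compliant",
         "values": {"bucket": "my-compliant-bucket",
                    "rule": [{"apply_server_side_encryption_by_default":
                              [{"sse_algorithm": "AES256"}]}]}},
        {"type": "aws_s3_bucket_public_access_block", "name": "compliant",
         "values": {"bucket": "my-compliant-bucket", "block_public_acls": True,
                    "block_public_policy": True, "ignore_public_acls": True,
                    "restrict_public_buckets": True}},
        {"type": "aws_s3_bucket", "name": "scratch",
         "values": {"bucket": "scratch-bucket"}},
        {"type": "aws_s3_bucket_public_access_block", "name": "scratch",
         "values": {"bucket": "scratch-bucket", "block_public_acls": True,
                    "block_public_policy": False, "ignore_public_acls": True,
                    "restrict_public_buckets": False}},
    ]}},
})

PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def _first(block_list):
    """Terraform renders nested blocks as lists; return the first or {}."""
    return block_list[0] if block_list else {}


def iter_resources(module):
    """Walk root_module and every nested child_modules entry."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan_text):
    """Return {bucket: [problems]} for buckets that fail any control."""
    plan = json.loads(plan_text)
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    # bucket name -> {resource type: values} for the companion resources
    companions_by_bucket = {}
    for r in resources:
        name = r.get("values", {}).get("bucket")
        if name is not None and r["type"] != "aws_s3_bucket":
            companions_by_bucket.setdefault(name, {})[r["type"]] = r["values"]

    violations = {}
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        name = r.get("values", {}).get("bucket")
        if name is None:
            violations[f"aws_s3_bucket.{r['name']}"] = [
                "bucket name unknown until apply; companions cannot be verified"]
            continue
        comp = companions_by_bucket.get(name, {})
        problems = []
        ver = comp.get("aws_s3_bucket_versioning", {})
        if _first(ver.get("versioning_configuration", [])).get("status") != "Enabled":
            problems.append("CIS 2.1.3: versioning not enabled")
        enc = comp.get("aws_s3_bucket_server_side_encryption_configuration", {})
        default_rule = _first(_first(enc.get("rule", []))
                              .get("apply_server_side_encryption_by_default", []))
        if not default_rule.get("sse_algorithm"):
            problems.append("CIS 2.1.1: no default server-side encryption")
        pab = comp.get("aws_s3_bucket_public_access_block", {})
        missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
        if missing:
            problems.append("CIS 2.1.5: public access block incomplete ("
                            + ", ".join(missing) + ")")
        if problems:
            violations[name] = problems
    return violations


def ci_gate(plan_text):
    """Exit status for a pipeline step: 0 when clean, 1 when any bucket fails."""
    violations = evaluate_plan(plan_text)
    for bucket, problems in violations.items():
        for p in problems:
            print(f"{bucket}: {p}")
    return 1 if violations else 0


if __name__ == "__main__":
    # Pass a real plan file as argv[1]; otherwise the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLAN_JSON
    sys.exit(ci_gate(text))
```

Because the check reads the plan rather than the `.tf` source, it also catches buckets created inside modules and attributes set through variables, which a regex over the source would miss.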
## Beyond CIS: Other Frameworks
| Framework | Focus | Use Case |
|---|---|---|
| NIST CSF 2.0 | Risk management | Enterprise governance |
| ISO 27001 | Information security | International certification |
| SOC 2 | Trust services | SaaS providers |
| CSA CCM | Cloud controls | Cloud-specific governance |
| AWS Well-Architected | AWS best practices | AWS environments |
## Building a Compliance Program
- Identify requirements: Which regulations apply?
- Map to CIS: Use CIS as baseline, map to specific requirements
- Automate scanning: Continuous compliance monitoring
- Remediate findings: Prioritize by risk
- Document evidence: Maintain audit trail
- Review regularly: Benchmarks update; so should your controls
Next module: We'll dive deep into IAM security, the most critical area for cloud protection.