CIS Benchmarking and Kube-bench

Sibin John
Cloudnloud Tech Community
3 min read · Feb 19, 2023

In this blog we give an abbreviated overview of the CIS Benchmark process that AWS provides and recommends.

What is CIS Benchmarking?

The Center for Internet Security (CIS) is a nonprofit that developed the CIS AWS Foundations Benchmark. It is a set of security best practices that can be applied to all the IT systems a company runs in AWS.

How to use CIS Benchmarking?

CIS Benchmarks are security best practice guidelines that are specific to vendor products. Ranging from operating systems to cloud services and network devices, the settings applied from a benchmark protect the specific systems that your organization uses.

You can use the CIS AWS Foundations Benchmark v1.2 frameworks in AWS Audit Manager to help you prepare for CIS audits. You can also customize these frameworks and their controls to support internal audits with specific requirements.

Why are CIS Benchmarks important?

Tools such as the CIS Benchmarks are important because they outline security best practices, developed by security professionals and subject matter experts, for deploying over 25 different vendor products. These best practices are a good starting point for creating a new product or service deployment plan or for verifying that existing deployments are secure.

When you implement CIS Benchmarks, you can better secure your legacy systems against common and emerging risks by taking steps such as these:

* Disabling unused ports

* Removing unnecessary app permissions

* Limiting administrative privileges

IT systems and applications also perform better when you disable unnecessary services.

Examples of CIS Benchmarks

The CIS AWS Foundations Benchmark gives administrators step-by-step guidelines. Some examples of its recommendations are:

* Setting up a strong password policy for AWS Identity and Access Management (IAM)

* Password policy enforcement

* Multi-factor authentication (MFA) usage

* Disabling root

* Ensuring access keys are rotated every 90 days

and so on.
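The recommendations above (MFA for console users, no access keys on the root account, keys rotated within 90 days) can be verified from the account's IAM credential report. The script below is an added example, not code from this post or from CIS: it assumes the CSV layout returned by `aws iam get-credential-report` (after base64 decoding), and the report content it evaluates is constructed sample data for a fictional account, not a real one.

```python
"""Evaluate an AWS IAM credential report against CIS AWS Foundations style
checks: MFA for console users, no root access keys, keys rotated <= 90 days.

Added example, not part of the original post. Column names follow the real
`aws iam get-credential-report` CSV (a subset of its columns is used); the
report content below is CONSTRUCTED sample data, not a real account."""

import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # CIS recommendation: rotate access keys every 90 days

# Constructed sample credential report (fictional account id 123456789012).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2023-02-01T10:00:00+00:00,not_supported,not_supported,true,true,2021-06-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T00:00:00+00:00,true,2023-02-10T08:00:00+00:00,2022-12-01T00:00:00+00:00,N/A,true,true,2023-01-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-05T00:00:00+00:00,true,2023-02-12T08:00:00+00:00,2022-03-05T00:00:00+00:00,N/A,false,true,2022-03-05T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-05-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-09-01T00:00:00+00:00,true,2023-02-01T00:00:00+00:00
"""

# Constructed "current time" so the sample evaluates deterministically.
SAMPLE_NOW = datetime(2023, 2, 19, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime for an ISO timestamp, or None for N/A,
    not_supported, no_information and similar non-date markers."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def evaluate_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for rows that fail a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # The root account should carry no access keys and must have MFA.
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue

        # Console users (password enabled) must have MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Every active access key must have been rotated within the limit.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                findings.append((user, f"access key {slot} has no rotation date"))
                continue
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(
                    (user, f"access key {slot} is {age} days old (>{MAX_KEY_AGE_DAYS})")
                )
    return findings


def run_sample():
    """Evaluate the constructed sample report at the constructed time."""
    return evaluate_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the sample data this reports four findings: the root account still has an active access key, bob signs in with a password but no MFA, and both bob's and ci-deploy's first access keys are well past 90 days, while alice's recently rotated key passes. Against a real account, feed in the decoded report instead of SAMPLE_REPORT and use the current UTC time.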

What are the benefits of CIS Benchmark practices in an organization?

They provide organizations with a proven framework for security configurations so that companies can avoid trial-and-error scenarios. CIS Benchmarks are the only best practice guides that are globally recognized and accepted by governments, businesses, research, and academic institutions alike.

It's also cost-effective, since CIS Benchmark documentation is freely available for anyone to download and implement. Your company can get up-to-date, step-by-step instructions for all kinds of IT systems at no cost. You can achieve IT governance and avert financial and reputational damage from preventable cyberthreats.

Regulatory compliance

CIS Benchmarks align with major security and data privacy frameworks such as these:

* National Institute of Standards and Technology (NIST) Cybersecurity Framework

* Health Insurance Portability and Accountability Act (HIPAA)

* Payment Card Industry Data Security Standard (PCI DSS)

Are there any tools to run CIS Benchmarks in EKS?

Well, yes: there is a tool named kube-bench for running CIS benchmarks. Kube-bench checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

https://www.cisecurity.org/benchmark/kubernetes

The tests are configured with YAML manifests, so it's easy to update them when the standard is updated or changed.

There are multiple ways to run kube-bench. It can run inside a pod, but it needs access to the host's PID namespace to check running processes, and to some host directories where config and other files are stored.

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME               READY   STATUS              RESTARTS   AGE
kube-bench-j89s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME               READY   STATUS      RESTARTS   AGE
kube-bench-j89s9   0/1     Completed   0          15s

# The results are held in the pod's logs
$ kubectl logs kube-bench-j89s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server

It is recommended to run kube-bench regularly to identify security vulnerabilities and configuration issues that may exist in the cluster.
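When kube-bench runs on a schedule, the useful output is not the raw log but the set of failing check ids and how it changed since the last run. The script below is an added example, not part of the kube-bench project: it parses log lines of the shape shown above (a `[STATUS]` tag, a check id, a description, with `[INFO]` lines acting as section headings), counts results per status and reports which checks newly fail compared with a previous run. The log lines it parses are constructed with placeholder descriptions, not CIS benchmark wording.

```python
"""Summarize kube-bench log output and detect newly failing checks.

Added example, not code from the kube-bench project. The sample log is
CONSTRUCTED in the shape of kube-bench output: "[STATUS] <id> <description>",
where STATUS is INFO (section heading), PASS, FAIL or WARN. The descriptions
are placeholders, not the real CIS Kubernetes Benchmark check texts."""

import re
from collections import Counter

# Constructed sample of what `kubectl logs <kube-bench-pod>` might contain.
SAMPLE_LOG = """\
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[PASS] 1.1.1 placeholder check that passes
[FAIL] 1.1.2 placeholder check that fails
[WARN] 1.1.3 placeholder check needing manual review
[INFO] 1.2 Scheduler
[PASS] 1.2.1 placeholder check that passes
[FAIL] 1.2.2 another placeholder failure
"""

# One result line: status tag, dotted check id, free-text description.
LINE_RE = re.compile(r"^\[(INFO|PASS|FAIL|WARN)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")


def parse_kube_bench(log_text):
    """Return a list of dicts (status, id, desc, section) for each check line."""
    results = []
    section = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # remediation text, blank lines and summary lines are skipped
        status, check_id, desc = m.groups()
        if status == "INFO":
            section = f"{check_id} {desc}"  # INFO lines open a new section
            continue
        results.append({"status": status, "id": check_id, "desc": desc, "section": section})
    return results


def summarize(results):
    """Return (counts by status, list of failing check ids in log order)."""
    counts = Counter(r["status"] for r in results)
    failed = [r["id"] for r in results if r["status"] == "FAIL"]
    return dict(counts), failed


def new_failures(previous_failed, current_failed):
    """Check ids failing now that did not fail in the previous run."""
    return sorted(set(current_failed) - set(previous_failed))


def run_sample():
    """Summarize the constructed sample log."""
    return summarize(parse_kube_bench(SAMPLE_LOG))


if __name__ == "__main__":
    counts, failed = run_sample()
    print("counts:", counts)
    print("failing checks:", failed)
    # Pretend the previous scheduled run only had 1.1.2 failing.
    print("new failures since last run:", new_failures(["1.1.2"], failed))
```

Storing the failing ids from each run (for example alongside the job's date) lets a team alert only on regressions, while WARN results, which kube-bench uses for checks that need manual review, are tracked separately rather than treated as failures.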

If the worker nodes are not identical in type and configuration, it is better to run the benchmarks on all nodes. In that case, instead of a single pod, kube-bench can run as a DaemonSet to check every node against the CIS benchmarks.

For reference:
https://github.com/aquasecurity/kube-bench

https://aws.amazon.com/what-is/cis-benchmarks/
