Center for Internet Security Benchmarks for Amazon Web Services

Sarath Tamminana
KPMG UK Engineering
Jan 30, 2024 (3 min read)


This article gives an overview of the CIS Benchmarks and the security recommendations they offer. The CIS Benchmarks are a collection of configuration guidelines established by the Center for Internet Security, a group that publishes recommendations for deploying and hardening various servers, applications, and cloud providers.
I have tried to enumerate the AWS Cloud-specific security standards. I firmly believe that understanding these standards is good practice regardless of the cloud we operate in today. As we all know, cloud providers differ from one another, but they all fundamentally offer comparable services for compute, storage, networking, and serverless functionality.

The CIS Benchmarks for AWS are divided into multiple sections, but the four below are the core sections to concentrate on initially.
1. Identity and Access Management
2. Logging
3. Monitoring
4. Networking

Identity and Access Management
1. IAM policies should not allow full “*” administrative privileges.
2. IAM users’ access keys should be rotated every 90 days or less.
3. The IAM root user access key should not be used for normal operations.
4. MFA should be enabled for all IAM users that have a console password.
5. Unused IAM user credentials should be removed.
6. MFA should be enabled for the root user.
7. Ensure the IAM password policy requires at least one uppercase letter, lowercase, symbol, number, and length of 14 or greater.
8. Ensure the IAM password policy prevents password reuse.
9. Ensure the IAM password policy expires passwords within 90 days or less.
10. Ensure a support role has been created to manage incidents with AWS Support.

Logging
1. CloudTrail should be enabled and configured with at least one multi-region trail that includes read and write management events.
2. CloudTrail should have encryption at rest enabled.
3. CloudTrail log file validation should be enabled.
4. CloudTrail trails should be integrated with Amazon CloudWatch Logs.
5. Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible.
6. Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket.
7. VPC flow logging should be enabled in all VPCs.

Monitoring
1. A log metric filter and alarm should exist for usage of the “root” user
2. Ensure a log metric filter and alarm exist for unauthorized API calls
3. Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
4. Ensure a log metric filter and alarm exist for IAM policy changes
5. Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes
6. Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
7. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-managed keys
8. Ensure a log metric filter and alarm exist for S3 bucket policy changes
9. Ensure a log metric filter and alarm exist for AWS Config configuration changes
10. Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL), Security Group Changes, and Network Gateways
11. Ensure a log metric filter and alarm exist for route table changes
12. Ensure a log metric filter and alarm exist for VPC changes

Networking
1. Limit network access to your applications using features like Security Groups.
2. The benchmarks recommend disabling access to port 22 on any server, denying access to any attackers trying to use SSH to break in.
3. Ensure your route tables are set up properly, so your subnets are only able to communicate with the services you expect.
4. Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389.
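As an added example (not from the article, nor the CIS benchmark's own assessment tooling), here is the Security Group check above written as a Python evaluation over records in the shape of the EC2 DescribeSecurityGroups response. It also covers the cases the one-line recommendation leaves implicit: a TCP port range that spans 22 or 3389, and an "all traffic" (IpProtocol "-1") rule, which carries no port fields at all. The group ids and CIDRs are constructed sample data.

```python
from typing import Iterable, List, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)  # SSH and RDP, the ports named by the check


def rule_reaches_port(rule: dict, port: int) -> bool:
    """True if an IpPermission entry covers `port`. IpProtocol "-1" means all
    traffic (no FromPort/ToPort); TCP rules cover FromPort..ToPort inclusive."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def rule_is_world_open(rule: dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_violations(security_groups: Iterable[dict]) -> List[Tuple[str, int]]:
    """Return sorted (GroupId, port) pairs for every world-open admin port."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if rule_is_world_open(rule):
                for port in ADMIN_PORTS:
                    if rule_reaches_port(rule, port):
                        findings.add((sg["GroupId"], port))
    return sorted(findings)


# Constructed sample: sg-0a limits SSH to a private range (compliant), sg-0b
# exposes 22 through a port range, sg-0c exposes everything over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]

if __name__ == "__main__":
    for group_id, port in find_violations(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} reachable from the internet")
```

Feeding it real data is a matter of passing the `SecurityGroups` list from `aws ec2 describe-security-groups` (or the equivalent boto3 call) in place of the sample.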

Services like Security Hub can be used to automate and standardize checking these benchmarks across your accounts. Ultimately, securing your cloud environment is in your hands.


Certified AWS & GCP Cloud Architect currently working at KPMG as an Assistant Manager. About 10 years of experience in Cloud, DevOps & Middleware Technologies.