What are CIS Benchmarks?
The Center for Internet Security (CIS) Benchmark for AWS is a set of best practices and recommendations for the secure configuration of AWS accounts. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, industry, academia, and business. The Benchmark document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services, with an emphasis on foundational, testable, and architecture-agnostic settings. The specific Amazon Web Services in scope for this document are:
- AWS Identity and Access Management (IAM)
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- AWS VPC (Default)
The CIS AWS Foundations Benchmark document v1.2.0 lists 49 recommendations, categorized by feature into four sections:
- IAM
- Logging
- Monitoring
- Networking
How does one test for compliance with the Benchmarks?
Manually validating each recommendation across your AWS account is cumbersome and exhausting. The approach is prone to human error, and as the number of resources in your account grows it becomes nearly impossible to test compliance in a timely manner.
Automated compliance checks are the only option that can deliver timely results across your AWS account. With the AWS SDKs, CLI and APIs available, any of these can be used to automate the compliance checks for the CIS Benchmarks.
An Example –
Recommendation 2.3 – Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)
Description: CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Manual Steps via the Management Console
1. Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/home
2. In the API activity history pane on the left, click Trails
3. In the Trails pane, note the bucket names in the S3 bucket column
4. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
5. For each bucket noted in step 3, right-click on the bucket and click Properties
6. In the Properties pane, click the Permissions tab.
7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
8. Ensure no rows exist that have the Grantee set to Everyone or the Grantee set to Any Authenticated User.
9. If the Edit bucket policy button is present, click it to review the bucket policy.
10. Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to "*" or {"AWS" : "*"}
Automated Approach using CLI –
1. Get the name of the S3 bucket that CloudTrail is logging to:
aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'
2. Ensure the AllUsers principal is not granted privileges to that <bucket>:
aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query "Grants[?Grantee.URI=='http://acs.amazonaws.com/groups/global/AllUsers']"
3. Ensure the AuthenticatedUsers principal is not granted privileges to that <bucket>:
aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query "Grants[?Grantee.URI=='http://acs.amazonaws.com/groups/global/AuthenticatedUsers']"
4. Get the S3 Bucket Policy
aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>
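The four CLI steps above can be folded into one script. The following is an added example, not code from the CIS document or the original post: it evaluates the ACL and bucket-policy documents that the commands return (the public-group URIs and the wildcard-principal forms are the ones listed in the recommendation), and `check_account` wires the calls together through a boto3 session that is assumed to be created by the caller; the sample ACL and policy at the bottom are constructed.

```python
import json
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Grants in a get-bucket-acl response made to AllUsers or AuthenticatedUsers (steps 2 and 3)."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def _wildcard_principal(principal):
    # Matches Principal "*", {"AWS": "*"} and {"AWS": [..., "*", ...]}; other forms are not public.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def public_policy_statements(policy):
    """Allow statements with a wildcard Principal (step 4); policy is a dict, a JSON string or None."""
    doc = json.loads(policy) if isinstance(policy, str) else (policy or {})
    stmts = doc.get("Statement", [])
    return [s for s in ([stmts] if isinstance(stmts, dict) else stmts)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]

def check_trail_bucket(acl, policy):
    """Return (passed, findings) for one CloudTrail bucket's ACL and policy."""
    findings = [f"ACL grants {g['Permission']} to {g['Grantee']['URI']}" for g in public_acl_grants(acl)]
    findings += [f"policy statement {s.get('Sid', '<no Sid>')} allows a wildcard principal"
                 for s in public_policy_statements(policy)]
    return not findings, findings

def check_account(session):
    """Step 1 plus the checks above for every trail; session is a boto3.Session created by the caller."""
    s3, results = session.client("s3"), {}
    for trail in session.client("cloudtrail").describe_trails()["trailList"]:
        bucket = trail["S3BucketName"]
        try:
            policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except s3.exceptions.ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None  # no bucket policy attached; only the ACL can expose the logs
        results[bucket] = check_trail_bucket(s3.get_bucket_acl(Bucket=bucket), policy)
    return results

# Constructed sample: the owner's grant plus a public READ grant, and a policy with one public statement.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"}]})
```

Running `check_trail_bucket(SAMPLE_ACL, SAMPLE_POLICY)` fails the bucket on both the public ACL grant and the PublicRead statement, while the same ACL without the AllUsers grant and no policy passes.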