CIS AWS Foundations Benchmark 5.0
The CIS AWS Foundations Benchmark is a set of security best practices published by the Center for Internet Security (CIS). It is one of the most widely adopted security baselines for AWS environments and is frequently referenced during security audits, customer questionnaires, and regulatory assessments.
Guardian Pro supports version 5.0 of the CIS AWS Foundations Benchmark, with hundreds of automated checks mapped to the benchmark's controls.
What the CIS Benchmark Covers
The CIS AWS Foundations Benchmark is organised into sections that cover the foundational security configurations every AWS account should have in place:
1. Identity and Access Management (IAM)
Controls in this section focus on ensuring that access to your AWS environment follows the principle of least privilege:
- Root account security (MFA, access key restrictions)
- IAM password policy enforcement (length, complexity, rotation)
- MFA requirements for IAM users with console access
- Access key rotation and unused credential cleanup
- IAM policy best practices (avoiding inline policies, wildcard permissions)
2. Storage
These controls evaluate the security of your data storage services:
- S3 bucket public access restrictions
- S3 bucket encryption (server-side encryption at rest)
- S3 bucket logging and versioning
- EBS volume encryption
3. Logging
Logging controls ensure that you have adequate audit trails across your AWS environment:
- CloudTrail enabled in all regions with log file validation
- CloudTrail log encryption
- S3 bucket access logging for CloudTrail buckets
- CloudWatch Logs integration
4. Monitoring
Monitoring controls verify that you have alerting configured for critical security events:
- Metric filters and alarms for unauthorized API calls
- Console sign-in alerts (especially without MFA)
- Root account usage alerts
- IAM policy change monitoring
- CloudTrail configuration change alerts
- VPC changes, security group changes, and network gateway alerts
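The monitoring controls above are defined in the benchmark as CloudWatch Logs metric filters over CloudTrail events. The following added example (written for this page, not Guardian Pro's own code) restates several of those filter conditions as plain Python predicates and runs them over a handful of constructed CloudTrail records, so you can see which events each control is meant to alarm on. The field names are CloudTrail's; the exact predicate logic is an assumption that approximates, rather than reproduces, the benchmark's filter syntax.

```python
"""Apply CIS-style monitoring rules to CloudTrail events.

Added example for illustration; not Guardian Pro code. The predicates below
express the conditions behind the benchmark's metric-filter controls in plain
Python so they can be run over exported CloudTrail JSON. They are an assumed
restatement, not the benchmark's literal CloudWatch filter patterns.
"""
from collections import defaultdict

# Constructed sample CloudTrail records (not real account activity). Only the
# fields the rules consult are included.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
    {"eventID": "evt-3", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventID": "evt-4", "eventName": "GetAccountSummary", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root"}},
    {"eventID": "evt-5", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventID": "evt-6", "eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventID": "evt-7", "eventName": "GetObject", "eventType": "AwsApiCall",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "userName": "app-role"}},
    # An AWS service acting with the root identity on the account's behalf;
    # the root-usage control is meant to ignore these.
    {"eventID": "evt-8", "eventName": "CreateServiceLinkedRole", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]

# IAM API calls that change policy (the set the benchmark's IAM policy change
# control watches); all are real IAM action names.
IAM_POLICY_CHANGE_APIS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
CLOUDTRAIL_CONFIG_APIS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def is_unauthorized_api_call(event):
    """Calls rejected for lack of permission (errorCode *UnauthorizedOperation / AccessDenied*)."""
    code = event.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_console_login_without_mfa(event):
    """Console sign-ins where MFAUsed is anything other than "Yes"."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_root_account_usage(event):
    """Direct root activity, excluding service events performed on the account's behalf."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def is_iam_policy_change(event):
    return event.get("eventName") in IAM_POLICY_CHANGE_APIS


def is_cloudtrail_config_change(event):
    return event.get("eventName") in CLOUDTRAIL_CONFIG_APIS


RULES = {
    "unauthorized_api_calls": is_unauthorized_api_call,
    "console_login_without_mfa": is_console_login_without_mfa,
    "root_account_usage": is_root_account_usage,
    "iam_policy_changes": is_iam_policy_change,
    "cloudtrail_config_changes": is_cloudtrail_config_change,
}


def classify_events(events):
    """Return {rule_name: [eventID, ...]} for every rule that fires on at least one event."""
    hits = defaultdict(list)
    for event in events:
        for name, predicate in RULES.items():
            if predicate(event):
                hits[name].append(event["eventID"])
    return dict(hits)


if __name__ == "__main__":
    for rule, ids in classify_events(SAMPLE_EVENTS).items():
        print(f"{rule:28} {', '.join(ids)}")
```

Running the block prints one line per rule that fired. In a real deployment the same conditions live in CloudWatch metric filters tied to alarms; the Python form is useful for validating the filter logic against exported trail data before you depend on the alarm.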
5. Networking
Network-related controls evaluate your VPC and network security configurations:
- Default security group restrictions (no unrestricted ingress/egress)
- VPC flow logging
- Restricting SSH and RDP access to known IP ranges
- Network ACL best practices
How Guardian Pro Evaluates CIS Controls
Guardian Pro maps its automated checks to each CIS control. When a scan runs, every relevant check is evaluated across your entire AWS environment. The results determine each control's status:
| Status | Meaning |
|---|---|
| PASS | Every automated check mapped to this control is passing across all evaluated resources |
| FAIL | At least one check is detecting an issue on one or more resources |
| NOT APPLICABLE | The control targets a service or configuration not present in your environment |
Some CIS controls recommend configurations that are organisational decisions rather than binary right-or-wrong settings (for example, password policy length). Guardian Pro evaluates these against the CIS-recommended values, but you may choose to create an exception if your organisation has a documented alternative standard.
Viewing Your CIS Compliance Score
After subscribing to the CIS framework (see Subscribing to Frameworks), your CIS compliance score appears on the Compliance Dashboard. The score represents the percentage of CIS controls that are currently passing.
To drill into specific areas:
- Open the Compliance Dashboard.
- Click on the CIS AWS Foundations Benchmark 5.0 score card.
- Use the controls list to see the status of each individual control.
- Filter by status (PASS, FAIL, NOT APPLICABLE) to focus on gaps.
- Filter by section (IAM, Storage, Logging, Monitoring, Networking) to review a specific domain.
Common CIS Failures and How to Fix Them
Here are the CIS controls that most commonly fail in AWS environments, along with guidance on resolving them:
Root Account MFA Not Enabled
CIS Control: Ensure MFA is enabled for the root account.
This is one of the most critical controls. If your root account does not have MFA enabled, it represents a significant security risk.
Resolution: Enable MFA on the root account through the AWS Console under IAM > Security credentials. Hardware MFA tokens provide the strongest protection, but virtual MFA (such as an authenticator app) is also acceptable.
CloudTrail Not Enabled in All Regions
CIS Control: Ensure CloudTrail is enabled in all regions.
Many environments only enable CloudTrail in their primary region, leaving activity in other regions unaudited.
Resolution: Enable a multi-region trail in CloudTrail. Guardian Pro can remediate this automatically through the Action Centre.
Default Security Groups Allow Traffic
CIS Control: Ensure the default security group restricts all traffic.
The default security group in each VPC often retains permissive rules that were added during initial setup.
Resolution: Remove all inbound and outbound rules from default security groups. Create purpose-specific security groups for your resources instead.
Access Keys Not Rotated
CIS Control: Ensure access keys are rotated within 90 days.
Stale access keys increase the window of exposure if credentials are compromised.
Resolution: Rotate access keys regularly and consider migrating to IAM roles where possible.
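The four common failures above, together with the PASS / FAIL / NOT APPLICABLE statuses defined earlier on this page, can be reproduced against your own inventory. The added example below (illustration only, not Guardian Pro's implementation) evaluates constructed data in the shapes returned by `aws iam get-credential-report`, `aws cloudtrail describe-trails` and `aws ec2 describe-security-groups`, and reports a status plus the offending resources for each control. The sample report, trails and security groups are constructed; the fixed "now" date is there so the key-age arithmetic is reproducible.

```python
"""Evaluate constructed AWS inventory data against four CIS controls.

Added example; not Guardian Pro's code. It consumes the shapes returned by
`aws iam get-credential-report` (CSV), `aws cloudtrail describe-trails` and
`aws ec2 describe-security-groups`, and reports the PASS / FAIL / NOT APPLICABLE
status described on this page. All sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed credential report. The real report has more columns; only those
# read below are kept. The root row appears as "<root_account>" and "N/A"
# marks fields without a value, as in the real report.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,true,2024-11-01T00:00:00+00:00,false,N/A
analyst,arn:aws:iam::111122223333:user/analyst,true,true,2025-02-01T00:00:00+00:00,false,N/A
"""

# Constructed describe-trails result: a single-region trail only.
SAMPLE_TRAILS = [{"Name": "primary-trail", "HomeRegion": "us-east-1",
                  "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}]

# Constructed describe-security-groups result: one default group still open,
# one default group correctly emptied, one purpose-specific group (ignored).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-0a",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "VpcId": "vpc-0b",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "web", "VpcId": "vpc-0b",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

NOW = datetime(2025, 3, 3, tzinfo=timezone.utc)  # fixed reference time for reproducibility


def parse_credential_report(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def check_root_mfa(rows):
    """CIS: MFA enabled for the root account."""
    root = [r for r in rows if r["user"] == "<root_account>"]
    if not root:
        return "NOT APPLICABLE", []
    return ("PASS", []) if root[0]["mfa_active"] == "true" else ("FAIL", ["<root_account>"])


def check_multi_region_trail(trails):
    """CIS: at least one trail covers all regions and has log file validation on."""
    if not trails:
        return "FAIL", ["no trails configured"]
    good = [t for t in trails if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    return ("PASS", []) if good else ("FAIL", [t["Name"] for t in trails])


def check_default_sg(groups):
    """CIS: every VPC's default security group has no inbound or outbound rules."""
    defaults = [g for g in groups if g["GroupName"] == "default"]
    if not defaults:
        return "NOT APPLICABLE", []
    open_groups = [g["GroupId"] for g in defaults
                   if g.get("IpPermissions") or g.get("IpPermissionsEgress")]
    return ("FAIL", open_groups) if open_groups else ("PASS", [])


def check_access_key_rotation(rows, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """CIS: every active access key was rotated within max_age_days."""
    stale = []
    for row in rows:
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive or absent keys carry "N/A" dates
            age = (now - datetime.fromisoformat(row[f"{slot}_last_rotated"])).days
            if age > max_age_days:
                stale.append(f"{row['user']}/{slot} ({age} days)")
    return ("FAIL", stale) if stale else ("PASS", [])


def evaluate_all(report_csv, trails, groups, now=NOW):
    rows = parse_credential_report(report_csv)
    return {
        "root_mfa": check_root_mfa(rows),
        "multi_region_trail": check_multi_region_trail(trails),
        "default_sg": check_default_sg(groups),
        "access_key_rotation": check_access_key_rotation(rows, now),
    }


if __name__ == "__main__":
    results = evaluate_all(SAMPLE_CREDENTIAL_REPORT, SAMPLE_TRAILS, SAMPLE_SECURITY_GROUPS)
    for control, (status, findings) in results.items():
        print(f"{control:20} {status:15} {', '.join(findings)}")
```

Each check returns the status plus the resources behind it, which mirrors how a failing control on the Compliance Dashboard leads to individual findings in the Action Centre: a single open default security group or one unrotated key is enough to put the whole control in FAIL.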
Click on any failing CIS control in the Compliance Dashboard to jump directly to the Action Centre with the relevant findings pre-filtered. From there, you can remediate issues one at a time or use bulk actions to address multiple resources at once.
Preparing for a CIS-Based Audit
If you are using the CIS benchmark for an audit or security assessment, Guardian Pro provides several features to help:
- Export a compliance report in PDF or CSV format showing your current CIS compliance posture.
- Attach evidence to controls that require manual verification using the evidence management feature.
- Document exceptions for any controls where you have accepted the risk or implemented a compensating control. See Managing Exceptions.
- Show trends to demonstrate continuous improvement over time using the compliance trends view.
The CIS benchmark is updated periodically. Guardian Pro tracks the latest supported version and updates its control mappings accordingly. Check the Compliance Dashboard for the current version number.