
CIS Benchmark for AWS v1.5 released - What is new

The new CIS benchmark for AWS v1.5 is out. Here’s an update on what changed in the latest version.

The new CIS benchmark for AWS v1.5 is out. Here’s a quick summary of what changed in the latest version. Read on for the full details of the new benchmark:

  • 2 new recommendations for RDS
  • 1 new service (EFS) addition with 1 recommendation
  • 1 new recommendation added to Monitoring
  • 1 new recommendation added to Networking
  • 1 existing recommendation under Logging section updated

Introduction

CIS (Center for Internet Security) publishes benchmarks that provide secure configuration best practices for various IT systems and cloud infrastructures. These benchmarks are developed by the CIS team along with a wider community of technology vendors, subject matter experts, and others.

These benchmarks are considered the global best practices for security for any organisation implementing secure configuration for their cloud infrastructure.

CIS and AWS publish the CIS AWS Foundations benchmark. This benchmark is used by AWS’s customers across the world as a way to validate their security posture.

A brand new version of the benchmark, v1.5.0, was published on 12 August 2022. The Kloudle team has done the hard work and is happy to share what’s new in the latest benchmark, what was updated and what was removed, for your easy perusal.

What’s new

5 new recommendations have been added under different sections and subsections of the benchmark.

Here are the details:

  1. In the Storage section of the benchmark, under Relational Database Service (RDS), 2 new recommendations have been added:
     • Recommendation to enable the Auto Minor Version Upgrade feature for RDS instances
     • Recommendation to restrict public access to RDS instances
  2. A new service, Elastic File System (EFS), has been introduced under the Storage section with 1 recommendation: enable encryption for EFS file systems
  3. 1 new recommendation has been added to the Monitoring section of the benchmark, advising users to enable AWS Security Hub
  4. 1 new recommendation has been added to the Networking section of the benchmark, advising users not to allow ingress from ::/0 (all IPv6 addresses) to the remote server administration ports such as 22 and 3389 in security groups. This is in addition to the existing recommendation to disallow unrestricted ingress from all IPv4 addresses to these ports
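The new Networking recommendation is the most mechanical of the additions to audit, so here is an added example (written for this summary, not Kloudle's or CIS's own tooling) that flags ingress rules reaching port 22 or 3389 from ::/0, alongside the existing 0.0.0.0/0 check. It assumes the input has the shape returned by `aws ec2 describe-security-groups` and uses constructed sample groups rather than a real account.

```python
"""Flag security-group ingress rules that expose remote-administration ports
(22, 3389) to all IPv6 addresses (::/0), per CIS AWS v1.5 Networking, plus
the existing IPv4 (0.0.0.0/0) check. Input: `describe-security-groups` shape."""

ADMIN_PORTS = {22, 3389}


def rule_covers_admin_port(rule):
    """True if an IpPermissions entry reaches port 22 or 3389.
    IpProtocol "-1" means all traffic and carries no port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # UDP/ICMP rules cannot carry SSH or RDP
        return False
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return False
    return any(low <= p <= high for p in ADMIN_PORTS)


def find_exposed_admin_ingress(security_groups):
    """Return (group_id, family, cidr) for every rule that lets the whole
    IPv4 or IPv6 internet reach a remote-administration port."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_admin_port(rule):
                continue
            for rng in rule.get("IpRanges", []):
                if rng.get("CidrIp") == "0.0.0.0/0":
                    findings.append((sg["GroupId"], "ipv4", "0.0.0.0/0"))
            for rng in rule.get("Ipv6Ranges", []):
                if rng.get("CidrIpv6") == "::/0":
                    findings.append((sg["GroupId"], "ipv6", "::/0"))
    return findings


# Constructed sample (not a real account): sg-aaaa exposes SSH over IPv6 only,
# sg-bbbb opens all traffic to both families, sg-cccc is compliant (a /48 only).
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bbbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-cccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/48"}]}]},
]
```

Feed `find_exposed_admin_ingress` the `SecurityGroups` list from the real CLI output (`aws ec2 describe-security-groups --output json`) to run it against an account; every returned tuple is a rule to tighten.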

What got updated

CIS recommendation number 3.8, which recommends enabling automated rotation of customer-created CMKs every year, has been updated to be more specific: it now applies to customer-created symmetric CMKs only, since automatic key rotation cannot be enabled for asymmetric CMKs in AWS KMS.

What got removed

Nothing! The latest version of the benchmark has everything included from the previous version with minor updates and new recommendation additions.
