Meeting CIS AWS Foundations Benchmark requirements

The CIS AWS Foundations Benchmark is a set of best practices that are commonly adopted by organsiations.

Using the CIS Foundations Benchmark allows teams to understand and improve their security posture.

The full list of “controls” that make up the benchmark are available in AWS documentation.

• https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html

However, there’s no need to check everything yourself because AWS Security Hub provides automated analysis, and provides an easy-to-understand score.

Security hub out-of-the-box experience

When you first switch AWS Security Hub, it can be a bit intimidating, because of the volume of critical and high failures, even on a brand new AWS account.

Disappointingly, the out-of-the-box configuration of AWS doesn’t pass its own best practice. EBS volume setup, IAM user password policies, and S3 configuration fail immediately, so cloud teams will have to do some work straight away.

Terraform for account level things

For each AWS account I setup, I usually run in a few changes with Terraform because CDK doesn’t support “account level” options.

This little section of code implements the following controls:

• Ensure EBS volume encryption is enabled
• Ensure IAM password policy requires minimum length of 14 or greater
• Ensure IAM password policy prevents password reuse
• Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’
• Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’

resource "aws_ebs_encryption_by_default" "default_encryption" {
  enabled = true
}

resource "aws_iam_account_password_policy" "IamPasswordPolicy" {
  hard_expiry                    = false
  allow_users_to_change_password = true
  max_password_age               = 90
  minimum_password_length        = 14
  password_reuse_prevention      = 24
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  require_uppercase_characters   = true
}

resource "aws_s3_account_public_access_block" "BlockPublicAccess" {
  block_public_acls = "true"
  ignore_public_acls = "true"
  block_public_policy = "true"
  restrict_public_buckets = "true"
}

Default VPCs

Every new AWS account includes a “default VPC” in each region.

However, these default VPCs are not configured according to best practice since they lack VPC Flow Logging, so it’s common practice to simply delete them from new AWS accounts.

• https://gist.github.com/jokeru/e4a25bbd95080cfd00edf1fa67b06996

Security groups

The default security group on any new VPC always fails checks relating to unrestricted ingress and egress.

It’s a bit unweildy to access the default Security Group in CDK [0], so I wrote a program to automate the tightening of the security groups [1].

• https://github.com/aws/aws-cdk/issues/1606 [0]

• https://github.com/a-h/default-security-group-tightener [1]

Root user hardware MFA

It’s common practice to set up AWS Control Tower to prevent the use of root accounts, but AWS Security Hub can’t detect that this is in place, so to clear this warning you have you have to disable your security control to allow root users to be used, login as root to configure MFA on the user, and then re-disable root users.

Alerts and notifications

Many of the CIS benchmark controls enforce alerting on suspicious or unusual actions, for example, using the root user, or changing firewall rules.

I’ve covered this in a separate post [2].

• /2022/11/03/alerting-on-security-hub-notifications-with-opsgenie/ [2]

Summary

The default configuration of AWS will need some work to meet CIS AWS Foundations Benchmarks, but a lot of progress can be made by applying some configuration, and using scripts to automate the resolution.