he cloud has become an integral part of modern-day tech infrastructure, and with that comes the need for tight security measures. The CIS AWS Benchmark is one of the most comprehensive security compliance standards for AWS cloud environments. It provides guidelines for configuring AWS services securely and is widely recognized as a benchmark for cloud security best practices. We are excited to announce that our product now supports CIS AWS Foundations Benchmark v2.0
Even though it is a major version (the earlier version was v1.5.0), there are no major changes in recommendations. CIS AWS Foundations Benchmark v2.0 includes 2 new recommendations, 1 recommendation removed, and updates to the descriptions and remediation steps of some recommendations.
1.22 Ensure access to AWSCloudShellFullAccess is restricted
AWS CloudShell is a browser-based shell, where you can quickly and securely access AWS Command Line Interfaces (CLIs), PowerShell, Bash, and other tools from a preconfigured and pre-authenticated browser-based shell environment.
The AWS-managed policy AWSCloudShellFullAccess uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to CloudShell and its features. The AWS credentials you used to sign in to the console are instantly accessible in a new shell session.
Within the CloudShell environment, a user has sudo permissions and can access the internet. CloudShell allows file upload and download capability between a user's local system and the CloudShell environment. So it is possible to install file transfer software (for example) and move data from CloudShell to external internet servers, thus opening a data exfiltration channel for malicious cloud admins.
As a best practice, administrators can define policies that specify the specific operations that users can execute with the shell environment at a granular level. This new recommendation helps cloud admins identify IAM roles with the AWSCloudShellFullAccess policy attached and adjust permissions per their requirements.
5.6 Ensure that EC2 Metadata Service only allows IMDSv2
This is my favorite recommendation. I have already covered the benefits of IMDSv2 in another blog post. I strongly recommend ensuring that all EC2 instances use IMDSv2. This recommendation helps cloud admins to identify EC2 instances with IMDSv1. AWS released IMDSv2 in Nov 2019, and it is surprising that CIS took almost 3.5 years to include this critical recommendation in one of the most followed benchmarks.
2.1.1 Ensure all S3 buckets employ encryption-at-rest
Starting January 2023, S3 will automatically apply server-side encryption (SSE-S3) to each new object, unless a different encryption option has been specified. However, existing buckets that currently use S3 default encryption will not be affected. It's important to note that the new default encryption will not apply to objects that existed in the buckets before the change in encryption settings. This creates a tricky situation where some objects may remain unencrypted while new objects are encrypted. It's important to consider that, from now onwards, there will always be some kind of encryption for the bucket, but this CIS recommendation has been removed.
CloudYali supports CIS AWS Foundations Benchmark v2.0
We perform daily security compliance checks for AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark v2.0. These checks are performed for each CloudYali managed AWS account every day. Upon successful completion, a CSV report is generated and made available for download for the next 48 hours. Users can use these reports further in their workflows. Additionally, all security compliance control findings are available in a dedicated Compliance tab in the CloudYali console.
If you're looking for an easy way to fulfil your AWS Cloud compliance needs, please signup for with a free CloudYali trial.