AWS Cloud

CIS AWS Foundations Benchmark v2.0 - Securing AWS cloud resources

CloudYali Team
February 10, 2024
5 min read

he cloud has become an integral part of modern-day tech infrastructure, and with that comes the need for tight security measures. The CIS AWS Benchmark is one of the most comprehensive security compliance standards for AWS cloud environments. It provides guidelines for configuring AWS services securely and is widely recognized as a benchmark for cloud security best practices. We are excited to announce that our product now supports CIS AWS Foundations Benchmark v2.0

Even though it is a major version (the earlier version was v1.5.0), there are no major changes in recommendations. CIS AWS Foundations Benchmark v2.0 includes 2 new recommendations, 1 recommendation removed, and updates to the descriptions and remediation steps of some recommendations.

New recommendations

1.22 Ensure access to AWSCloudShellFullAccess is restricted

AWS CloudShell is a browser-based shell, where you can quickly and securely access AWS Command Line Interfaces (CLIs), PowerShell, Bash, and other tools from a preconfigured and pre-authenticated browser-based shell environment.

AWS CloudShell command prompt
AWS CloudShell

The AWS-managed policy AWSCloudShellFullAccess uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to CloudShell and its features. The AWS credentials you used to sign in to the console are instantly accessible in a new shell session.

Within the CloudShell environment, a user has sudo permissions and can access the internet. CloudShell allows file upload and download capability between a user's local system and the CloudShell environment. So it is possible to install file transfer software (for example) and move data from CloudShell to external internet servers, thus opening a data exfiltration channel for malicious cloud admins.

As a best practice, administrators can define policies that specify the specific operations that users can execute with the shell environment at a granular level. This new recommendation helps cloud admins identify IAM roles with the AWSCloudShellFullAccess policy attached and adjust permissions per their requirements.

5.6 Ensure that EC2 Metadata Service only allows IMDSv2

This is my favorite recommendation. I have already covered the benefits of IMDSv2 in another blog post. I strongly recommend ensuring that all EC2 instances use IMDSv2. This recommendation helps cloud admins to identify EC2 instances with IMDSv1. AWS released IMDSv2 in Nov 2019, and it is surprising that CIS took almost 3.5 years to include this critical recommendation in one of the most followed benchmarks.

Removed recommendation

2.1.1 Ensure all S3 buckets employ encryption-at-rest

Starting January 2023, S3 will automatically apply server-side encryption (SSE-S3) to each new object, unless a different encryption option has been specified. However, existing buckets that currently use S3 default encryption will not be affected. It's important to note that the new default encryption will not apply to objects that existed in the buckets before the change in encryption settings. This creates a tricky situation where some objects may remain unencrypted while new objects are encrypted. It's important to consider that, from now onwards, there will always be some kind of encryption for the bucket, but this CIS recommendation has been removed.

CloudYali supports CIS AWS Foundations Benchmark v2.0

We perform daily security compliance checks for AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark v2.0. These checks are performed for each CloudYali managed AWS account every day. Upon successful completion, a CSV report is generated and made available for download for the next 48 hours. Users can use these reports further in their workflows. Additionally, all security compliance control findings are available in a dedicated Compliance tab in the CloudYali console.

CloudYali CIS AWS Foundations Benchmark v2.0
CloudYali Security Compliance

If you're looking for an easy way to fulfil your AWS Cloud compliance needs, please signup for with a free CloudYali trial.

CloudYali Team

Stay Informed

Get the latest updates, news, and exclusive offers delivered to your inbox.

By clicking Sign Up, you agree to our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong. Please try again.

Discover Our Featured Blogs

Stay up to date with our informative blog posts.


[Part 1] The Least Privilege Principle and IAM in AWS

The principle of least privilege (PoLP) is easier to understand until you put it into practice. In this series, we will discuss PoLP, how to set up accounts and guardrails, what tools to use, what process to follow, what technical and managerial challenges you may encounter, how to tackle them, and so on.
Nishant Thorat
April 16, 2024
5 min read
User Access Management

Streamlining AWS Access for Growing Startups

As your startup scales on AWS, managing access control becomes crucial. This blog post provides a roadmap for securing your cloud environment. You'll learn about the limitations of basic IAM users, the benefits of centralized identity management, and the capabilities of AWS IAM Identity Center with Just-In-Time access. By the end, you'll have a clear strategy to secure your AWS environment while maintaining agility.
Nishant Thorat
April 15, 2024
5 min read
AWS Cloud

Understanding Instance MetaData Service (IMDS)

Instance metadata service (IMDS) provides sensitive information. Understand IMDSv1 weakness and how IMDSv2 improves security. Identify IMDSv1 enabled instances across your cloud.
Nishant Thorat
February 11, 2024
5 min read