💾 Archived View for capsule.adrianhesketh.com › 2022 › 11 › 02 › meeting-cis-aws-foundations-require… captured on 2023-01-29 at 02:28:13. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
The CIS AWS Foundations Benchmark is a set of best practices that are commonly adopted by organsiations.
Using the CIS Foundations Benchmark allows teams to understand and improve their security posture.
The full list of "controls" that make up the benchmark are available in AWS documentation.
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html
However, there's no need to check everything yourself because AWS Security Hub provides automated analysis, and provides an easy-to-understand score.
When you first switch AWS Security Hub, it can be a bit intimidating, because of the volume of critical and high failures, even on a brand new AWS account.
Disappointingly, the out-of-the-box configuration of AWS doesn't pass its own best practice. EBS volume setup, IAM user password policies, and S3 configuration fail immediately, so cloud teams will have to do some work straight away.
For each AWS account I setup, I usually run in a few changes with Terraform because CDK doesn't support "account level" options.
This little section of code implements the following controls:
resource "aws_ebs_encryption_by_default" "default_encryption" {
enabled = true
}
resource "aws_iam_account_password_policy" "IamPasswordPolicy" {
hard_expiry = false
allow_users_to_change_password = true
max_password_age = 90
minimum_password_length = 14
password_reuse_prevention = 24
require_lowercase_characters = true
require_numbers = true
require_symbols = true
require_uppercase_characters = true
}
resource "aws_s3_account_public_access_block" "BlockPublicAccess" {
block_public_acls = "true"
ignore_public_acls = "true"
block_public_policy = "true"
restrict_public_buckets = "true"
}
Every new AWS account includes a "default VPC" in each region.
However, these default VPCs are not configured according to best practice since they lack VPC Flow Logging, so it's common practice to simply delete them from new AWS accounts.
https://gist.github.com/jokeru/e4a25bbd95080cfd00edf1fa67b06996
The default security group on any new VPC always fails checks relating to unrestricted ingress and egress.
It's a bit unweildy to access the default Security Group in CDK [0], so I wrote a program to automate the tightening of the security groups [1].
It's common practice to set up AWS Control Tower to prevent the use of root accounts, but AWS Security Hub can't detect that this is in place, so to clear this warning you have you have to disable your security control to allow root users to be used, login as root to configure MFA on the user, and then re-disable root users.
Many of the CIS benchmark controls enforce alerting on suspicious or unusual actions, for example, using the root user, or changing firewall rules.
I've covered this in a separate post [2].
The default configuration of AWS will need some work to meet CIS AWS Foundations Benchmarks, but a lot of progress can be made by applying some configuration, and using scripts to automate the resolution.
Alerting on AWS Security Hub notifications with OpsGenie
Migrating Go and Node.js Fargate tasks and Lambda functions to Graviton ARM processors with CDK