Introduction to CIS Benchmark
What is it? Why should you use it

Peter Kolka

Adoption of public cloud has been growing almost exponentially. While it is true that vendors, like AWS spend obscene amounts of money on securing the cloud infrastructure they provide, the shared responsibility model exists and will continue to exist for a reason. Unfortunately, the growth in adoption and plethora of solutions available, does not go in pair with awareness of risks and best practises within engineering teams. But there is some order to this chaos.

CIS Benchmark – what is it?

Center for Internet Security
Let’s start with a bit of background. The 
Center for Internet Security (CIS) is a well-established, non-profit organisation that has developed its own CIS Standards and CIS Benchmarks for all types of IT systems, including the public cloud and specifically AWS. Their programme provides neat, unbiased and most importantly, consensus-based industry best practices to help businesses of pretty much any size assess and improve their security and is by now considered an undisputed global standard.

The benchmarks themselves are fairly simple too – they’re configuration baselines for securely configuring a system. They allow businesses to quantify their security posture and provide a way to demonstrate their level of compliance with particular security frameworks, including the NIST Cybersecurity Framework (CSF) and the ISO 27000 series of standards, PCI DSS, HIPAA, and others. Whilst passing the benchmarks does not mean an automatic accreditation for the above standards, adhering to the principles of CIS is very likely to make the certification processes themselves much easier, providing tangible evidence of the steps taken.

Why should I use the CIS Benchmark standard for my AWS cloud setup?


Security professionals have been using CIS templates and hardening guides for some time now. The CIS Benchmark is a great baseline standard for AWS and continuously evolves with the help of the CIS SecureSuite members and Consensus Community. By using its benchmarks, scoring methods and guidelines for your own business, you will also be helping safeguard the wider community against cyber threats.

But while the greater good is all-important (the only long-term solution), let’s get onto some practical (and valid!) motivations that may be driving you right now:

  • you will be able to establish where you stand without disruptive changes (or expensive recuitments) to the current state of affairs – get the data first
  • once you know your position, you’ll have a much clearer path towards the desired outcome as well as the required cultural shift to make those checks and validations systematically
  • everything is represented in the most non-geek language possible, allowing for efficient buy-in from all stakeholders

Is it difficult to get started?

CIS benchmarks provide two security settings:

  • Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.
    No alt text provided for this image

CIS Level 2

Go beyond CIS

Given your interest in CIS benchmarks, you’re likely in a process of establishing a security baseline for your business, perhaps for the first time.

If something’s too good to be true it usually is, and it’s hard to deny that CIS can at times feel fairly generic, with a ‘one side fits all’ spirit that omits recommendations applicable to the newer systems (a downside of the consensus mechanism).

So while CIS is certainly an excellent foundation, no standard is perfect. A number of key elements of infrastructure cybersecurity are not in the scope of the AWS benchmark, and this can include areas such as ensuring no secrets are stored in Lambda functions variables or ensuring that the RDS database storage is encrypted, so certainly not edge cases either.

For a broad and comprehensive security review of your technical estates which incorporates CIS benchmarks but is better tailored for modern infrastructure patterns (like serverless computing), consider solutions such as Exlabs Cloud Security Audit where the recommendations provided in the completion report are structured to facilitate remediation of the identified security risks.

Such reports won’t just explain what needs to be done to harden the systems, they will also explain why. Add to it things like numeric scores, and the end package is the most jargon-free, simple-to-understand means of communication with colleagues who have limited knowledge and experience with information security, yet their buy-in is essential for the journey to be successful.

From the practical standpoint, to help ensure the process is not a rubberstamping exercise where the outcome lands in the drawer with a whole series of noble intentions either, every security recommendation getting broken down into several sections that explain why and how a particular recommendation should be implemented:

  1. A description that provides a high-level overview of the recommendation.
  2. A rationale that clarifies why it is important to implement the recommendation.
  3. A report that helps you evaluate and understand the impact of implementing a recommendation.
  4. The audit also identifies how to prove a recommendation has been implemented.
  5. Finally, the remediation will discuss steps to implement the recommendation.

In terms of added benefits, the report document can also serve as a formal letter of attestation for the cloud security evaluation of your product or the business. A comprehensive audit like this will not only increase the peace of mind of any technical leader but also demonstrate to any stakeholder that responsible actions have been taken to mitigate the risks, making that client or investor meeting much easier.