The Center for Internet Security (CIS) recently released an updated 2.0 version of their Amazon Web Services (AWS) Foundations benchmark. This updated release ships with several significant changes, including new security recommendations and the removal of outdated practices.
About the Center for Internet Security (CIS)
CIS is a nonprofit that develops IT system benchmarks to enhance cybersecurity readiness. Collaborating with various stakeholders, CIS continuously updates its benchmarks to respond to evolving security threats.
What's New in AWS Foundations 2.0
CIS benchmark updates typically include improvements to detection and remediation documentation, plus a few new security recommendations. However, the new 2.0 release broke tradition by introducing a whopping 11 new recommendations and removing two outdated ones.
Out with the old
The existing control Ensure all S3 buckets employ encryption-at-rest has been removed from the benchmark, as it is no longer necessary. In January 2023, Amazon announced that all S3 buckets would be encrypted at rest by default without any user action required. This is a fantastic move for the security of S3 data, and it eliminates a common security misconfiguration that administrators previously had to correct themselves.
In with the new
Restrict Use of AWS CloudShell
A new control Restrict use of AWS CloudShell aims to limit the potential risk of full access to Amazon’s remote shell feature. If you’re like me, this may have caused your heart to skip a beat, but don’t worry: CIS isn’t suggesting disabling access to CloudShell outright. The new recommendation is only that the IAM policy AWSCloudShellFullAccess be disabled.
AWSCloudShellFullAccess privileges offer unfettered access to the AWS account including the ability to upload and download files to local systems through CloudShell instances. Removing this level of access prevents a significant data exfiltration risk in AWS accounts.
Ensure EC2 Metadata Service Uses IMDSv2
Another large change is the addition of a new control, Ensure that EC2 Metadata Service only allows IMDSv2, to enforce the use of the newer and more secure instance metadata service. IMDSv2 was introduced in 2019 to eliminate several major vulnerabilities in the existing instance metadata service that resulted in major security breaches. IMDSv2 uses session authentication, a low TTL, and HTTP PUT requests to prevent users outside your infrastructure from requesting instance metadata through misconfigured application firewalls, load balancers, or NAT appliances.
While this may seem like an obvious security win, updating instances to the new version is time-consuming and can require updates to software such as configuration management systems. It’s well worth the effort, but this new control alone warrants the major version bump in the CIS benchmark.
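To make the two new controls concrete, here is an added example (not code from the post or from Mondoo) that audits the parsed JSON output of the AWS CLI commands aws iam list-entities-for-policy and aws ec2 describe-instances: one function lists principals still holding AWSCloudShellFullAccess, the other lists instances whose metadata service still accepts IMDSv1 requests. The two sample documents are constructed for the example, not captured from a real account.

```python
"""Offline audit helpers for two CIS AWS Foundations 2.0 controls.

Input shapes follow the AWS CLI / boto3 responses for
`aws iam list-entities-for-policy --policy-arn <arn>` and
`aws ec2 describe-instances`; the samples below are constructed.
"""

CLOUDSHELL_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"


def cloudshell_full_access_principals(entities):
    """Return the users, groups and roles that have AWSCloudShellFullAccess
    attached. The CIS control expects this list to be empty; detach the
    policy from each listed principal to remediate."""
    found = []
    for key, name_field in (("PolicyUsers", "UserName"),
                            ("PolicyGroups", "GroupName"),
                            ("PolicyRoles", "RoleName")):
        found.extend(e[name_field] for e in entities.get(key, []))
    return sorted(found)


def imdsv1_reachable_instances(describe):
    """Return instance IDs whose metadata endpoint is enabled but does not
    require a session token, i.e. IMDSv1 calls still succeed. Remediate with
    `aws ec2 modify-instance-metadata-options --http-tokens required`."""
    flagged = []
    for reservation in describe.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # IMDS switched off entirely: nothing to reach
            if opts.get("HttpTokens", "optional") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


# Constructed sample data (not from a real account).
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "developers"}],
    "PolicyUsers": [],
    "PolicyRoles": [{"RoleName": "ops-admin"}],
}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

if __name__ == "__main__":
    print("CloudShell full access:", cloudshell_full_access_principals(SAMPLE_ENTITIES))
    print("IMDSv1 still reachable:", imdsv1_reachable_instances(SAMPLE_INSTANCES))
```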
Other Key Updates
The bulk of the change to the Amazon Web Services Foundations 2.0 benchmark comes in the form of updates to existing checks. In this release, there are 11 updated benchmarks that include improved risk descriptions as well as updated audit and remediation steps. Some of these changes are tweaks to account for changes to AWS, while others are significant improvements to help users more quickly resolve findings.
AWS Cloud Security and Compliance with Mondoo
Mondoo’s advanced security and compliance platform includes the updated Amazon Web Services Foundation 2.0 benchmark out of the box along with nearly 150 other CIS-certified benchmarks to secure your complete infrastructure from cloud to servers, SaaS, Kubernetes, and everything in between.
Schedule a meeting today to see how Mondoo continuously monitors your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks such as SOC 2, HIPAA, PCI, and ISO 27001.