To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.

Overview

All CIS Benchmarks focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like:

• Monitoring the base operating system for vulnerabilities and quickly updating with the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with the latest security patches In the end, the CIS Benchmarks are designed as a key component of a comprehensive cybersecurity program. This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include:
• AWS Identity and Access Management (IAM)
• IAM Access Analyzer
• AWS Config
• AWS CloudTrail
• AWS CloudWatch
• AWS Simple Notification Service (SNS)
• AWS Simple Storage Service (S3)
• Elastic Compute Cloud (EC2)
• Relational Database Service (RDS)
• AWS VPC
• To obtain the latest version of this guide, please visit https://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at BenchmarkInfo@cisecurity.org.

Profiles

The following configuration profiles are defined by this Benchmark:

Level 1

Items in this profile intend to:

• be practical and prudent;
• provide security focused best practice hardening of a technology; and
• limit impact to the utility of the technology beyond acceptable means.

Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

• are intended for environments or use cases where security is more critical than manageability and usability
• acts as defense in depth measure
• may impact the utility or performance of the technology
• may include additional licensing, cost, or addition of third party software