Meeting CIS AWS Foundations Benchmark requirements


The CIS AWS Foundations Benchmark is a set of best practices that are commonly adopted by organisations.


Using the CIS Foundations Benchmark allows teams to understand and improve their security posture.


The full list of "controls" that make up the benchmark is available in the AWS documentation.


https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html


However, there's no need to check everything yourself: AWS Security Hub automatically evaluates the controls against your account and summarises the result as an easy-to-understand score.


Security hub out-of-the-box experience


When you first switch on AWS Security Hub, it can be a bit intimidating because of the volume of critical and high failures, even on a brand new AWS account.


(image: failures.png)


Disappointingly, the out-of-the-box configuration of AWS doesn't pass its own best practices. EBS volume setup, IAM user password policies, and S3 configuration fail immediately, so cloud teams will have to do some work straight away.


Terraform for account level things


For each AWS account I set up, I usually run in a few changes with Terraform, because CDK doesn't support "account level" options.


This little section of code implements the following controls:


Ensure EBS volume encryption is enabled

Ensure IAM password policy requires minimum length of 14 or greater

Ensure IAM password policy prevents password reuse

Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'


```terraform
# Ensure EBS volume encryption is enabled. This setting is per region, so
# apply it in every region the account uses.
resource "aws_ebs_encryption_by_default" "default_encryption" {
  enabled = true
}

# Ensure the IAM password policy requires a minimum length of 14 or greater
# and prevents password reuse (the last 24 passwords are remembered).
resource "aws_iam_account_password_policy" "IamPasswordPolicy" {
  hard_expiry                    = false
  allow_users_to_change_password = true
  max_password_age               = 90
  minimum_password_length        = 14
  password_reuse_prevention      = 24
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  require_uppercase_characters   = true
}

# Ensure S3 Block Public Access is switched on for the whole account.
# These attributes are booleans, so they are written as bare true values.
resource "aws_s3_account_public_access_block" "BlockPublicAccess" {
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```
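Security Hub only re-scores periodically, so it is useful to be able to check these same account-level settings directly after the Terraform has been applied. The script below is an added example, not code from the original post: the check_* functions evaluate plain dicts shaped like the boto3 responses for the three settings above, so they run offline, while collect_account_state() (assumed to use boto3 with configured credentials) fetches the live values when run with --live.

```python
"""Evaluate the account-level CIS controls set by the Terraform above.

Added example, not code from the original post. The check_* functions take
dicts shaped like the corresponding boto3 responses and run offline;
collect_account_state() (assumed to use boto3) fetches the live values.
"""
from __future__ import annotations

MIN_PASSWORD_LENGTH = 14   # CIS: minimum password length of 14 or greater
MIN_REUSE_PREVENTION = 24  # CIS: remember the previous 24 passwords
S3_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def check_ebs_default_encryption(response: dict) -> list[str]:
    """Evaluate ec2.get_ebs_encryption_by_default(); the setting is per region."""
    if response.get("EbsEncryptionByDefault", False):
        return []
    return ["EBS encryption by default is disabled in this region"]


def check_password_policy(policy: dict | None) -> list[str]:
    """Evaluate iam.get_account_password_policy()['PasswordPolicy'].

    A brand-new account has no policy at all (boto3 raises NoSuchEntity);
    the caller passes that as None, which fails the control outright.
    """
    if policy is None:
        return ["no account password policy is set"]
    failures = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_PASSWORD_LENGTH:
        failures.append(f"minimum password length is {length}, need {MIN_PASSWORD_LENGTH}")
    reuse = policy.get("PasswordReusePrevention", 0)  # key is absent when unset
    if reuse < MIN_REUSE_PREVENTION:
        failures.append(f"password reuse prevention is {reuse}, need {MIN_REUSE_PREVENTION}")
    return failures


def check_s3_account_block(config: dict) -> list[str]:
    """Evaluate s3control.get_public_access_block()['PublicAccessBlockConfiguration'].

    An account with no configuration at all is passed as an empty dict.
    """
    return [f"S3 account setting {flag} is not enabled"
            for flag in S3_BLOCK_FLAGS if not config.get(flag, False)]


def evaluate(ebs: dict, policy: dict | None, s3_block: dict) -> dict[str, list[str]]:
    """Map each control to its list of failures; an empty list means PASS."""
    return {
        "ebs-encryption-by-default": check_ebs_default_encryption(ebs),
        "iam-password-policy": check_password_policy(policy),
        "s3-account-block-public-access": check_s3_account_block(s3_block),
    }


def collect_account_state() -> tuple[dict, dict | None, dict]:
    """Fetch the live settings with boto3 (assumed installed and configured)."""
    import boto3
    from botocore.exceptions import ClientError

    ec2, iam, sts = boto3.client("ec2"), boto3.client("iam"), boto3.client("sts")
    s3control = boto3.client("s3control")
    account_id = sts.get_caller_identity()["Account"]

    ebs = ec2.get_ebs_encryption_by_default()
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        policy = None
    try:
        s3_block = s3control.get_public_access_block(
            AccountId=account_id)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        s3_block = {}
    return ebs, policy, s3_block


# Constructed sample: a brand-new account before the Terraform has run.
FRESH_ACCOUNT = ({"EbsEncryptionByDefault": False}, None, {})
# Constructed sample: the same account after the Terraform above is applied.
HARDENED_ACCOUNT = (
    {"EbsEncryptionByDefault": True},
    {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24,
     "RequireSymbols": True, "RequireNumbers": True, "MaxPasswordAge": 90},
    {flag: True for flag in S3_BLOCK_FLAGS},
)

if __name__ == "__main__":
    import sys
    state = collect_account_state() if "--live" in sys.argv else FRESH_ACCOUNT
    for control, failures in evaluate(*state).items():
        print(f"{'FAIL' if failures else 'PASS'}  {control}")
        for failure in failures:
            print(f"        {failure}")
```

Run it without arguments to see the constructed fresh-account sample fail all three controls; run it with --live against a real account (it needs read-only EC2, IAM, STS and S3 Control permissions). The EBS check only reports on the region the client is configured for, matching the per-region nature of the Terraform resource.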

Default VPCs


Every new AWS account includes a "default VPC" in each region.


However, these default VPCs are not configured according to best practice (for example, they lack VPC Flow Logging), so it's common practice to simply delete them from new AWS accounts.


https://gist.github.com/jokeru/e4a25bbd95080cfd00edf1fa67b06996


Security groups


The default security group on any new VPC always fails checks relating to unrestricted ingress and egress.


It's a bit unwieldy to access the default Security Group in CDK [0], so I wrote a program to automate the tightening of the security groups [1].


[0]

[1]
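The control behind this finding expects the default security group of every VPC to allow no traffic at all, so the fix is to revoke every rule AWS puts there. The script below is an added example of that automation, not the program referred to above: revocation_plan() and is_default_group_compliant() work on dicts shaped like ec2.describe_security_groups() output and run offline, while apply_plan() and tighten_all_regions() (assumed to use boto3 with configured credentials) perform the revocations, and only when run with --apply.

```python
"""Find and empty the default security group of every VPC.

Added example, not the program the post refers to. The planning and
compliance functions run offline on dicts shaped like
ec2.describe_security_groups() output; apply_plan() (assumed to use boto3)
revokes the rules, and only when dry_run is False.
"""
from __future__ import annotations


def is_default_group_compliant(group: dict) -> bool:
    """CIS expects the default security group to allow no ingress or egress."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def revocation_plan(groups: list[dict]) -> list[dict]:
    """For each non-compliant default group, list the rules to revoke.

    The permission objects are passed back to the revoke calls unchanged, so
    the plan removes exactly what describe_security_groups reported.
    """
    plan = []
    for group in groups:
        if group.get("GroupName") != "default" or is_default_group_compliant(group):
            continue
        plan.append({
            "GroupId": group["GroupId"],
            "VpcId": group.get("VpcId"),
            "ingress": list(group.get("IpPermissions", [])),
            "egress": list(group.get("IpPermissionsEgress", [])),
        })
    return plan


def apply_plan(ec2, plan: list[dict], dry_run: bool = True) -> int:
    """Revoke the planned rules; returns the number of revoke calls made."""
    calls = 0
    for item in plan:
        for direction, perms in (("ingress", item["ingress"]), ("egress", item["egress"])):
            if not perms:
                continue
            print(f"{'would revoke' if dry_run else 'revoking'} {len(perms)} {direction} "
                  f"rule(s) on {item['GroupId']} (VPC {item['VpcId']})")
            if dry_run:
                continue
            if direction == "ingress":
                ec2.revoke_security_group_ingress(GroupId=item["GroupId"], IpPermissions=perms)
            else:
                ec2.revoke_security_group_egress(GroupId=item["GroupId"], IpPermissions=perms)
            calls += 1
    return calls


def tighten_all_regions(dry_run: bool = True) -> int:
    """Plan and apply in every enabled region (assumes boto3 is installed)."""
    import boto3
    total = 0
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        groups = ec2.describe_security_groups(
            Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
        total += apply_plan(ec2, revocation_plan(groups), dry_run=dry_run)
    return total


# Constructed sample: the rules AWS creates on a default security group (all
# traffic from members of the group in, all traffic out), plus one already emptied.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0", "GroupName": "default",
        "VpcId": "vpc-0123456789abcdef0",
        "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [
            {"GroupId": "sg-0123456789abcdef0", "UserId": "111111111111"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1",
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {
        "GroupId": "sg-0fedcba987654321f", "GroupName": "default",
        "VpcId": "vpc-0fedcba987654321f",
        "IpPermissions": [], "IpPermissionsEgress": [],
    },
]

if __name__ == "__main__":
    import sys
    tighten_all_regions(dry_run="--apply" not in sys.argv)
```

The dry run prints what would be revoked without calling the API, which is worth reviewing first: anything still attached to a default security group loses connectivity once the rules go, so workloads should be moved to purpose-built groups before --apply.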


Root user hardware MFA


It's common practice to set up AWS Control Tower to prevent the use of root accounts, but AWS Security Hub can't detect that this is in place. To clear this warning you have to disable your security control so that root users can be used, log in as root to configure MFA on the user, and then disable root users again.


Alerts and notifications


Many of the CIS benchmark controls require alerting on suspicious or unusual actions, for example, using the root user or changing firewall rules.


I've covered this in a separate post [2].


[2]


Summary


The default configuration of AWS will need some work to meet the CIS AWS Foundations Benchmark, but a lot of progress can be made by applying some configuration and using scripts to automate the resolution.

