AWS Partner Network (APN) Blog
Building Foundational Security and Compliance Capabilities in 10 Minutes with the CIS AWS Quick Start
By Andrew Robinson, Partner Solutions Architect at AWS
Security and compliance teams across Amazon Web Services (AWS) and the AWS Partner Network (APN) continue to make securing and monitoring your resources easier to implement and understand.
That’s the basis of the Center for Internet Security (CIS) Benchmark on AWS Quick Start developed by Accenture, an APN Premier Partner and Managed Service Provider (MSP) with the AWS Security Competency.
To help you get started, we created a new video offering step-by-step best practice guidance on how to deploy the CIS Benchmark Quick Start and build foundational security and continuous monitoring capabilities into your account, in just 10 minutes.
AWS Quick Starts allow users to quickly and consistently deploy secure environments on AWS for a variety of solutions, including DevOps, data and analytics, data lakes, security, and compliance. Quick Starts are built on AWS CloudFormation templates that provide a mechanism for rapid provisioning of services or application architectures.
In this post, we’ll introduce you to the new CIS Benchmark on AWS Quick Start, which was recently certified by CIS for both Level 1 and Level 2 controls.
Watch the Video (8:31)
Background
Working with APN Partners means deep collaboration to ensure our community provides you the most functionality. That collaboration is reflected in the CIS Benchmark on AWS Quick Start, which creates an environment aligned to the CIS AWS Foundations Benchmark.
CIS Benchmarks are consensus-based configuration guidelines developed by experts in U.S. government, business, industry, and academia to help organizations assess and improve security.
Customers can use the reference deployment to create a governance baseline of security controls that can be easily customized. Accenture led the effort to build this Quick Start to serve as a basis for deployments that are not strictly aligned to a compliance or regulatory framework such as PCI DSS or HIPAA.
To help you understand each control, we created a spreadsheet that maps the CIS control to the AWS services and configurations the Quick Start utilizes. It also features links to documentation, whitepapers, and guides that offer additional information and support. The security controls matrix (Excel spreadsheet) also states whether a control is your responsibility or a shared responsibility.
Architecture Details
The diagram below shows the CIS Benchmark Quick Start technical architecture:
Amazon Simple Storage Service (Amazon S3) is used to centrally store all of the logs generated by other services, such as AWS CloudTrail and AWS Config. By using Amazon S3, we can take advantage of the service's inherent availability, durability, and scalability to provide a central and secure location for our logs. The Amazon S3 buckets that store the logs are also encrypted at rest with server-side encryption using AES-256.
AWS CloudTrail provides you with an event history of activity within your AWS account, including actions taken through the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS SDKs. CloudTrail enables you to perform risk and operational audits, and helps you maintain your governance and compliance posture.
Amazon CloudWatch is a monitoring and management service that is closely integrated with CloudTrail. By delivering your CloudTrail logs to a CloudWatch Logs log group, you can define metric filters that match specific activity as it happens in your account, and you can attach alarms and event rules to those metrics for the occurrences you want to know about.
Amazon Simple Notification Service (SNS) delivers a notification whenever a CloudWatch alarm is triggered or an event rule is matched. These rules and alarms are based on CIS recommendations, so by subscribing to the SNS topic you automatically receive a notification when one of them fires.
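The following is an added example and is not code from the Quick Start or from Accenture. It shows the matching logic behind three of the CIS AWS Foundations Benchmark CloudWatch metric filters (3.1 unauthorized API calls, 3.2 console sign-in without MFA, 3.3 root account usage), applied to constructed CloudTrail events. In the Quick Start these conditions exist as CloudWatch Logs metric filter patterns with an alarm on each metric; here the same conditions are written as plain Python so they can be read and run offline against sample log lines. The filter names and the sample events are constructed for the example.

```python
"""
Added example, not code from the CIS Quick Start: the conditions behind three CIS
AWS Foundations Benchmark metric filters, evaluated over constructed CloudTrail events.
"""
import json
from fnmatch import fnmatchcase


def unauthorized_api_call(event):
    # CIS 3.1: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = event.get("errorCode", "")
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")


def console_login_without_mfa(event):
    # CIS 3.2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    # A missing MFAUsed field is treated as "no MFA", which is the safe direction.
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def root_account_usage(event):
    # CIS 3.3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #            && $.eventType != "AwsServiceEvent" }
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


# Filter names are hypothetical; the Quick Start's own metric filter names may differ.
FILTERS = {
    "CIS-3.1-UnauthorizedAPICalls": unauthorized_api_call,
    "CIS-3.2-ConsoleSigninWithoutMFA": console_login_without_mfa,
    "CIS-3.3-RootAccountUsage": root_account_usage,
}


def parse_log_lines(text):
    """CloudTrail delivers one JSON document per CloudWatch Logs event; parse each line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Count matches per filter, i.e. the metric value each CIS alarm watches."""
    counts = {name: 0 for name in FILTERS}
    for ev in events:
        for name, matches in FILTERS.items():
            if matches(ev):
                counts[name] += 1
    return counts


def fired_alarms(counts, threshold=1):
    """The CIS alarms fire when the metric sum is >= 1 within the evaluation period."""
    return sorted(name for name, n in counts.items() if n >= threshold)


# Constructed sample events, not real CloudTrail output; trimmed to the fields the filters read.
SAMPLE_LOG_LINES = """
{"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventType": "AwsApiCall", "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "Client.UnauthorizedOperation"}
{"eventType": "AwsApiCall", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"}
{"eventType": "AwsApiCall", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
{"eventType": "AwsServiceEvent", "eventName": "CreateKey", "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}}
"""

if __name__ == "__main__":
    counts = evaluate(parse_log_lines(SAMPLE_LOG_LINES))
    for name, n in counts.items():
        print(f"{name}: {n}")
    print("alarms fired:", fired_alarms(counts))
```

The last sample line is the edge case the 3.3 pattern is written for: a root-principal event that was actually generated by an AWS service is excluded, so only the interactive root sign-in counts. Running the block on the six sample lines reports two unauthorized calls, one console sign-in without MFA, and one root usage, and all three alarms fire.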
The final puzzle piece is AWS Config, which allows you to assess, audit, and evaluate the configuration of your AWS resources. The CIS Benchmark on AWS Quick Start uses a combination of managed AWS Config rules, which are provided by AWS, and custom rules that are implemented as AWS Lambda functions. Some of these rules are evaluated on a schedule, and others are evaluated whenever a resource's configuration changes.
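As an added example, and not one of the Quick Start's own rules, the block below shows the shape a custom, change-triggered AWS Config rule takes when implemented as a Lambda function: it receives a configuration item, evaluates it, and reports COMPLIANT, NON_COMPLIANT, or NOT_APPLICABLE back to Config. The check itself covers several CIS logging controls for a CloudTrail trail (2.1 multi-region, 2.2 log file validation, 2.4 CloudWatch Logs integration, 2.7 KMS encryption). The configuration field names are assumed to follow the AWS Config configuration item for AWS::CloudTrail::Trail, and the sample items and resource IDs are constructed for the example.

```python
"""
Added example, not code from the CIS Quick Start: a custom AWS Config rule, as a Lambda
handler, that checks one CloudTrail trail against CIS 2.1, 2.2, 2.4 and 2.7.
The evaluation functions are pure so they can be run and tested offline.
"""
import json


def evaluate_trail(configuration):
    """Return (compliance_type, annotation) for one AWS::CloudTrail::Trail configuration.
    Field names are assumed to match the Config configuration item for a trail;
    verify them against a real item before relying on this rule."""
    failures = []
    if not configuration.get("isMultiRegionTrail"):
        failures.append("CIS 2.1: trail is not multi-region")
    if not configuration.get("logFileValidationEnabled"):
        failures.append("CIS 2.2: log file validation disabled")
    if not configuration.get("cloudWatchLogsLogGroupArn"):
        failures.append("CIS 2.4: trail not delivering to CloudWatch Logs")
    if not configuration.get("kmsKeyId"):
        failures.append("CIS 2.7: trail logs not encrypted with a KMS key")
    if failures:
        return "NON_COMPLIANT", "; ".join(failures)
    return "COMPLIANT", "Trail meets CIS 2.1, 2.2, 2.4 and 2.7"


def build_evaluation(invoking_event):
    """Turn a change-triggered invoking event into one put_evaluations entry."""
    item = invoking_event["configurationItem"]
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # A deleted trail must not be left as NON_COMPLIANT in the dashboard.
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_trail(item.get("configuration", {}))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Scheduled evaluations carry no configurationItem; a scheduled rule would have
        # to call cloudtrail:DescribeTrails itself. This rule is change-triggered only.
        return None
    evaluation = build_evaluation(invoking_event)
    import boto3  # imported here so the pure functions above run without boto3 installed
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items (not real Config output), trimmed to the fields the rule reads.
COMPLIANT_TRAIL = {
    "isMultiRegionTrail": True,
    "logFileValidationEnabled": True,
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Logs:*",
    "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
}
NONCOMPLIANT_TRAIL = {"isMultiRegionTrail": True, "logFileValidationEnabled": False}


def sample_invoking_event(configuration, status="OK"):
    """Build a constructed change-triggered invoking event around one trail configuration."""
    return {
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "management-events",  # hypothetical trail name
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2019-01-01T00:00:00.000Z",
            "configuration": configuration,
        },
    }


if __name__ == "__main__":
    for cfg in (COMPLIANT_TRAIL, NONCOMPLIANT_TRAIL):
        print(build_evaluation(sample_invoking_event(cfg)))
```

The annotation lists every failed control rather than stopping at the first, which is what you want when the finding lands in the Config console or in a notification: one evaluation tells the operator everything that needs fixing on that trail.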
Conclusion
The newly updated CIS Benchmark on AWS Quick Start, security controls mapping, and deployment video guide are available now to help you quickly and consistently build foundational security and compliance capabilities into your account.
Check out the CIS Benchmark on AWS Quick Start >>
Accenture – APN Partner Spotlight
Accenture is an APN Premier Partner. They are a global professional services company that provides an end-to-end solution to migrate to and manage operations on AWS.