Create AWS Accounts and Align to the CIS AWS Foundations Benchmark with Stax
By Rowan Udell, Principal Solutions Architect – Stax
By Kelly Griffin, Sr. Partner Success Manager – AWS
In this post, we will examine the CIS AWS Foundations Benchmark, exploring how it can help organizations operate securely whilst examining the common challenges businesses face in its implementation. We will then look at how Stax can offer a solution to speed up Amazon Web Services (AWS) account creation while adhering to the CIS AWS Foundations Benchmark.
Creating and configuring AWS accounts securely can be a time-consuming and tedious exercise. Competing priorities can result in rushed or inconsistent process, impacting security, agility, and velocity.
To avoid this point of security failure, we recommend creating a process that aligns teams on a common security standard. Starting at the baseline is the CIS AWS Foundations Benchmark by the Center for Internet Security (CIS). This represents a sensible, rational, and achievable standard for security that all AWS customers can benefit from, regardless of their size, industry, or application.
Stax is an AWS Cloud Management Tools Competency Partner and managed platform that accelerates secure AWS outcomes through prefabricated patterns, proactive guardrails, and data insights.
What is the CIS AWS Foundations Benchmark?
The Center for Internet Security (CIS) is an AWS Partner as well and nonprofit that aims to make “the connected world a safer place for people, businesses, and governments.”
As part of this goal, CIS creates and maintains a variety of technical benchmarks for different types of technology, like operating systems (including different distributions of Linux, Windows, and more), server software (such as Tomcat, BIND, and Kubernetes), and cloud providers including AWS.
The CIS AWS Foundations Benchmark represents a great starting point for your security in the cloud, but you will have to apply it yourself.
AWS provides the tools and services you need to secure your cloud environment, but it can’t deploy those services on your behalf due to the AWS Shared Responsibility Model, which states that security and compliance is a shared responsibility between AWS and the customer.
The benchmark is provided for free and contains hundreds of pages of detail that is not unique to a particular customer or scenario. Getting started with the benchmark can be intimidating.
Part of the challenge is finding the people with the experience and skills to create these accounts, as well as the time to do so. While your team can learn by “doing,” security is an area where learning on the job can be costly—not just in terms of money but also in reputational risk.
When AWS customers find difficulty in following a security baseline, they incur technical debt that can cause security issues and slow down velocity. Business and technology owners need confidence their environment is optimal, and that teams are solving business needs without sacrificing good security.
Configuring and securing your AWS accounts is the first step to being secure on AWS.
Security and compliance are not “set and forget” projects but rather an ongoing, always-on program of work. This means verification of your AWS environment and keeping up to date with changes from both AWS and the CIS benchmark. By doing so, organizations can ensure their security doesn’t suffer drift or inconsistencies.
Without guardrails to enforce good practices, and automation to validate and report on the state of your environment, issues and blind spots can creep in to an environment and cause issues when it comes time to audit or troubleshoot an issue.
Stax Offers a Solution
Stax offers an account management solution that allows developers to create a secure AWS account in just 10 minutes. This is a task that would normally take days and multiple people resources.
With Stax, the AWS account will be:
- Aligned with the CIS AWS Foundations Benchmark.
- Aligned with the AWS Well-Architected Framework.
- Integrated into your multi-account AWS environment.
- Properly configured for logging and eventing.
- Automatically maintained and updated in line with AWS security updates and fixes.
The premise of the Stax platform is to spend less time on AWS and instead focusing energy on building further up the stack to solve core business problems with velocity. In the figure below, you can see a dashboard highlighting the compliance against a specific rule (showing CIS Benchmark). This dashboard provides a quick view to determine the current posture as, well as highlighting areas that need improvement.
Figure 1 – Example CIS Stax rules report.
Building on Stax doesn’t mean you’re limited to the CIS benchmark, either. You can layer additional Stax Rule Bundles to service-specific best practice recommendations, or you can deploy AWS Config Conformance Packs in your accounts to meet new or evolving compliance standards.
Figure 2 – Stax CIS Benchmark Rule Bundles.
What is Stax?
Stax was born out of the lessons and experience gained from nearly a decade spent delivering enterprise-grade cloud solutions to hundreds of AWS customers. It was here the Stax founders realized they could help accelerate the requirements for cloud migrations and automate maintenance by providing a secure and compliant, feature-rich platform to help businesses operate on the AWS Cloud.
The Stax platform provides:
- Prefabricated foundations that accelerate implementation.
- Powerful automation that simplifies tasks and helps build the platform faster.
- Process repeatability that removes human error.
- Ready-made dashboards that can be customized for specific needs.
- Off the shelf alerting that is proactive and real-time.
- Pre-packaged capabilities for a range of uses from industry and regulatory standards to experiential bundles.
- Cost control, tagging, and simplified administration.
Stax’s native cloud management platform is built by developers, for developers, helping free them up to deliver higher value work for their companies.
Because Stax is native to AWS, all AWS accounts created by Stax align to the CIS AWS Foundations Benchmark and AWS Well-Architected Framework by default. Stax leverages AWS services and maintains those services so they are up to date with the latest security features and improvements.
Stax offers accelerated, simple, and secure AWS account creation, adoption, and management, to support a multi-account approach to AWS.
How to Create an AWS Account with Stax
You just need to decide the name for the account, and which account type you want to assign. A new account will be created in 10 minutes that is integrated with your environment.
The account type determines which of your Stax user groups have access to the account and the guardrails that will be applied. You can add tags to the account and Stax will make sure those tags are applied to all of the reporting on that account.
How Does Stax Account Management Work?
Stax account management uses AWS-native services like AWS Organizations, AWS Identity and Access Management (IAM), AWS CloudTrail, Amazon GuardDuty, and others to provision, integrate, and harden accounts in your AWS environment, as well as apply guardrail policies.
Once deployed, Stax Rules verifies your accounts to ensure they stay in line with the CIS benchmark. Since Stax provides account management as a service, Stax ensures the functionality stays up to date with changes from AWS, giving you an evergreen cloud foundation to build your applications on.
Stax also keeps track of different versions of the CIS AWS Foundations Benchmark and makes them available when you’re ready to update your security posture.
The CIS AWS Foundations Benchmark provides a security baseline for organizations operating on AWS. A goal for all organizations should be adhering to the CIS AWS Foundations Benchmark, but doing so can be difficult without the right people.
Creating and configuring AWS accounts securely can be a time-consuming and tedious exercise. If not properly executed, this can result in rushed or inconsistent process, impacting security, agility, and velocity.
Stax enables organizations to create secure AWS accounts that comply with the CIS AWS Foundations Benchmark in minutes.
Stax – AWS Partner Spotlight
Stax is an AWS Competency Partner and managed platform that accelerates secure AWS outcomes through prefabricated patterns, proactive guardrails, and data insights.