Starting from $0.02 to $0.02/hr for software + AWS usage fees
The ability to launch instances hardened according to the trusted secure configuration baselines prescribed by the Center for Internet Security's (CIS) expert consensus teams is now available in the AWS Marketplace. Reduce cost, time, and risk by building your AWS solution with AMIs that are preconfigured to align with industry best practice for secure configuration.
Default configuration fails to log SSH sessions
By default, the /var/log/auth.log file is set to be owned by root. This prevents syslog from writing SSH session information to the file and important security information is lost. A plain vanilla Ubuntu 14.04 image sets the /var/log/auth.log file to be owned by the syslog user and that correctly logs SSH sessions out of the box. On this CIS AMI, once you change the owner of /var/log/auth.log back to the syslog user, then it starts logging as expected.
This is a very basic and critical bug for CIS to miss in their testing.
It's not bad
I'm not giving it 5 stars because it takes a lot to get 5 stars in my book, but it's definitely not bad. A lot of our production servers are based on this build and they run great, and they're secure. I've gone over bits and pieces of the guide and they all seem to be implemented in this build so it's a huge time saver.
The image type is limited
The t1 and t2 image types are not available during instance creation even though they are listed on the product preview page. The smallest image type is m2.
Does not follow the latest CIS benchmark
If you follow the CIS benchmark https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_14.04_LTS_Server_Benchmark_v1.0.0.pdf you can see that auditd needs to be enabled (and other auditing settings too). However, according to our tests, auditd was not installed on this image even though it claims to follow the CIS benchmark.
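A host-side check for the two findings raised in the reviews above (ownership of /var/log/auth.log and presence of a running auditd), added here as an example; it is not code from the listing, the reviewers, or CIS, and it assumes a Linux host with stat plus either systemctl or the sysvinit/upstart service command.

```shell
#!/bin/sh
# Added posture check: confirms syslog can own auth.log and that auditd is installed and running.

# check_owner PATH USER: 0 if PATH is owned by USER, 1 if owned by someone else, 2 if missing.
check_owner() {
    path="$1"; expected="$2"
    [ -e "$path" ] || { echo "MISSING: $path" >&2; return 2; }
    # GNU stat first, BSD stat as a fallback
    actual=$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path" 2>/dev/null) || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $path owned by $actual"
        return 0
    fi
    echo "FAIL: $path owned by $actual, expected $expected (syslog cannot write session records)" >&2
    return 1
}

# check_auditd: 0 if the audit tools are present and the auditd service is active, else 1.
check_auditd() {
    if ! command -v auditctl >/dev/null 2>&1; then
        echo "FAIL: auditd not installed (auditctl not in PATH)" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet auditd && { echo "OK: auditd active"; return 0; }
    elif command -v service >/dev/null 2>&1; then
        service auditd status >/dev/null 2>&1 && { echo "OK: auditd active"; return 0; }
    fi
    echo "FAIL: auditd installed but not running" >&2
    return 1
}

# run_checks: runs both checks and returns the number of failures (0 means the host passes).
run_checks() {
    failures=0
    check_owner /var/log/auth.log syslog || failures=$((failures + 1))
    check_auditd || failures=$((failures + 1))
    return "$failures"
}

# Usage: run_checks; echo "failures: $?"
```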