Implementing CIS Benchmarks
Translate CIS security benchmarks into enforceable policies across AWS, Azure, and GCP using Policy as Code.
📋 Prerequisites
- Admin access to at least one major cloud provider (AWS, Azure, or GCP)
- Familiarity with the chosen cloud's policy service (e.g., AWS Config, Azure Policy)
- Experience with Infrastructure as Code (IaC), preferably Terraform
- Basic knowledge of OPA/Rego is helpful but not required
- A downloaded copy of the relevant CIS Benchmark PDF for reference
🎯 What You'll Learn
- How to interpret CIS Benchmark controls and map them to cloud services
- Implementing CIS policies for AWS using AWS Config and custom rules
- Enforcing CIS benchmarks in Azure with Azure Policy definitions and initiatives
- Applying CIS controls in GCP using Organization Policy and Security Health Analytics
- Writing cloud-agnostic CIS checks with OPA and Terraform
- Automating CIS compliance checks in a CI/CD pipeline
CIS Benchmarks Policy Automation: Complete Implementation Guide
The Center for Internet Security (CIS) Benchmarks are globally recognized best practices for securing IT systems and data. They provide detailed, step-by-step guidance to establish a secure baseline configuration. For cloud environments, CIS provides specific benchmarks for AWS, Azure, GCP, Kubernetes, and more. Implementing these benchmarks is a foundational step for any organization's security and compliance program.
🔒 Foundational Security
Provides a robust, consensus-developed security baseline to protect against common threats.
✅ Compliance Alignment
CIS Benchmarks map directly to major compliance frameworks like PCI DSS, HIPAA, and NIST.
🤖 Automation Ready
The prescriptive nature of the benchmarks makes them ideal for automation with Policy as Code.
Automated CIS Compliance Checking: AWS Implementation Tutorial
AWS provides managed conformance packs for CIS Benchmarks within AWS Config, which simplifies deployment. You can also implement individual controls as custom rules.
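As an added example of such a custom rule (this is not code from the page or from AWS), here is a Lambda-backed AWS Config rule for the CloudTrail encryption control discussed further down this page (CIS AWS 2.3.1 as numbered there): Config invokes the function with a configuration item for a trail, and the function reports COMPLIANT or NON_COMPLIANT back through put_evaluations. It assumes the standard custom-rule event shape (a JSON string in invokingEvent carrying configurationItem, and a resultToken to echo back) and that the trail's key ARN sits under configuration["kmsKeyId"], the field name CloudTrail's DescribeTrails API uses. The sample items and the recording client are constructed so the logic runs offline.

```python
"""Custom AWS Config rule (Lambda handler) for CIS AWS 2.3.1: CloudTrail log
files must be encrypted at rest with a KMS key.

Added example; not code from this page. Assumptions: the standard custom-rule
event shape (event["invokingEvent"] is a JSON string carrying a
"configurationItem", event["resultToken"] is echoed back in put_evaluations)
and that the trail's key ARN is under configuration["kmsKeyId"], the field
name CloudTrail's DescribeTrails API uses.
"""
import json
from typing import Optional, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_compliance(item: dict) -> Tuple[str, str]:
    """Return (verdict, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::CloudTrail::Trail":
        return NOT_APPLICABLE, "rule only evaluates AWS::CloudTrail::Trail"
    if item.get("configurationItemStatus") in DELETED_STATUSES:
        return NOT_APPLICABLE, "trail no longer exists"
    kms_key_id = (item.get("configuration") or {}).get("kmsKeyId")
    if not kms_key_id:
        return NON_COMPLIANT, "CIS AWS 2.3.1: trail has no KMS key, log files are not SSE-KMS encrypted"
    return COMPLIANT, f"CIS AWS 2.3.1: log files encrypted with {kms_key_id}"


def build_evaluation(item: dict) -> dict:
    """Shape the verdict the way PutEvaluations expects it."""
    verdict, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "Annotation": annotation[:256],  # Config rejects annotations over 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Entry point wired to the Config rule. config_client is injectable so the
    logic can be exercised offline; inside Lambda it defaults to boto3."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    if config_client is None:
        import boto3  # only imported when really running in Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


# --- offline fixtures: constructed sample data, not real account output ---
def sample_item(kms_key_id: Optional[str]) -> dict:
    configuration = {"name": "org-trail", "s3BucketName": "example-logs",
                     "isMultiRegionTrail": True}
    if kms_key_id:
        configuration["kmsKeyId"] = kms_key_id
    return {
        "resourceType": "AWS::CloudTrail::Trail",
        "resourceId": "org-trail",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": configuration,
    }


def make_event(item: dict, result_token: str = "example-token") -> dict:
    """Wrap a configuration item the way Config does when invoking the Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": result_token}


class RecordingConfigClient:
    """Stand-in for boto3's Config client that records what would be sent."""
    def __init__(self) -> None:
        self.calls = []

    def put_evaluations(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    for key in (None, "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"):
        result = lambda_handler(make_event(sample_item(key)), config_client=client)
        print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
```

The NOT_APPLICABLE branches matter: a rule that reports NON_COMPLIANT for a deleted trail or for a resource type it was never meant to evaluate creates noise that teams learn to ignore. Note that AWS also ships a managed rule for this control (SourceIdentifier CLOUD_TRAIL_ENCRYPTION_ENABLED), so a custom rule like this one is only worth maintaining when you need logic the managed rule does not offer, such as requiring a particular key.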
🔧 CIS AWS 1.2 - Ensure MFA is enabled for the 'root' user
This is a critical control. While checking the root user itself is manual, you can enforce MFA for all other IAM users with a custom AWS Config Rule.
aws-config-mfa-rule.yaml
# AWS Config Rule to enforce MFA on all IAM Users
Resources:
  MfaEnabledRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: "iam-user-mfa-enabled"
      Description: "Checks if AWS IAM users have multi-factor authentication (MFA) enabled. Maps to CIS AWS Foundations v1.4.0, Control 1.4."
      Source:
        Owner: "AWS"
        SourceIdentifier: "IAM_USER_MFA_ENABLED"
      Scope:
        ComplianceResourceTypes:
          - "AWS::IAM::User"
🔧 CIS AWS 2.3.1 - Ensure CloudTrail logs are encrypted at rest
This policy uses a `deployIfNotExists` effect to automatically enable KMS encryption on CloudTrail if it's missing.
azure-policy-cloudtrail-encryption.json
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Insights/diagnosticSettings"
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.KeyVault/vaults/keys",
      "existenceCondition": {
        "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
        "equals": "Dedicated"
      },
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
      ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            // ARM template to deploy a KMS key for encryption
          }
        }
      }
    }
  }
}
CIS Controls Implementation with OPA: Azure Security Automation
Azure Security Center provides built-in CIS benchmark compliance assessments. You can enforce these recommendations using Azure Policy.
🔧 CIS Azure 1.1.0 - Ensure multifactor authentication is enabled for all users in administrative roles
This policy audits for administrative accounts that do not have MFA enabled. It is written as an auditIfNotExists rule: for each subscription, it looks for the Security Center assessment with the given name and raises an audit finding unless that assessment's status is Healthy (or NotApplicable), so subscriptions whose owner-role accounts already have MFA produce no finding.
azure-policy-admin-mfa.json
{
  "name": "MFAOnAdminRoles",
  "properties": {
    "displayName": "MFA should be enabled on accounts with owner permissions",
    "description": "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "1f208148-3566-408a-b825-357a796b7ffc",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [ "NotApplicable", "Healthy" ]
          }
        }
      }
    }
  }
}
CIS Benchmark Kubernetes Policies: Google Cloud Implementation
Google Cloud's Security Health Analytics, part of Security Command Center, automatically scans your environment for compliance with a subset of CIS controls.
🔧 CIS GCP 1.5 - Ensure that separation of duties is enforced for KMS-related roles
This can be enforced with an Organization Policy that restricts which principals can be granted IAM roles at all: the constraint below only allows identities belonging to your own Google Workspace customer ID, so outside accounts cannot be bound to sensitive roles such as the KMS ones.
gcp-iam-kms-policy.yaml
constraint: "constraints/iam.allowedPolicyMemberDomains"
listPolicy:
  allowedValues:
    - "C01abc234" # Customer ID for your primary Google Workspace domain; principals outside it are denied
💡 Security Baseline Policy Enforcement: CIS Hardening Automation
Start with the Official Docs
Always begin by reading the official CIS Benchmark PDF for your target platform to understand the rationale behind each control.
Leverage Native Tooling
Use cloud-native services like AWS Config, Azure Policy, and GCP Security Command Center as your first line of defense. They have built-in mappings to CIS controls.
Automate with Policy as Code
For controls not covered by native tools or for multi-cloud enforcement, use Terraform and OPA to create custom, automated checks.
Focus on Prevention
Integrate CIS compliance checks directly into your CI/CD pipelines to prevent non-compliant infrastructure from ever being deployed.
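As an added example of such a pipeline gate (this is not the page's code nor any project's), the script below evaluates the JSON form of a Terraform plan (`terraform show -json tfplan`) against two controls named on this page: CloudTrail log encryption (CIS AWS 2.3.1) and separation of duties for KMS roles in GCP (CIS GCP 1.5 as numbered here). It is written in Python rather than Rego so it runs with nothing but the standard library, but the shape is the same as an OPA check: walk planned_values, collect findings, exit non-zero so the pipeline stops. The sample plan embedded at the bottom is constructed, not real Terraform output. One detail worth seeing is how it treats a kms_key_id that references another resource (`aws_kms_key.trail.arn`): that value is unknown until apply and is therefore absent from planned_values, so a naive check would fail every trail that does the right thing; the script reads after_unknown from resource_changes to avoid that false positive.

```python
"""Policy-as-code gate over a Terraform plan JSON, covering two CIS controls
named on this page. Added example, not the page's or any project's code;
Python stands in for Rego so the check runs without OPA installed.

CI usage:
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    python cis_plan_gate.py plan.json    # exit status 1 on any finding
"""
import json
import sys
from typing import Dict, Iterator, List, Set

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
KMS_CRYPTO_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk planned_values.root_module and every nested child_modules entry."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unknown_attributes(plan: dict) -> Dict[str, Set[str]]:
    """Address -> attributes only known at apply time (e.g. a kms_key_id that
    references aws_kms_key.x.arn). Terraform lists these under
    resource_changes[].change.after_unknown, not in planned_values."""
    unknown: Dict[str, Set[str]] = {}
    for change in plan.get("resource_changes", []):
        after_unknown = change.get("change", {}).get("after_unknown") or {}
        attrs = {k for k, v in after_unknown.items() if v is True}
        if attrs:
            unknown[change["address"]] = attrs
    return unknown


def check_cloudtrail_encryption(resources: List[dict], unknown: Dict[str, Set[str]]) -> List[str]:
    """CIS AWS 2.3.1: every aws_cloudtrail must set kms_key_id."""
    findings = []
    for res in resources:
        if res.get("type") != "aws_cloudtrail":
            continue
        addr = res["address"]
        if res.get("values", {}).get("kms_key_id") or "kms_key_id" in unknown.get(addr, set()):
            continue  # set to a literal, or to a value computed at apply time
        findings.append(f"CIS AWS 2.3.1: {addr} has no kms_key_id (CloudTrail logs not KMS-encrypted)")
    return findings


def check_kms_separation_of_duties(resources: List[dict]) -> List[str]:
    """CIS GCP 1.5 (as numbered on this page): no principal may hold
    roles/cloudkms.admin together with a crypto key encrypt/decrypt role."""
    roles_by_member: Dict[str, Set[str]] = {}
    for res in resources:
        if res.get("type") not in ("google_project_iam_member", "google_project_iam_binding"):
            continue
        values = res.get("values", {})
        members = values.get("members") or [values.get("member")]
        for member in members:
            if member and values.get("role"):
                roles_by_member.setdefault(member, set()).add(values["role"])
    findings = []
    for member, roles in sorted(roles_by_member.items()):
        crypto = roles & KMS_CRYPTO_ROLES
        if KMS_ADMIN_ROLE in roles and crypto:
            findings.append(f"CIS GCP 1.5: {member} holds {KMS_ADMIN_ROLE} and {sorted(crypto)} (no separation of duties)")
    return findings


def evaluate_plan(plan: dict) -> List[str]:
    """Run every check over the plan and return the combined findings."""
    resources = list(iter_resources(plan.get("planned_values", {}).get("root_module", {})))
    return check_cloudtrail_encryption(resources, unknown_attributes(plan)) + check_kms_separation_of_duties(resources)


# Constructed sample plan (not real Terraform output): one unencrypted trail, one
# trail whose key ARN is computed at apply time (must not be flagged), and one
# user holding both the KMS admin and encrypter/decrypter roles.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
             "values": {"name": "org-trail", "s3_bucket_name": "example-logs"}},
            {"address": "aws_cloudtrail.audit", "type": "aws_cloudtrail",
             "values": {"name": "audit-trail", "s3_bucket_name": "example-logs"}},
        ],
        "child_modules": [{"address": "module.kms", "resources": [
            {"address": "module.kms.google_project_iam_member.admin", "type": "google_project_iam_member",
             "values": {"role": KMS_ADMIN_ROLE, "member": "user:alice@example.com"}},
            {"address": "module.kms.google_project_iam_binding.crypto", "type": "google_project_iam_binding",
             "values": {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                        "members": ["user:alice@example.com", "serviceAccount:app@example.iam.gserviceaccount.com"]}},
        ]}],
    }},
    "resource_changes": [
        {"address": "aws_cloudtrail.audit", "type": "aws_cloudtrail",
         "change": {"actions": ["create"], "after_unknown": {"id": True, "kms_key_id": True}}},
    ],
}


def main(argv: List[str]) -> int:
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = evaluate_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    print("OK: no CIS findings" if not findings else f"{len(findings)} finding(s), blocking deploy")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the gate reads the plan rather than the .tf source, it sees the values Terraform will actually apply, including those coming from modules and variables. The same two checks are easy to express as OPA rules once the team is comfortable with Rego; the point of the Python version is to show the decision logic and the apply-time-unknown caveat without tooling in the way.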
Compliance is Continuous
Don't treat CIS as a one-time audit. Use continuous monitoring tools to detect configuration drift and maintain your security posture over time.