Intermediate · 30 min read · compliance-security · Updated: 2024-06-14

Enforcing CIS Benchmarks

Write policies to automate compliance checks for CIS security standards.

📋 Prerequisites

  • Strong understanding of a specific CIS Benchmark (e.g., AWS Foundations, Kubernetes).
  • Proficiency in a policy-as-code language like Rego (OPA) or Sentinel.
  • Experience with the target platform's (e.g., AWS, GCP, Kubernetes) resources and configurations.
  • Familiarity with JSON/YAML data structures representing cloud resources.

🎯 What You'll Learn

  • How to map CIS Benchmark controls to specific policy rules.
  • Techniques for parsing and evaluating cloud resource configurations.
  • Writing OPA/Rego policies for common CIS controls.
  • Implementing Sentinel policies for Terraform to enforce CIS standards.
  • Strategies for handling exceptions and customizations.
  • Integrating CIS policy checks into CI/CD pipelines for proactive enforcement.

🏷️ Topics Covered

how to enforce cis benchmarks automatically, cis compliance automation with policy as code, automated cis security controls implementation, cis benchmark policy validation tutorial, security hardening automation best practices, cis controls enforcement with opa rego

💡 Why Automate CIS Enforcement?

Manually auditing against hundreds of CIS Benchmark controls is slow, error-prone, and doesn't scale. By translating these benchmarks into policies, you create an automated, repeatable, and continuous enforcement mechanism that ensures your infrastructure remains secure and compliant by default.

CIS Benchmarks Policy Automation: Control Mapping Tutorial

The first and most critical step is translating a human-readable CIS control into a machine-readable policy. This involves identifying the specific resource properties and values that determine compliance.

1️⃣ Select a Control

CIS AWS Foundations Benchmark 1.1 (v1.2.0 numbering; later revisions renumber this control): "Avoid the use of the 'root' account."


2️⃣ Identify Target Data

Two sources carry the evidence. The IAM credential report's `<root_account>` row shows when the root password and any root access keys were last used, which is enough for a periodic audit. CloudTrail records every individual root action with its time, API call and source IP, so CloudTrail events are the right input for a continuous check.


3️⃣ Define Policy Logic

The policy should flag any recent CloudTrail event where `userIdentity.type == "Root"`, `userIdentity.invokedBy` is absent and `eventType != "AwsServiceEvent"`. This is the same condition the benchmark uses for its root-usage CloudWatch metric filter; the `invokedBy` check excludes calls that AWS services make on the root user's behalf, which would otherwise produce false positives.


4️⃣ Write the Code

Implement the logic in a policy language like Rego to check the input data for violations.
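Putting the four steps together, here is an added example (not code from the original page) that implements control 1.1 over a batch of CloudTrail events. The input layout `input.cloudtrail_events` and the sample records in the inline tests are constructed for this example; the three conditions are the ones the benchmark's own CloudWatch metric filter for root usage applies. Save it as a `.rego` file and run `opa test .` to execute the tests.

```rego
package cis.aws.v1_1

import rego.v1

# Root usage as the benchmark's metric filter defines it: the caller is the
# root identity, no AWS service invoked the call on root's behalf
# (`invokedBy` absent), and the record is not an AwsServiceEvent.
root_usage contains event if {
    some event in input.cloudtrail_events
    event.userIdentity.type == "Root"
    not event.userIdentity.invokedBy
    event.eventType != "AwsServiceEvent"
}

# One finding per root action, with enough context to triage it.
deny contains msg if {
    some event in root_usage
    msg := sprintf("CIS AWS 1.1: root account used at %s (%s from %s); use an IAM identity instead",
        [event.eventTime, event.eventName, event.sourceIPAddress])
}

# Constructed CloudTrail records for `opa test`; the IPs are documentation ranges.
root_login := {
    "eventTime": "2024-06-01T08:15:00Z",
    "eventName": "ConsoleLogin",
    "eventType": "AwsConsoleSignIn",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "Root"}
}

service_on_behalf_of_root := {
    "eventTime": "2024-06-01T08:16:00Z",
    "eventName": "CreateLogStream",
    "eventType": "AwsApiCall",
    "sourceIPAddress": "cloudtrail.amazonaws.com",
    "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}
}

iam_user_call := {
    "eventTime": "2024-06-01T09:00:00Z",
    "eventName": "GetCallerIdentity",
    "eventType": "AwsApiCall",
    "sourceIPAddress": "203.0.113.11",
    "userIdentity": {"type": "IAMUser", "userName": "alice"}
}

test_root_console_login_is_denied if {
    result := deny with input as {"cloudtrail_events": [root_login, iam_user_call]}
    count(result) == 1
    some msg in result
    contains(msg, "ConsoleLogin")
}

test_service_acting_for_root_is_not_root_usage if {
    count(deny) == 0 with input as {"cloudtrail_events": [service_on_behalf_of_root, iam_user_call]}
}
```

Feeding real data means exporting the last 24 hours (or whatever window the check runs on) of CloudTrail events into the `cloudtrail_events` array and evaluating `data.cis.aws.v1_1.deny`; the `invokedBy` test is what keeps service-initiated calls such as CloudTrail's own log delivery out of the findings.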

Automated CIS Compliance Checking: OPA Implementation Guide

Open Policy Agent (OPA) evaluates policies written in its language, Rego, against structured data such as JSON, so the same policy can run against a cloud inventory export, a Kubernetes manifest or a Terraform plan. The examples below use the `import rego.v1` syntax (`deny contains msg if { ... }`), which OPA 0.59 and later accept and which became the default in OPA 1.0; older `deny[msg] { ... }` policies need the `--v0-compatible` flag there.

Example: CIS AWS 2.1 and 2.2 - Ensure CloudTrail is Enabled in All Regions with Log File Validation

Recommendations 2.1 and 2.2 (v1.2.0 numbering; 3.1 and 3.2 in later revisions) require a trail that covers all regions, is actively logging, and has log file validation enabled. The policy below walks an array of trail descriptions (assumed to be `describe-trails` output with the `get-trail-status` fields merged in and keys converted to snake_case) and reports each trail individually. Two caveats: it is stricter than the benchmark, which only requires that one compliant multi-region trail exists, so a deliberately single-region trail beside a compliant one will be flagged; and it never checks `is_logging`, so a stopped trail passes.

📋 Rego Policy for CloudTrail Logging

package cis.aws.cloudtrail_per_trail

import rego.v1

# Deny if any trail is not multi-region
deny contains msg if {
    some trail in input.aws_cloudtrail
    not trail.is_multi_region_trail

    msg := sprintf("CIS AWS 2.1: CloudTrail '%s' is not a multi-region trail.", [trail.name])
}

# Deny if any trail does not have log file validation enabled
deny contains msg if {
    some trail in input.aws_cloudtrail
    not trail.log_file_validation_enabled

    msg := sprintf("CIS AWS 2.2: CloudTrail '%s' does not have log file validation enabled.", [trail.name])
}
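The per-trail rules above are stricter than the benchmark's wording. As an added example (not the page's code), the following policy follows the control as written: the account is non-compliant only when no trail is multi-region, currently logging, and validating its log files. It uses the same assumed input layout, with `is_logging` taken from `get-trail-status`, and shows the absence-check pattern (deny when nothing qualifies) that the per-resource style cannot express. The trail descriptions in the tests are constructed.

```rego
package cis.aws.cloudtrail_account

import rego.v1

# Trails that satisfy the benchmark on their own: all regions, delivering
# logs right now, and log file validation turned on.
compliant_trails contains trail.name if {
    some trail in input.aws_cloudtrail
    trail.is_multi_region_trail
    trail.is_logging
    trail.log_file_validation_enabled
}

# Absence check: the violation is that no qualifying trail exists, not that
# some trail falls short. A single-region trail beside a compliant one is fine.
deny contains msg if {
    count(compliant_trails) == 0
    msg := "CIS AWS 2.1/2.2: no multi-region CloudTrail trail that is logging with log file validation enabled"
}

# Constructed trail descriptions for `opa test`.
org_trail := {"name": "org-trail", "is_multi_region_trail": true, "is_logging": true, "log_file_validation_enabled": true}
dev_trail := {"name": "dev-us-east-1", "is_multi_region_trail": false, "is_logging": true, "log_file_validation_enabled": false}
paused_trail := {"name": "org-trail", "is_multi_region_trail": true, "is_logging": false, "log_file_validation_enabled": true}

test_single_region_trail_is_tolerated_next_to_compliant_one if {
    count(deny) == 0 with input as {"aws_cloudtrail": [org_trail, dev_trail]}
}

test_paused_trail_does_not_count if {
    count(deny) == 1 with input as {"aws_cloudtrail": [paused_trail, dev_trail]}
}

test_no_trails_is_a_violation if {
    count(deny) == 1 with input as {"aws_cloudtrail": []}
}
```

The empty-input test matters: a collector that fails to list trails must surface as a violation rather than a silent pass, which is exactly what a per-trail `deny` would produce.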

Example: Kubernetes - Ensure Container CPU Limits are Set

This is a hardening check that is usually bundled into CIS-style Kubernetes baselines rather than a numbered recommendation of the CIS Kubernetes Benchmark (whose 5.1.1 concerns restricting use of the cluster-admin role). The policy evaluates a Pod manifest passed as `input` and requires a CPU limit on every container and init container. When run as a Gatekeeper admission policy the object arrives under `input.review.object` instead, and workload controllers such as Deployments and Jobs carry the pod spec under `spec.template.spec`, so the paths below need adjusting for those cases.

🛡️ Rego Policy for K8s CPU Limits

package k8s.pod_cpu_limits

import rego.v1

# Input is a Pod manifest. Deny every regular container without a CPU limit.
deny contains msg if {
    some container in input.spec.containers
    not container.resources.limits.cpu

    msg := sprintf("Container '%s' in Pod '%s' is missing CPU limits.", [container.name, input.metadata.name])
}

# Init containers run before the Pod's containers and need limits as well.
deny contains msg if {
    some container in input.spec.initContainers
    not container.resources.limits.cpu

    msg := sprintf("Init container '%s' in Pod '%s' is missing CPU limits.", [container.name, input.metadata.name])
}

CIS Controls Implementation with Sentinel: Terraform Integration

HashiCorp Sentinel enforces policies on Terraform runs in HCP Terraform and Terraform Enterprise. Through the `tfplan/v2` import a policy reads the planned changes (`resource_changes`, a map keyed by resource address) and is evaluated between `terraform plan` and `terraform apply`, so a violation stops the run before the resource exists. One pitfall: `all` over the raw `resource_changes` map must be narrowed with `filter` first, otherwise every unrelated resource, and every deletion (whose `change.after` is null), fails the rule.

Example: CIS GCP 3.1 - Ensure the Default VPC Network Does Not Exist

This Sentinel policy inspects the Terraform plan for a VPC network named 'default' being created or updated. Because GCP creates the default network automatically when a project is created, a plan check alone cannot guarantee the network never exists: new `google_project` resources should set `auto_create_network = false`, and a scan of the live environment is still needed for projects created outside Terraform.

📜 Sentinel Policy for Default VPC

import "tfplan/v2" as tfplan

# Only look at VPC networks the plan creates or updates. The plan also lists
# unrelated resources and deletions (whose `after` is null); `all` over the
# raw collection would fail on each of them.
networks = filter tfplan.resource_changes as _, rc {
    rc.type is "google_compute_network" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Rule to deny the 'default' network (true when no networks are planned)
main = rule {
    all networks as _, rc {
        rc.change.after.name is not "default"
    }
}
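As an added example (not code from the original page), the same control expressed for OPA, so the check can run in any pipeline that has the plan JSON: `terraform show -json tfplan > plan.json`, then `opa eval -i plan.json -d policy.rego 'data.cis.gcp.v3_1.deny'` or `conftest test --namespace cis.gcp.v3_1 plan.json`. It also covers the `google_project` opt-out described above. The plan fragments in the tests are constructed; `resource_changes`, `address`, `change.actions` and `change.after` are the fields of Terraform's plan JSON format.

```rego
package cis.gcp.v3_1

import rego.v1

# Input is the JSON plan from `terraform show -json`. Only creates and
# updates matter; deletions carry a null `after`.
creating_or_updating(rc) if {
    some action in rc.change.actions
    action in {"create", "update"}
}

# An explicitly managed network called "default" (imported or re-created).
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "google_compute_network"
    creating_or_updating(rc)
    rc.change.after.name == "default"
    msg := sprintf("CIS GCP 3.1: %s creates or keeps the 'default' VPC network", [rc.address])
}

# GCP creates the default network itself when a project is created, so a
# new project must opt out. An absent or unknown value fails closed because
# `not undefined == false` evaluates to true.
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "google_project"
    creating_or_updating(rc)
    not rc.change.after.auto_create_network == false
    msg := sprintf("CIS GCP 3.1: %s must set auto_create_network = false", [rc.address])
}

# Constructed resource_changes entries for `opa test`.
default_network := {"address": "google_compute_network.default", "type": "google_compute_network",
    "change": {"actions": ["create"], "after": {"name": "default"}}}
deleted_default := {"address": "google_compute_network.legacy", "type": "google_compute_network",
    "change": {"actions": ["delete"], "before": {"name": "default"}, "after": null}}
app_network := {"address": "google_compute_network.app", "type": "google_compute_network",
    "change": {"actions": ["create"], "after": {"name": "app-vpc"}}}
opted_in_project := {"address": "google_project.app", "type": "google_project",
    "change": {"actions": ["create"], "after": {"project_id": "app-prod-123", "auto_create_network": true}}}
opted_out_project := {"address": "google_project.app", "type": "google_project",
    "change": {"actions": ["create"], "after": {"project_id": "app-prod-123", "auto_create_network": false}}}

test_default_network_and_opted_in_project_are_denied if {
    count(deny) == 2 with input as {"resource_changes": [default_network, opted_in_project]}
}

test_deleting_default_network_is_fine if {
    count(deny) == 0 with input as {"resource_changes": [deleted_default, app_network, opted_out_project]}
}
```

Filtering on `change.actions` is what keeps a plan that removes the default network from failing its own compliance check.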

Example: CIS Azure (Storage Accounts, section 3) - Ensure Blob Public Access is Disallowed

This policy inspects the `azurerm_storage_account` resources in a Terraform plan and blocks any that allow anonymous blob access. The exact recommendation number differs between versions of the Azure Foundations Benchmark; it sits in section 3 (Storage Accounts), not in section 5 (Logging and Monitoring). The Terraform attribute name also depends on the provider major version, as noted in the policy.

🔒 Sentinel Policy for Azure Public Blobs

import "tfplan/v2" as tfplan

# Narrow the plan to storage accounts being created or updated, so that
# unrelated resources and deletions do not fail the `all` below.
storage_accounts = filter tfplan.resource_changes as _, rc {
  rc.type is "azurerm_storage_account" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# azurerm provider 2.x exposes this as allow_blob_public_access; 3.x renamed
# it to allow_nested_items_to_be_public. Requiring an explicit false means an
# absent or unknown value yields undefined, which does not satisfy the rule,
# so the policy fails closed.
main = rule {
  all storage_accounts as _, rc {
    rc.change.after.allow_blob_public_access is false
  }
}

Security Baseline Policy Enforcement: Exception Management

No security standard fits every use case perfectly. A robust policy enforcement system must allow for documented and approved exceptions without disabling the control entirely.

🏷️ Exception via Tagging

Allow resources with a specific, approved tag to bypass a policy check. Whoever can write that tag can grant the exemption, so the IAM permission to set it must be limited to the approval process, and the policy should log the exempted resource rather than silently skipping it.

# Rego example: a resource carrying the approved tag is exempt. Each deny rule
# must check `not exempt(...)` itself; a separate `allow` rule never removes
# anything from the deny set.
exempt(resource) if resource.tags.cis_exception == "approved_case_123"

deny contains msg if {
    some trail in input.aws_cloudtrail
    not trail.is_multi_region_trail
    not exempt(trail)
    msg := sprintf("CloudTrail '%s' is not a multi-region trail.", [trail.name])
}

📄 External Data for Allow-listing

Maintain an external JSON or YAML file with a list of approved resource IDs that are exempt from a policy, and load it alongside the policy (for example with `opa eval -d exceptions.json`, or as data in the same bundle). Keeping the list outside the policy lets the exception process and the policy code have separate reviewers.

# Rego checking against external data, where exceptions.json is
# {"s3_public_access": ["bucket-a", "bucket-b"]}
import rego.v1
import data.exceptions

# A resource is a violation only if it fails the control AND is not on the
# allow-list; denying everything outside the list would fail compliant
# resources as well. `input.public_access` stands for the control's own
# violation condition.
deny contains msg if {
    input.public_access
    not input.id in exceptions.s3_public_access
    msg := sprintf("S3 bucket '%s' allows public access and is not an approved exception.", [input.id])
}
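Combining the tag and the allow-list mechanisms, here is an added example (not the page's code) for a public-access check on S3 buckets: each allow-list entry is scoped to one named check and carries an expiry date, so an exception cannot silently become permanent, and expired entries are reported instead of being ignored. The bucket shape (`name`, `block_public_access`, `tags`), the exceptions document and the pinned clock are constructed for this example.

```rego
package cis.exceptions_demo

import rego.v1

check := "s3_public_access"

# Assumed resource shape: {"name": ..., "block_public_access": bool, "tags": {...}}
violating_buckets contains bucket if {
    some bucket in input.s3_buckets
    not bucket.block_public_access
}

# Exception 1: an approved tag on the resource. Its value names the check it
# waives, so one tag cannot silence every policy.
exempt(bucket) if bucket.tags.cis_exception == check

# Exception 2: an allow-list entry in external data (loaded with
# `opa eval -d exceptions.json`), scoped to this check and not yet expired.
exempt(bucket) if {
    some ex in data.exceptions
    ex.check == check
    ex.resource == bucket.name
    time.parse_rfc3339_ns(ex.expires) > time.now_ns()
}

deny contains msg if {
    some bucket in violating_buckets
    not exempt(bucket)
    msg := sprintf("%s: bucket '%s' allows public access and has no valid exception", [check, bucket.name])
}

# Expired entries are reported so they get renewed or deleted instead of
# silently lapsing.
warn contains msg if {
    some ex in data.exceptions
    ex.check == check
    time.parse_rfc3339_ns(ex.expires) <= time.now_ns()
    msg := sprintf("exception %s for '%s' expired on %s", [ex.ticket, ex.resource, ex.expires])
}

# Constructed fixtures for `opa test`; the clock is pinned to 2024-06-14.
fixture_input := {"s3_buckets": [
    {"name": "private-logs", "block_public_access": true, "tags": {}},
    {"name": "public-site", "block_public_access": false, "tags": {"cis_exception": "s3_public_access"}},
    {"name": "old-dumps", "block_public_access": false, "tags": {}},
    {"name": "data-lake", "block_public_access": false, "tags": {}}
]}

fixture_exceptions := [
    {"check": "s3_public_access", "resource": "old-dumps", "ticket": "SEC-101", "expires": "2024-01-01T00:00:00Z"},
    {"check": "s3_public_access", "resource": "data-lake", "ticket": "SEC-202", "expires": "2025-01-01T00:00:00Z"}
]

fixture_now := time.parse_rfc3339_ns("2024-06-14T00:00:00Z")

test_only_the_bucket_without_a_valid_exception_is_denied if {
    result := deny with input as fixture_input
        with data.exceptions as fixture_exceptions
        with time.now_ns as fixture_now
    count(result) == 1
    some msg in result
    contains(msg, "'old-dumps'")
}

test_expired_exception_is_reported if {
    count(warn) == 1 with data.exceptions as fixture_exceptions with time.now_ns as fixture_now
}
```

Of the three public buckets, `public-site` is exempt by tag, `data-lake` by a live allow-list entry, and `old-dumps` is denied because its entry expired; mocking `time.now_ns` with `with` is what makes the expiry logic testable without waiting for the calendar.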

⚖️ Scoped Enforcement

Apply stricter policies to production environments while allowing more flexibility in development environments.

# Sentinel example
import "tfplan/v2" as tfplan

is_prod = rule {
    tfplan.variables.environment.value is "production"
}

# Only enforce in production: when the `when` condition is false the rule
# evaluates to true, so non-production plans pass.
main = rule when is_prod { ... }

💡 CIS Hardening Automation: Production Best Practices

  • Start with a Subset: Don't try to implement an entire CIS Benchmark at once. Start with the top 10-20 most critical controls.
  • Use Libraries: Leverage open-source policy libraries (e.g., the OPA Gatekeeper library or published CIS policy sets for Conftest and Sentinel) as a starting point rather than writing everything from scratch, but review each rule against the benchmark text before trusting it; control numbers and semantics shift between benchmark versions.
  • Prioritize Prevention: Integrate checks into CI/CD pipelines so non-compliant infrastructure is never deployed: run `terraform plan -out=tfplan`, convert it with `terraform show -json tfplan`, and evaluate the JSON with `opa eval`, `conftest test` or a Sentinel policy set before `terraform apply`.
  • Make Violations Actionable: Ensure policy failure messages are clear, reference the specific CIS control number, and explain how to fix the issue.
  • Version Your Policies: Treat your CIS policies as code. Store them in Git, version them, and have a review process for changes.
  • Balance Enforcement and Flexibility: Implement a clear and auditable exception process. A system with no flexibility is a system that will be bypassed.
  • Combine with Detection: Use CI/CD for prevention, but also run the same policies against your live environment to detect configuration drift and manual changes.