Last updated on Thursday, December 28, 2023, 14:33:47 GMT

The Center for Internet Security (CIS) recently released version two of their AWS Benchmark. CIS AWS Benchmark 2.0.0 brings two new recommendations and eliminates one from the previous version. The update also includes some minor formatting changes to certain recommendation descriptions.

In this post, we’ll talk a little bit about the “why” behind these changes. We’ll also look at how to use InsightCloudSec’s new, out-of-the-box compliance pack to implement and enforce the benchmark’s recommendations.

What’s new, what’s changed, and why

Version 2.0.0 of the CIS AWS Benchmark includes two new recommendations:

  • Ensure access to AWSCloudShellFullAccess is restricted
    An important addition by CIS, this recommendation focuses on restricting access to the AWSCloudShellFullAccess policy, which presents a potential path for data exfiltration by malicious cloud admins who are given full permissions to the service. AWS’s documentation describes how to create a more restrictive IAM policy that denies file transfer permissions.
  • Ensure that the EC2 Metadata Service only allows IMDSv2
    Users should be using IMDSv2 to avoid leaving your EC2 instances susceptible to Server-Side Request Forgery (SSRF) attacks, a serious weakness of IMDSv1.
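
To show what auditing both new recommendations looks like in practice, here is an added example (not Rapid7’s, CIS’s or AWS’s code). It assumes the shape of an `aws ec2 describe-instances` response, where `MetadataOptions.HttpTokens` is `required` only when IMDSv2 is enforced, and that the two CloudShell file-transfer actions denied in the AWS CloudShell documentation are `cloudshell:GetFileDownloadUrls` and `cloudshell:GetFileUploadUrls`; the instance data and deny policy below are constructed samples.

```python
import fnmatch

# Constructed sample shaped like an `aws ec2 describe-instances` response (not real account data).
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111example", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0bbb222example", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ccc333example", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

# The two CloudShell actions behind file upload/download; the AWS CloudShell docs deny exactly these.
CLOUDSHELL_FILE_TRANSFER_ACTIONS = frozenset({"cloudshell:GetFileDownloadUrls", "cloudshell:GetFileUploadUrls"})

# Constructed deny policy following the pattern in the AWS CloudShell documentation.
DENY_CLOUDSHELL_FILE_TRANSFER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUploadDownload", "Effect": "Deny", "Action": sorted(CLOUDSHELL_FILE_TRANSFER_ACTIONS), "Resource": "*"}]}

def imdsv1_exposed_instances(describe_instances: dict) -> list:
    """Instance ids whose metadata endpoint is enabled but HttpTokens is not 'required' (IMDSv1 still accepted).
    A disabled endpoint has no IMDS surface at all, so it is not reported."""
    exposed = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed

def denies_cloudshell_file_transfer(policy: dict) -> bool:
    """True if an unconditional explicit Deny on Resource '*' covers both CloudShell file-transfer actions.
    Accepts Action/Resource as string or list and IAM wildcards (e.g. 'cloudshell:GetFile*');
    statements carrying a Condition are skipped because their effect depends on request context."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    covered = set()
    for stmt in statements:
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") != "Deny" or "Condition" in stmt or "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            # IAM matches action names case-insensitively; fnmatch supplies the '*' and '?' wildcards.
            covered |= {a for a in CLOUDSHELL_FILE_TRANSFER_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return covered == set(CLOUDSHELL_FILE_TRANSFER_ACTIONS)
```

In a live audit you would feed the parsed output of `aws ec2 describe-instances` and the JSON of each policy attached to CloudShell users into these two functions instead of the constructed samples.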

The update also included the removal of the previous recommendation:

  • Ensure all S3 buckets employ encryption-at-rest
    This recommendation was removed because AWS now encrypts all new objects by default as of January 2023. It’s important to note that this only applies to newly created S3 buckets. So, if you’ve got some buckets that have been kicking around for a while, make sure they are employing encryption-at-rest and that it cannot be inadvertently turned off at some point down the line.

Along with these changes, CIS also made a few minor changes related to the wording in some of the benchmark titles and descriptions.

How can ICS help me implement this in my environment?

Available as a compliance pack within InsightCloudSec right out-of-the-box, Rapid7 makes it easy for teams to scan their AWS environments for compliance against the recommendations and controls outlined in the CIS AWS Benchmark. If you’re not yet using InsightCloudSec today, be sure to check out the documentation page here, which will guide you through getting started with the platform.

Once you’re up and running, scoping your compliance assessment to a specific pack is as easy as 4 clicks. First, from the Compliance Summary page you’ll want to select your desired benchmark. In this case, of course, that’s CIS AWS Benchmark 2.0.0.


From there, we can select the specific cloud or clouds we want to scan.


And because we’ve got our badging and tagging strategies in order (right…….RIGHT?!), we can drill down further. For this example, let’s focus on the production environment.


You’ll get some trending insights that show how your organization as a whole, as well as how specific teams and accounts are doing and whether or not you’re seeing the improvement over time.


Finally, if you’ve got a number of cloud accounts and/or clusters running across your environment, you can even narrow the scope down to that level. In this case, we’ll select all.


Once you’ve set your filters, you can apply them and get real-time insight into how well your organization is adhering to the CIS AWS Benchmark. As with the other compliance packs, you can see your current compliance score overall along with a breakdown of the risk level associated with each instance of non-compliance.


As you can see, it’s fairly simple to assess your cloud environment for compliance with the CIS AWS Benchmark with a cloud security tool like InsightCloudSec. If you’re just starting your cloud security journey or aren’t really sure where to start, utilizing an out-of-the-box compliance pack is a great way to set a foundation to build off of.

In fact, Rapid7 recently partnered with AWS to help organizations in that very situation. Using a combination of market-leading technology and hands-on expertise, our AWS Cloud Risk Assessment provides a point-in-time understanding of your entire AWS cloud footprint and its security posture.

During the assessment, our experts will inspect your cloud environment for more than 100 distinct risks and misconfigurations, including publicly exposed resources, lack of encryption, and user accounts not utilizing multi-factor authentication. At the end of the assessment, your team will receive an executive-level report aligned to the AWS Foundational Security Best Practices, participate in a readout call, and discuss next steps for executing your cloud risk mitigation program alongside experts from Rapid7 and our services partners.