How to Achieve CIS Compliance for AWS EC2



CIS compliance is crucial for establishing strong security controls and safeguarding your cloud infrastructure against cyber threats. Pulumi can help you identify existing cloud resources that are not in compliance, and it can also enforce compliance policies proactively before infrastructure is deployed. Get started with Pulumi to use these compliance tools or speak with a Solutions Architect to get an expert consultation.

What is CIS Compliance?

CIS (Center for Internet Security) compliance means adhering to the security best practices published by the CIS, a nonprofit organization that develops globally recognized security standards. These best practices take two forms: the CIS Controls, a prioritized set of safeguards that apply to any organization, and the CIS Benchmarks, prescriptive configuration baselines for specific technologies such as operating systems, cloud services (including AWS), network devices, and software.

Key Aspects of CIS Compliance

  • Implementation of Controls: Start by implementing the CIS Controls relevant to your organization's size and risk profile.
  • Use CIS Benchmarks: Configure your systems and applications according to CIS Benchmarks.
  • Regular Audits: Continuously monitor and audit your systems to ensure ongoing compliance with CIS recommendations.
  • Automation Tools: Consider using CIS-CAT (CIS Configuration Assessment Tool) or other automation tools to assess and enforce compliance across your infrastructure.

Benefits of CIS Compliance

  • Standardized Security: Ensures that your organization follows industry-recognized security best practices.
  • Risk Reduction: Helps in reducing the attack surface by implementing critical security controls.
  • Compliance with Other Standards: CIS Controls and Benchmarks map to the requirements of other frameworks such as PCI DSS, the NIST Cybersecurity Framework, and ISO/IEC 27001, so meeting them moves you toward several compliance goals at once.
  • Improved Incident Response: By implementing CIS Controls, organizations are better equipped to detect, respond to, and recover from security incidents.

Pulumi Insights

Use Pulumi Insights to gain visibility into your cloud infrastructure's configuration to assess CIS compliance. Pulumi Insights is Intelligent Cloud Management. It helps you gain security, compliance, and cost insights into the entirety of your organization's cloud assets and automatically remediate issues.

Pulumi Copilot

Use Pulumi Copilot to help configure your infrastructure so that it is compliance ready. You can tap into Pulumi Copilot's understanding of your organization's context to gain visibility into the configuration of resources and assess their compliance.

Compliance Ready Policies

With comprehensive coverage of AWS, Pulumi Compliance Ready Policies provide an enhanced level of control and governance over your cloud resources. Pulumi Compliance Ready Policies empower you to enforce best practices, security standards, cost controls, and compliance requirements seamlessly within your infrastructure-as-code workflows.

What are EC2 resources?

Amazon EC2 (Elastic Compute Cloud) is a web service that provides scalable computing capacity in the cloud, allowing users to run virtual servers on-demand. It offers server instances, storage, and networking options to tailor the infrastructure to specific application needs.

What controls can I put in place to evaluate EC2 resources?

  • Amazon EBS snapshots should not be publicly restorable
  • VPC default security groups should not allow inbound or outbound traffic
  • Attached Amazon EBS volumes should be encrypted at-rest
  • Stopped EC2 instances should be removed after a specified time period
  • VPC flow logging should be enabled in all VPCs
  • EBS default encryption should be enabled
  • EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
  • Amazon EC2 instances should not have a public IPv4 address
  • Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service
  • Unused Amazon EC2 EIPs should be removed
  • Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
  • Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
  • Amazon EC2 subnets should not automatically assign public IP addresses
  • Unused Network Access Control Lists should be removed
  • Amazon EC2 instances should not use multiple ENIs
  • Security groups should only allow unrestricted incoming traffic for authorized ports
  • Security groups should not allow unrestricted access to ports with high risk
  • Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
  • Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
  • Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
  • Amazon EC2 paravirtual instance types should not be used
  • Amazon EC2 launch templates should not assign public IPs to network interfaces
  • EBS volumes should be covered by a backup plan
  • EC2 transit gateway attachments should be tagged
  • EC2 transit gateway route tables should be tagged
  • EC2 network interfaces should be tagged
  • EC2 customer gateways should be tagged
  • EC2 Elastic IP addresses should be tagged
  • EC2 instances should be tagged
  • EC2 internet gateways should be tagged
  • EC2 NAT gateways should be tagged
  • EC2 network ACLs should be tagged
  • EC2 route tables should be tagged
  • EC2 security groups should be tagged
  • EC2 subnets should be tagged
  • EC2 volumes should be tagged
  • Amazon VPCs should be tagged
  • Amazon VPC endpoint services should be tagged
  • Amazon VPC flow logs should be tagged
  • Amazon VPC peering connections should be tagged
  • EC2 VPN gateways should be tagged
  • EC2 Client VPN endpoints should have client connection logging enabled
  • EC2 transit gateways should be tagged
  • EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports
  • EC2 security groups should not allow ingress from ::/0 to remote server administration ports
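Several of the controls above reduce to a property check on a single resource, which is exactly what a Pulumi CrossGuard resource validation policy does. The following is an added example, not Pulumi's own policy code: it implements four of the checks (open ingress to ports 22/3389 from 0.0.0.0/0 or ::/0, IMDSv2 required and no public IPv4 on instances, EBS volume encryption, and subnets that auto-assign public IPs) as pure functions over the resource's input properties, using the camelCase property names and type tokens the Pulumi AWS provider exposes to a policy's `args.props` and `args.type`. The sample resources at the bottom are constructed for illustration, and the `PolicyPack` registration is omitted so the file runs offline.

```python
"""Validation functions for a few of the EC2 controls listed above, written
against the camelCase property names the Pulumi AWS provider reports to a
CrossGuard policy (ResourceValidationArgs.props).  Only the pure checks are
here; the PolicyPack registration is left out so the file runs offline."""
from typing import Any, Callable, Dict, List

ADMIN_PORTS = (22, 3389)            # remote server administration ports
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
Props = Dict[str, Any]


def _rule_reaches_port(rule: Props, port: int) -> bool:
    """An ingress rule admits `port` when its protocol is -1 (all traffic)
    or when the port lies inside [fromPort, toPort]. A 0-65535 range, which is
    how a permissive rule usually escapes a naive equality check, is caught."""
    if str(rule.get("protocol", "")) == "-1":
        return True
    lo = int(rule.get("fromPort") or 0)
    hi = int(rule.get("toPort") or 0)
    return lo <= port <= hi


def check_security_group(props: Props) -> List[str]:
    """Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to
    remote server administration ports."""
    findings = []
    for rule in props.get("ingress") or []:
        sources = set(rule.get("cidrBlocks") or []) | set(rule.get("ipv6CidrBlocks") or [])
        world = sorted(sources & {ANY_V4, ANY_V6})
        if not world:
            continue
        for port in ADMIN_PORTS:
            if _rule_reaches_port(rule, port):
                findings.append(f"ingress from {', '.join(world)} reaches port {port}")
    return findings


def check_instance(props: Props) -> List[str]:
    """EC2 instances should require IMDSv2 and not receive a public IPv4."""
    findings = []
    md = props.get("metadataOptions") or {}
    # If metadataOptions is absent, httpTokens falls back to the provider/AMI
    # default, which is not guaranteed to be "required": treat as a finding.
    if md.get("httpEndpoint", "enabled") != "disabled" and md.get("httpTokens") != "required":
        findings.append("metadataOptions.httpTokens must be 'required' (IMDSv2 only)")
    if props.get("associatePublicIpAddress") is True:
        findings.append("associatePublicIpAddress must not be true")
    return findings


def check_volume(props: Props) -> List[str]:
    """Attached EBS volumes should be encrypted at rest."""
    return [] if props.get("encrypted") is True else ["encrypted must be true"]


def check_subnet(props: Props) -> List[str]:
    """Subnets should not automatically assign public IP addresses."""
    return ["mapPublicIpOnLaunch must be false"] if props.get("mapPublicIpOnLaunch") else []


# Pulumi type tokens for the resources each check applies to.
CHECKS: Dict[str, Callable[[Props], List[str]]] = {
    "aws:ec2/securityGroup:SecurityGroup": check_security_group,
    "aws:ec2/instance:Instance": check_instance,
    "aws:ebs/volume:Volume": check_volume,
    "aws:ec2/subnet:Subnet": check_subnet,
}


def evaluate(resource_type: str, props: Props) -> List[str]:
    """Dispatch on the Pulumi type token; resources without a check pass."""
    check = CHECKS.get(resource_type)
    return check(props) if check else []


if __name__ == "__main__":
    # Constructed sample resources: the first of each pair is non-compliant,
    # the second shows the corrected configuration.
    samples = [
        ("aws:ec2/securityGroup:SecurityGroup", {"ingress": [
            {"protocol": "tcp", "fromPort": 0, "toPort": 65535, "ipv6CidrBlocks": [ANY_V6]}]}),
        ("aws:ec2/securityGroup:SecurityGroup", {"ingress": [
            {"protocol": "tcp", "fromPort": 22, "toPort": 22, "cidrBlocks": ["10.0.0.0/8"]}]}),
        ("aws:ec2/instance:Instance", {"associatePublicIpAddress": True}),
        ("aws:ec2/instance:Instance", {"metadataOptions": {"httpTokens": "required"}}),
        ("aws:ebs/volume:Volume", {"size": 20}),
        ("aws:ebs/volume:Volume", {"size": 20, "encrypted": True}),
    ]
    for typ, props in samples:
        print(typ, evaluate(typ, props) or "compliant")
```

In a real policy pack each function would be the body of a `validateResourceOfType`-style validation that calls `reportViolation` for every string returned, so `pulumi preview` fails before the non-compliant resource is created. The security group check deliberately treats a `0-65535` range and protocol `-1` as reaching port 22 and 3389; a check that only compares `fromPort == 22` misses both, which is the most common way an "open SSH" rule slips past a home-grown policy.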

Speak to a Solutions Architect to implement policy as code to manage EC2 resources for CIS compliance.
