How To

Real-time AWS v3.0.0 CIS Benchmark assessments

Assess your security posture with automated AWS CIS v3.0.0 assessments that provide real-time dashboard updates and instant alerts.

Turbot Team
5 min. read - May 15, 2024

Center for Internet Security (CIS) benchmarks for AWS are widely used by cloud teams as guidance to configure their AWS accounts securely. The latest iteration, AWS CIS v3.0.0, includes over 60 recommendations to evaluate your posture against best practices.

Turbot Guardrails now supports the AWS CIS v3.0.0 Benchmark. Use it to enable continuous monitoring of your cloud environment's security posture, and to ensure compliance with industry standards as resources are created and modified.

Go beyond CIS reporting with Guardrails

Traditional compliance assessments rely on periodic scans of your environment, which only give you a point-in-time view of your security posture. But the cloud is dynamic: resources change rapidly, and misconfigurations and security gaps can appear at any time between scans.

Turbot Guardrails evaluates your AWS resources against the CIS v3.0.0 Benchmark in real-time. As resources are created or modified, Guardrails instantly assesses them for compliance and provides a view of your security posture that's always current.

Key Features of Turbot Guardrails' CIS Benchmark controls:

  1. Instant Evaluation. As new AWS resources are created or modified, Guardrails immediately assesses them against the relevant CIS controls, providing instant feedback on your compliance status.
  2. Real-time Alerts. Stay informed about critical changes in your compliance posture with real-time alerts. Guardrails can send notifications to Slack, MS Teams, and email, so you and your team always know when benchmarks aren't green.
  3. Take action. By default, Guardrails will alert on misconfigurations. You can use Guardrails' quick actions to fix mistakes, and you can set continuous enforcement.
  4. Controlled Attestations. Some CIS controls are manual and require attestations. Track evidence of your reviews and set reminders to re-evaluate the control next audit period.
  5. Set Exceptions. Not all organizations require every CIS Benchmark recommendation. Set time-based exceptions to ignore recommendations per account or per resource when not applicable.
  6. Comprehensive Reporting. See an always up-to-date view of your compliance status, from sections of the benchmark to per-resource compliance, in the Guardrails console. Generate detailed reports, including CSV exports for easy sharing and analysis.

How to monitor AWS CIS v3.0.0 using Guardrails

Install the AWS CIS mods

To get started, install the @turbot/cis and the @turbot/aws-cisv3-0 mods.

Enable the AWS CIS Benchmark

Once installed, set the policy for AWS > CIS v3.0 to Check: All CIS Benchmarks.

Enable AWS CIS v3.0.0 Policy

Guardrails will immediately assess all applicable resources for compliance with AWS CIS Benchmark v3.0.0.

AWS CIS v3.0.0 Benchmark

Assess your CIS adherence

See control status for each benchmark section.

AWS CIS v3.0.0 S3 recommendations

In this example, 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)', we can see that the AWS S3 buckets are reporting in ALARM and OK states.

AWS CIS v3.0.0 2.1.4 recommendation

In some cases you may need to suppress or ignore the control on a resource. With any Guardrails policy you can set time-based exceptions for one or many resources.

AWS CIS v3.0.0 Exception

In this case we set the policy to Skip the acme-demo-5 bucket for 30 days. This bucket now shows it's in a skipped state and will be reassessed automatically after the expiration period.
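To make the evaluation and exception flow above concrete, here is an added, self-contained Python example (not Guardrails code, and not calling the Guardrails API). It evaluates control 2.1.4 per bucket from the four flags that make up "Block public access (bucket settings)", using the same keys the S3 API returns in a PublicAccessBlockConfiguration, and applies a time-based Skip exception that lapses after 30 days so the bucket is reassessed. The bucket names and their settings are constructed sample data, and the `SkipException` and `demo` helpers are hypothetical names chosen for this example.

```python
"""Constructed example: CIS AWS v3.0.0 control 2.1.4 (bucket-level Block
Public Access) evaluated per bucket, with a time-boxed Skip exception.
Not Guardrails code; it models the workflow described in the post."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The four settings behind "Block public access (bucket settings)".
# Same keys as the PublicAccessBlockConfiguration returned by the S3 API.
REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class SkipException:
    """Hypothetical model of a time-based Skip exception on one bucket."""
    bucket: str
    expires_at: datetime  # exception no longer applies from this instant on


def check_block_public_access(config: dict | None) -> tuple[str, str]:
    """Return (state, reason) for one bucket's PublicAccessBlockConfiguration.

    config is the dict shape the S3 API returns, or None when the bucket has
    no configuration at all (every flag then effectively defaults to False).
    """
    if config is None:
        return "ALARM", "no public access block configuration"
    missing = [flag for flag in REQUIRED_FLAGS if not config.get(flag, False)]
    if missing:
        return "ALARM", "not enabled: " + ", ".join(missing)
    return "OK", "all four block public access settings enabled"


def evaluate(bucket: str, config: dict | None,
             exceptions: list[SkipException], now: datetime) -> dict:
    """Apply any unexpired Skip exception before running the control.

    A skipped bucket reports SKIPPED until its exception expires; after that
    it is reassessed automatically, as described for acme-demo-5 above.
    """
    for exc in exceptions:
        if exc.bucket == bucket and now < exc.expires_at:
            return {"bucket": bucket, "control": "2.1.4", "state": "SKIPPED",
                    "reason": f"exception until {exc.expires_at.isoformat()}"}
    state, reason = check_block_public_access(config)
    return {"bucket": bucket, "control": "2.1.4", "state": state, "reason": reason}


# Constructed inventory (sample data, not real accounts): name -> configuration.
SAMPLE_BUCKETS: dict[str, dict | None] = {
    "acme-demo-4": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "acme-demo-5": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "acme-demo-6": None,  # newly created bucket with no configuration yet
}


def run_assessment(buckets: dict[str, dict | None],
                   exceptions: list[SkipException], now: datetime) -> dict[str, str]:
    """Evaluate every bucket in the inventory; returns {bucket: state}."""
    return {name: evaluate(name, cfg, exceptions, now)["state"]
            for name, cfg in buckets.items()}


def demo(days_elapsed: int = 0) -> dict[str, str]:
    """Assess the sample inventory days_elapsed days after a 30-day Skip
    exception was set on acme-demo-5. Returns {bucket: state}."""
    set_at = datetime(2024, 5, 15, tzinfo=timezone.utc)
    exceptions = [SkipException("acme-demo-5", set_at + timedelta(days=30))]
    return run_assessment(SAMPLE_BUCKETS, exceptions,
                          set_at + timedelta(days=days_elapsed))


if __name__ == "__main__":
    for bucket, state in demo(0).items():          # while the exception is active
        print(f"{bucket}: {state}")
    print("acme-demo-5 after 31 days:", demo(31)["acme-demo-5"])  # reassessed
```

In a live setting the `config` argument would come from the S3 API's get-public-access-block call for each bucket (a missing configuration is reported as an error there and maps to `None` here); the point of the example is that the control is a pure function of the four flags, and that an exception is a dated override evaluated before the control rather than a change to the control itself.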

AWS CIS v3.0.0 Skipped Recommendation

Instant AWS CIS alerts

When creating or updating cloud resources, Guardrails instantly provides feedback on the state of the recommendation. In this example we created acme-demo-6, which was instantly discovered and evaluated for CIS compliance.

AWS CIS v3.0.0 Alert

Beyond alerts in the Turbot Guardrails console, you and your team members can subscribe to alerts via email, MS Teams or Slack.

AWS CIS v3.0.0 Alert in Slack

Take action on your CIS alerts

Guardrails quick actions provide direct links to the Guardrails console where you can immediately apply fixes. This enables workflows that keep human approvers in the loop.

AWS CIS v3.0.0 Guardrails Quick Action

In Instant AWS CIS v3.0.0 Benchmark compliance, we show how you can go further by setting guardrails that continuously enforce CIS recommendations with no human intervention.

See it in action

Level up your security posture with Guardrails

Elevate your compliance game with Turbot Guardrails and experience real-time adherence to the AWS CIS v3.0.0 Benchmark. With real-time awareness of your security posture, and flexible reporting, Guardrails makes it quick and easy to address any deviation from best practices.

Turbot Guardrails also supports assessments for Azure and GCP. Try all the CIS Benchmarks, using the 14-day free trial, to gain instant feedback on your adherence to CIS recommendations.