CIS AWS Benchmark v1.4.0
Best for: Teams running AWS workloads that need a prescriptive security baseline. CIS benchmarks are routinely cited in SOC 2, FedRAMP, and PCI DSS audits as hardening evidence. v1.4.0 applies to teams that have not yet migrated to v1.5.0 or later. Financial services, healthcare, and government contractors favor CIS because auditors recognize the benchmarks. No revenue or size threshold applies; even a single AWS account benefits from this baseline.
Center for Internet Security (CIS) · CIS AWS Benchmark v1.4.0 · Official source
Get Started
module "..." {
source = "cis.compliance.tf/terraform-aws-modules/<module>/aws"
version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- CloudTrail Logging and Integrity: Runs automated checks for multi-region trail enablement, log file validation, KMS CMK encryption, and CloudWatch Logs integration. Covers 9 controls in the CloudTrail configuration category including S3 data event logging for both read and write operations.
- CloudTrail S3 Bucket Security: Validates public access block settings, server access logging, and MFA Delete status on CloudTrail log buckets. Bucket policy and ACL configurations are evaluated against the CIS 3.3 requirements.
- Encryption at Rest (EBS): Evaluates encryption status of all EBS volumes, both attached and detached. Flags unencrypted volumes and checks whether default EBS encryption is enabled at the account and region level.
- AWS Config Enablement: Checks whether AWS Config is enabled across all regions and whether the configuration recorder is delivering logs successfully. Recorder status and delivery channel health are both evaluated.
- Account and IAM Configuration: Flags missing security contact registration, stale account contact details, and EC2 instances without IAM instance profiles attached. Identifies instances relying on embedded credentials.
What you handle
- CloudTrail Logging and Integrity: Log retention policies, alerting on CloudWatch metric filters (CIS Section 4 controls), and the incident response process that consumes CloudTrail data are out of scope for automated checks.
- CloudTrail S3 Bucket Security: Enabling MFA Delete requires root credentials and a manual step that cannot be automated. Lifecycle policies for log archival and cross-account log aggregation architecture must be designed separately.
- Encryption at Rest (EBS): Migrating existing unencrypted volumes requires creating encrypted snapshots and replacing volumes. KMS key policies, key rotation configuration, and cross-account key sharing require manual setup.
- AWS Config Enablement: Custom AWS Config rules for organization-specific policies, Config aggregator setup for multi-account environments, and acting on Config compliance findings are outside what automated checks cover.
- Account and IAM Configuration: compliance.tf can detect whether a contact field is populated, not whether the information is current. IAM policy least-privilege reviews and root account MFA configuration require manual attention.
Controls by Category
Section 1: Identity and Access Management (1 control)
Account contact information looks administrative, but auditors treat it as a security control: AWS uses those contacts during incident response, so stale or missing entries are a finding. For EC2, the question is whether instances rely on embedded access keys instead of instance profiles. Control 1.14 (security questions) is deprecated because AWS removed the feature.
Section 2: Storage - Encryption at Rest (2 controls)
All EBS volumes, attached and unattached, must be encrypted. Enabling default EBS encryption at the account level per region is the cleanest fix, covering all new volumes automatically. Auditors will flag volumes that predate that setting, and they may trace snapshot lineage since snapshots created from unencrypted volumes are also unencrypted.
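The Section 2 check as a worked example (added here, not compliance.tf code): it takes per-region output in the shape of the EC2 describe_volumes, describe_snapshots and get_ebs_encryption_by_default API responses, flags unencrypted volumes whether attached or detached, reports regions without default encryption, and traces unencrypted snapshots back to their source volume. The sample data is constructed.

```python
from typing import Dict, List

# Constructed sample: region -> API output shaped like the boto3 responses.
SAMPLE = {
    "us-east-1": {
        "EbsEncryptionByDefault": True,
        "Volumes": [
            {"VolumeId": "vol-aaa", "Encrypted": True, "State": "in-use"},
            # Created before default encryption was switched on, so still plaintext.
            {"VolumeId": "vol-bbb", "Encrypted": False, "State": "available"},
        ],
        "Snapshots": [
            {"SnapshotId": "snap-111", "Encrypted": False, "VolumeId": "vol-bbb"},
        ],
    },
    "eu-west-1": {
        "EbsEncryptionByDefault": False,
        "Volumes": [{"VolumeId": "vol-ccc", "Encrypted": False, "State": "in-use"}],
        "Snapshots": [],
    },
}


def evaluate_region(region: str, data: Dict) -> List[str]:
    """Return finding strings for one region; an empty list means it passes."""
    findings = []
    if not data.get("EbsEncryptionByDefault"):
        findings.append(f"{region}: default EBS encryption disabled")
    unencrypted = {v["VolumeId"] for v in data["Volumes"] if not v.get("Encrypted")}
    for v in data["Volumes"]:
        if v["VolumeId"] in unencrypted:
            # State tells attached (in-use) from detached (available); CIS wants both encrypted.
            findings.append(f"{region}: {v['VolumeId']} unencrypted ({v['State']})")
    for s in data["Snapshots"]:
        if not s.get("Encrypted"):
            # Snapshot lineage: an unencrypted snapshot usually came from an unencrypted volume.
            origin = ("from unencrypted volume" if s.get("VolumeId") in unencrypted
                      else "source volume not in inventory")
            findings.append(f"{region}: {s['SnapshotId']} unencrypted snapshot ({origin})")
    return findings


def evaluate_account(regions: Dict) -> Dict[str, List[str]]:
    """Run the check over every region; the account passes only if all lists are empty."""
    return {r: evaluate_region(r, d) for r, d in regions.items()}
```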
Section 3: Logging - CloudTrail Configuration (4 controls)
This is the largest control group and the one where auditors spend the most time. They verify that at least one trail captures management events across all regions, that S3 data events are logged for both read and write operations, and that log file integrity validation is enabled. Common failures: trails configured for a single region, missing CloudWatch Logs integration (CIS 3.4), and trails using default SSE-S3 encryption instead of a KMS CMK. Auditors request screenshots or API output from 'aws cloudtrail describe-trails' and 'aws cloudtrail get-trail-status'.
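The trail checks above as a worked example (added here, not compliance.tf code): it evaluates records shaped like the merged output of describe-trails, get-trail-status and get-event-selectors against the Section 3 requirements the auditors verify. Control numbers follow CIS v1.4.0 Section 3; classic event selectors only (advanced selectors are not handled); the two trails are constructed samples.

```python
from typing import Dict, List

# Constructed sample: a compliant multi-region trail and a legacy single-region one.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:ct:*",
        "Status": {"IsLogging": True},  # from get-trail-status
        "EventSelectors": [{  # from get-event-selectors
            "ReadWriteType": "All", "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
        }],
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "Status": {"IsLogging": True},
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                            "DataResources": []}],
    },
]


def evaluate_trail(trail: Dict) -> List[str]:
    """Return CIS finding labels for one trail; an empty list means it passes."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("3.1 not multi-region")
    if not trail.get("Status", {}).get("IsLogging"):
        findings.append("3.1 trail not logging")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("3.2 log file validation disabled")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("3.4 no CloudWatch Logs integration")
    if not trail.get("KmsKeyId"):
        findings.append("3.7 not encrypted with a KMS CMK (default SSE-S3)")
    # S3 data events must cover both reads and writes: ReadWriteType "All" on an S3 resource.
    s3_all = any(sel.get("ReadWriteType") == "All"
                 and any(r.get("Type") == "AWS::S3::Object" for r in sel.get("DataResources", []))
                 for sel in trail.get("EventSelectors", []))
    if not s3_all:
        findings.append("3.10/3.11 S3 read+write data events not logged")
    return findings


def account_passes(trails: List[Dict]) -> bool:
    """At least one fully compliant trail satisfies the account-level requirement."""
    return any(not evaluate_trail(t) for t in trails)
```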
Additional Controls (17)
AWS IAM (4)
AWS KMS (1)
Amazon EC2 (1)
Amazon RDS (1)
Amazon S3 (10)
Related Frameworks
Frequently Asked Questions
CIS v1.4.0 is deprecated. Should I migrate to v1.5.0, v2.0.0, or v3.0.0?
Unless your auditor or customer contract specifies an intermediate version, go directly to v3.0.0. It reflects current AWS services and deprecates controls that no longer apply. The gap from v1.4.0 is real: sections were restructured and new EKS and networking controls were added, so budget time for a gap analysis. If you need a smaller step, v1.5.0 is the closest upgrade with roughly 90% overlap.
Is CIS certification required, or is this self-assessed?
CIS benchmarks are self-assessed. There is no CIS certification body or formal audit process. Organizations run benchmark scans using tools like Prowler, Steampipe, or compliance.tf and present results to auditors during SOC 2, ISO 27001, or PCI DSS assessments. Some contracts require CIS benchmark compliance as an obligation, but enforcement runs through the contracting party, not CIS.
What is the difference between Level 1 and Level 2 controls?
Level 1 controls are the 50 baseline settings in this mapping: broadly applicable, minimal operational impact. Level 2 adds defense-in-depth measures that may restrict functionality or require more implementation effort, such as VPC flow logging on all VPCs or detailed IAM password policy settings. Most organizations implement Level 1 first and layer in Level 2 controls over time.
How long does it take to reach full compliance with CIS v1.4.0 Level 1?
For a single AWS account with a moderate existing security posture, expect 2 to 4 weeks of engineering effort. The time sinks are usually CloudTrail S3 data events (cost implications at scale), remediating existing unencrypted EBS volumes, and enabling AWS Config in every region. Greenfield accounts built with infrastructure-as-code can reach compliance in days by baking controls into Terraform modules from the start.
Does running compliance.tf checks satisfy the CIS benchmark requirement, or do I need additional evidence?
For internal governance, scan results showing configurations meet CIS specifications are usually sufficient. External auditors may also ask for remediation process documentation, change management records showing when controls were enabled, and evidence that scans run on a defined schedule. Keep historical scan results; point-in-time screenshots don't demonstrate continuous compliance.