Skip to content

CIS AWS Benchmark v5.0.0

Best for: Any organization running workloads on AWS that wants a recognized security baseline. CIS benchmarks are referenced by auditors across SOC 2, FedRAMP, PCI DSS, and HIPAA engagements as evidence of configuration hardening. If your company undergoes third-party security assessments, auditors will frequently map findings back to CIS controls.

Mandatory?Voluntary security baseline
Who validates?Self-assessment or third-party
RenewalNo fixed cycle
ScopeAWS cloud environments; three Implementation Groups (IGs)

๐Ÿ› Center for Internet Security (CIS) ยท CIS AWS Benchmark v5.0.0 Official source โ†’

Get Started

module "..." {
  source  = "cisv500.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • CloudTrail Configuration: Validates multi-region trail enablement, read/write event capture, S3 data event logging, object-level read and write event logging, log file validation, KMS CMK encryption, and trail bucket protections including access logging and MFA Delete. Ten controls total.
    • EBS Encryption at Rest: Checks that EBS encryption by default is enabled at the account level, that all attached volumes are encrypted, and that encryption at rest is enforced across all EBS volumes. Three controls.
    • EC2 Instance Security: Runs 3 controls verifying that IAM instance profiles are attached to all EC2 instances, including publicly accessible ones, and that IMDSv2 is enforced.
    • AWS Config Coverage: Confirms AWS Config is enabled across all regions and that the configuration recorder has no failed log deliveries. Two controls.
    • Account Contact Information: Runs 2 controls checking that a security alternate contact is registered and that account contact details are maintained.

  • What you handle

    • CloudTrail Configuration: Defining alerting thresholds on CloudTrail log anomalies, integrating with SIEM, and establishing incident response procedures when tampering is detected.
    • EBS Encryption at Rest: Migrating pre-existing unencrypted volumes, selecting appropriate KMS key policies, and documenting key ownership and rotation schedules.
    • EC2 Instance Security: Reviewing the actual IAM policies attached to instance profiles for least privilege. compliance.tf confirms a profile exists but does not evaluate the breadth of permissions granted.
    • AWS Config Coverage: Defining and maintaining AWS Config rules for your specific compliance requirements, managing Config rule remediation actions, and budgeting for Config recording costs at scale.
    • Account Contact Information: Periodically validating that the contact information is accurate and that named contacts are still employed and reachable. This requires a manual process outside of automated scanning.

Controls by Category

Data Protection and Encryption (2 controls)

Account-level EBS encryption defaults must be enabled in every region, and all existing volumes need to be encrypted, not just new ones. The most common gap is legacy volumes created before the account-level default was turned on. Migrating them requires creating encrypted snapshots and replacing the original volumes, which teams routinely defer.

Attached EBS volumes should have encryption enabled compliance.tf module EBS volume encryption at rest should be enabled compliance.tf module

Identity and Access Management (2 controls)

The key check here is whether EC2 instances rely on IAM instance profiles rather than embedded long-term credentials, and whether IMDSv2 token-based access is enforced to block SSRF-based credential theft. Common finding: instances launched from older AMIs or launch templates still default to IMDSv1.

EC2 instances should have IAM profile attached compliance.tf module EC2 instances should use IMDSv2 compliance.tf module

Logging and Monitoring (3 controls)

This is the largest control group in CIS AWS v5.0.0. Assessors check for a multi-region trail capturing both read and write management events, S3 data event logging, log file validation, and KMS encryption of trail logs. A frequent gap: organizations enable CloudTrail but neglect S3 object-level data events, which are required for CIS sections 3.8 and 3.9. AWS Config must be active in all regions, and auditors confirm the recorder has no delivery failures.

At least one enabled trail should be present in a region CloudTrail trail logs should be encrypted with KMS CMK CloudTrail trail log file validation should be enabled
Additional Controls (20)

AWS IAM (4)

Ensure IAM password policy requires a minimum length of 14 or greater Ensure IAM password policy prevents password reuse Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

Amazon EC2 (1)

Ensure IAM instance roles are used for AWS resource access from instances compliance.tf module

Amazon EFS (2)

EFS file system encryption at rest should be enabled compliance.tf module EFS file systems should be encrypted with CMK compliance.tf module

Amazon RDS (7)

RDS DB clusters should have automatic minor version upgrade enabled RDS DB clusters should be configured for multiple Availability Zones compliance.tf module RDS DB instance automatic minor version upgrade should be enabled compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module RDS DB instance multiple az should be enabled compliance.tf module RDS DB instances should not use public subnet compliance.tf module RDS DB instances should prohibit public access compliance.tf module

Amazon S3 (5)

S3 bucket MFA delete should be enabled compliance.tf module S3 buckets object logging should be enabled S3 buckets should prohibit public read access compliance.tf module S3 public access should be blocked at account level compliance.tf module S3 public access should be blocked at bucket levels compliance.tf module

  • CIS AWS Benchmark v4.0.0 โ€” ๐ŸŸข High overlap (85%)

    CIS v5.0.0 supersedes v4.0.0. Most controls carry forward with updated guidance and refined check logic. v5.0.0 adds controls for newer AWS services and retires some legacy checks. Organizations currently on v4.0.0 should migrate.

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (40%)

    CIS AWS controls map to a subset of NIST 800-53 Rev 5 control families, particularly AU (Audit and Accountability), SC (System and Communications Protection), and AC (Access Control). NIST 800-53 is far broader, covering organizational policies and physical security that CIS AWS does not address.

  • SOC 2 โ€” ๐ŸŸก Medium overlap (30%)

    SOC 2 trust service criteria, especially CC6 and CC7, partially overlap with CIS logging, encryption, and access controls. CIS scan results are commonly submitted as SOC 2 audit evidence for infrastructure hardening, but SOC 2 requires extensive policy, HR, and vendor management controls outside CIS scope.

Frequently Asked Questions

Does CIS AWS v5.0.0 apply to my organization?

If you run any workloads on AWS, yes. CIS benchmarks are voluntary, but auditors for SOC 2, HIPAA, FedRAMP, and PCI DSS frequently use CIS as a reference baseline. Even without an external audit mandate, applying the benchmark reduces your attack surface. No minimum size, revenue, or industry requirement exists.

What changed between CIS AWS v4.0.0 and v5.0.0?

v5.0.0 updates control definitions to reflect current AWS service capabilities, adds controls for newer services, and refines check criteria for existing ones. Some controls were renumbered or consolidated. If you already pass v4.0.0, expect a small number of new findings, primarily around updated encryption and logging expectations. Review the CIS changelog published alongside the benchmark PDF for a full delta.

How long does it take to achieve full compliance with the benchmark?

For a greenfield AWS account with infrastructure-as-code, one to two weeks of focused effort is realistic. For a brownfield environment with years of accumulated configuration drift, budget four to eight weeks. The hardest controls to remediate are MFA Delete on CloudTrail S3 buckets (requires root credentials), migrating unencrypted EBS volumes, and enforcing IMDSv2 across all instances without breaking legacy workloads.

Can I scope the benchmark to specific AWS accounts in an Organization?

Yes. Run powerpipe against individual accounts or aggregate across accounts using multi-account connection configurations. CIS recommends applying the benchmark to every account, but you can prioritize production accounts and treat dev and sandbox environments on a different schedule.

Is there a certification for passing the CIS benchmark?

No. CIS does not issue certifications. You generate a compliance report showing pass/fail status for each control and submit it as evidence during other audits, such as SOC 2 or ISO 27001. Some organizations publish their CIS compliance posture to customers via trust portals.