CIS AWS Benchmark v5.0.0
Best for: Any organization running workloads on AWS that wants a recognized security baseline. CIS benchmarks are referenced by auditors across SOC 2, FedRAMP, PCI DSS, and HIPAA engagements as evidence of configuration hardening. If your company undergoes third-party security assessments, auditors will frequently map findings back to CIS controls.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Voluntary security baseline |
| Who validates? | Self-assessment or third-party |
| Renewal | No fixed cycle |
| Scope | AWS cloud environments; controls are tiered into Level 1 and Level 2 profiles |
Center for Internet Security (CIS) · CIS AWS Benchmark v5.0.0 Official source
Get Started

```hcl
module "..." {
  source  = "cisv500.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- CloudTrail Configuration: Validates multi-region trail enablement, read/write event capture, S3 data event logging, object-level read and write event logging, log file validation, KMS CMK encryption, and trail bucket protections including access logging and MFA Delete. Ten controls total.
- EBS Encryption at Rest: Checks that EBS encryption by default is enabled at the account level, that all attached volumes are encrypted, and that encryption at rest is enforced across all EBS volumes. Three controls.
- EC2 Instance Security: Runs 3 controls verifying that IAM instance profiles are attached to all EC2 instances, including publicly accessible ones, and that IMDSv2 is enforced.
- AWS Config Coverage: Confirms AWS Config is enabled across all regions and that the configuration recorder has no failed log deliveries. Two controls.
- Account Contact Information: Runs 2 controls checking that a security alternate contact is registered and that account contact details are maintained.
What you handle
- CloudTrail Configuration: Defining alerting thresholds on CloudTrail log anomalies, integrating with SIEM, and establishing incident response procedures when tampering is detected.
- EBS Encryption at Rest: Migrating pre-existing unencrypted volumes, selecting appropriate KMS key policies, and documenting key ownership and rotation schedules.
- EC2 Instance Security: Reviewing the actual IAM policies attached to instance profiles for least privilege. Compliance.tf confirms that a profile exists but does not evaluate the breadth of permissions it grants.
- AWS Config Coverage: Defining and maintaining AWS Config rules for your specific compliance requirements, managing Config rule remediation actions, and budgeting for Config recording costs at scale.
- Account Contact Information: Periodically validating that the contact information is accurate and that named contacts are still employed and reachable. This requires a manual process outside of automated scanning.
Controls by Category
Data Protection and Encryption (2 controls)
Account-level EBS encryption defaults must be enabled in every region, and all existing volumes need to be encrypted, not just new ones. The most common gap is legacy volumes created before the account-level default was turned on. Migrating them requires creating encrypted snapshots and replacing the original volumes, which teams routinely defer.
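The two conditions in that paragraph are independent checks, and a scanner has to run both: the account default only affects volumes created after it is set. The following is an added example (not Compliance.tf's own check logic) that evaluates both over per-region responses shaped like boto3's `get_ebs_encryption_by_default()` and `describe_volumes()` results. The data is constructed here; in a real run each dictionary would come from one client call per enabled region, because the default is a per-region setting.

```python
"""Evaluate EBS encryption posture from per-region API responses.

Added example, not compliance.tf code. The two dictionaries below mimic the
shape of boto3's ec2.get_ebs_encryption_by_default() and ec2.describe_volumes()
responses and are constructed sample data; in a real run you would issue one
client call per enabled region (the default is a per-region setting).
"""
from typing import Dict, List, Tuple

# Constructed sample: the default is on in us-east-1 only, and each region
# still carries a legacy volume created before any default was set.
ENCRYPTION_DEFAULT: Dict[str, dict] = {
    "us-east-1": {"EbsEncryptionByDefault": True},
    "eu-west-1": {"EbsEncryptionByDefault": False},
}

VOLUMES: Dict[str, dict] = {
    "us-east-1": {"Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0bbb", "Encrypted": False, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0bbb", "Device": "/dev/xvdf"}]},
    ]},
    "eu-west-1": {"Volumes": [
        {"VolumeId": "vol-0ccc", "Encrypted": False, "State": "available",
         "Attachments": []},
    ]},
}


def regions_without_default(defaults: Dict[str, dict]) -> List[str]:
    """Regions whose account-level EBS encryption default is off."""
    return sorted(region for region, resp in defaults.items()
                  if not resp.get("EbsEncryptionByDefault", False))


def unencrypted_volumes(volumes: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(region, volume id, attached instance or '-') for each unencrypted volume.

    The attachment matters for remediation: an attached volume cannot be
    swapped without a detach window on that instance, while an 'available'
    volume can be snapshotted, copied with encryption and replaced right away.
    """
    found = []
    for region, resp in volumes.items():
        for vol in resp.get("Volumes", []):
            if vol.get("Encrypted", False):
                continue
            attachments = vol.get("Attachments") or []
            instance = attachments[0]["InstanceId"] if attachments else "-"
            found.append((region, vol["VolumeId"], instance))
    return sorted(found)


def evaluate(defaults: Dict[str, dict], volumes: Dict[str, dict]) -> dict:
    """Both conditions must hold: default on everywhere and no unencrypted volume.

    Turning the default on is necessary but not sufficient; it only affects
    volumes created afterwards, so existing volumes are checked separately.
    """
    missing_default = regions_without_default(defaults)
    legacy = unencrypted_volumes(volumes)
    needs_downtime = [v for v in legacy if v[2] != "-"]
    return {
        "compliant": not missing_default and not legacy,
        "regions_missing_default": missing_default,
        "unencrypted_volumes": legacy,
        "attached_unencrypted": needs_downtime,
    }


if __name__ == "__main__":
    report = evaluate(ENCRYPTION_DEFAULT, VOLUMES)
    print("compliant:", report["compliant"])
    for region, vol_id, instance in report["unencrypted_volumes"]:
        print(f"  {region} {vol_id} attached_to={instance}")
```

The `attached_unencrypted` list is the one to hand to the migration owners: those volumes need a maintenance window, which is exactly why they get deferred.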
Identity and Access Management (2 controls)
The key check here is whether EC2 instances rely on IAM instance profiles rather than embedded long-term credentials, and whether IMDSv2 token-based access is enforced to block SSRF-based credential theft. Common finding: instances launched from older AMIs or launch templates still default to IMDSv1.
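The instance-level check reads `MetadataOptions.HttpTokens` (only `required` blocks IMDSv1), and the "older launch templates" finding means the check has to look at template default versions as well, or the next scale-out recreates the gap. Below is an added example, not Compliance.tf's code, that does both over constructed data shaped like boto3's `describe_instances()` and `describe_launch_template_versions()` responses. The choice to consider only default template versions, and the treatment of a template with no `MetadataOptions` as "not explicitly enforced", are assumptions of this example.

```python
"""Flag EC2 instances and launch templates that still permit IMDSv1 or run
without an instance profile.

Added example, not compliance.tf code. INSTANCES mimics the shape of boto3's
ec2.describe_instances() response and LAUNCH_TEMPLATES that of
ec2.describe_launch_template_versions(); both are constructed sample data.
"""
from typing import Dict, List

INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0001", "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    # Public, IMDSv1 allowed, no profile: nothing to steal via SSRF today,
    # but any role attached later is exposed, and it fails the IMDSv2 check.
    {"InstanceId": "i-0002", "PublicIpAddress": "203.0.113.11",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    # Private, role attached, but an old launch template left IMDSv1 on.
    {"InstanceId": "i-0003",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]}

LAUNCH_TEMPLATES = {"LaunchTemplateVersions": [
    {"LaunchTemplateId": "lt-0aaa", "VersionNumber": 3, "DefaultVersion": True,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}},
    # No MetadataOptions at all: new instances inherit whatever the AMI or the
    # account-level metadata default says, which this check cannot see, so it
    # is treated as "not explicitly enforced" (assumption of this example).
    {"LaunchTemplateId": "lt-0bbb", "VersionNumber": 1, "DefaultVersion": True,
     "LaunchTemplateData": {}},
    {"LaunchTemplateId": "lt-0ccc", "VersionNumber": 2, "DefaultVersion": False,
     "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "optional"}}},
]}


def imdsv2_enforced(metadata_options: dict) -> bool:
    """True only when token-based (v2) access is mandatory."""
    return metadata_options.get("HttpTokens") == "required"


def instance_findings(resp: dict) -> List[Dict]:
    """One record per instance with the facts the CIS checks care about."""
    out = []
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            out.append({
                "InstanceId": inst["InstanceId"],
                "public": "PublicIpAddress" in inst,
                "has_profile": "IamInstanceProfile" in inst,
                "imdsv2": imdsv2_enforced(opts),
                # Hop limit > 1 lets a container on the host reach IMDS; not a
                # CIS requirement, but worth reporting next to the token check.
                "hop_limit": opts.get("HttpPutResponseHopLimit", 1),
            })
    return out


def failing_instances(findings: List[Dict]) -> List[str]:
    """Instances that fail either check, public ones first."""
    bad = [f for f in findings if not (f["imdsv2"] and f["has_profile"])]
    bad.sort(key=lambda f: (not f["public"], f["InstanceId"]))
    return [f["InstanceId"] for f in bad]


def launch_templates_allowing_imdsv1(resp: dict) -> List[str]:
    """Default template versions that do not explicitly require IMDSv2.

    Only default versions are considered, on the assumption that this is what
    a plain launch picks up; a group pinned to $Latest or a specific version
    would need that version checked instead.
    """
    ids = []
    for ver in resp.get("LaunchTemplateVersions", []):
        if not ver.get("DefaultVersion"):
            continue
        opts = ver.get("LaunchTemplateData", {}).get("MetadataOptions", {})
        if not imdsv2_enforced(opts):
            ids.append(ver["LaunchTemplateId"])
    return sorted(ids)


if __name__ == "__main__":
    print("failing instances:", failing_instances(instance_findings(INSTANCES)))
    print("launch templates allowing IMDSv1:",
          launch_templates_allowing_imdsv1(LAUNCH_TEMPLATES))
```

Fixing the running instances without fixing `lt-0bbb` only lasts until the next replacement; remediate the template (or set the account-level metadata default) first, then the instances.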
Logging and Monitoring (3 controls)
This is the largest control group in CIS AWS v5.0.0. Assessors check for a multi-region trail capturing both read and write management events, S3 data event logging, log file validation, and KMS encryption of trail logs. A frequent gap: organizations enable CloudTrail but neglect S3 object-level data events, which are required for CIS sections 3.8 and 3.9. AWS Config must be active in all regions, and auditors confirm the recorder has no delivery failures.
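Two things trip up home-grown versions of these checks: trails configured with `AdvancedEventSelectors` return an empty `EventSelectors` list (so a naive check reports them as logging nothing), and the benchmark's checks do not all aggregate the same way. The example below is added here and is not Compliance.tf's logic; it evaluates constructed data shaped like boto3's CloudTrail `describe_trails()`, `get_trail_status()` and `get_event_selectors()` responses. It treats "enabled in all regions" and the S3 data-event checks as satisfied by any one qualifying trail, and log file validation and KMS encryption as per-trail hygiene that every trail must meet; that reading of the benchmark is an assumption of this example.

```python
"""Evaluate CloudTrail trails against the CIS logging checks described above.

Added example, not compliance.tf code. TRAILS, STATUS and SELECTORS mimic the
shape of boto3's cloudtrail describe_trails(), get_trail_status() and
get_event_selectors() responses and are constructed sample data. The first
trail uses AdvancedEventSelectors, the second classic EventSelectors.
"""
from typing import Dict, List, Tuple

ORG = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
LEGACY = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/legacy"

TRAILS = {"trailList": [
    {"Name": "org-trail", "TrailARN": ORG, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "S3BucketName": "org-trail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"},
    {"Name": "legacy", "TrailARN": LEGACY, "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "S3BucketName": "legacy-logs"},
]}
STATUS = {ORG: {"IsLogging": True}, LEGACY: {"IsLogging": True}}
SELECTORS = {
    ORG: {"AdvancedEventSelectors": [
        {"Name": "mgmt", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]}]},
        {"Name": "s3-objects", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]},
    ]},
    LEGACY: {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": []}]},
}

S3_ALL = ("arn:aws:s3", "arn:aws:s3:::")  # DataResources values meaning "every bucket"


def _rw(read_write_type: str) -> Tuple[bool, bool]:
    """Map a classic ReadWriteType to (reads logged, writes logged)."""
    return {"All": (True, True), "ReadOnly": (True, False),
            "WriteOnly": (False, True)}[read_write_type]


def coverage(selectors: dict) -> Dict[str, bool]:
    """Which of management (read+write), S3 object reads and S3 object writes
    a trail records, reading both selector styles."""
    mgmt = s3_read = s3_write = False
    for sel in selectors.get("EventSelectors", []):
        read, write = _rw(sel.get("ReadWriteType", "All"))
        if sel.get("IncludeManagementEvents") and read and write:
            mgmt = True
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and any(
                    v in S3_ALL for v in res.get("Values", [])):
                s3_read |= read
                s3_write |= write
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        # A readOnly field narrows the selector; absent means both directions.
        ro = fields.get("readOnly", {}).get("Equals")
        read, write = (True, True) if ro is None else (ro == ["true"], ro == ["false"])
        if "Management" in category and read and write:
            mgmt = True
        if ("Data" in category
                and fields.get("resources.type", {}).get("Equals") == ["AWS::S3::Object"]
                and "resources.ARN" not in fields):  # an ARN filter means "some buckets"
            s3_read |= read
            s3_write |= write
    return {"management_all": mgmt, "s3_read": s3_read, "s3_write": s3_write}


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> Dict[str, bool]:
    result = {
        "multi_region": bool(trail.get("IsMultiRegionTrail")),
        "logging": bool(status.get("IsLogging")),
        "log_file_validation": bool(trail.get("LogFileValidationEnabled")),
        "kms_encrypted": bool(trail.get("KmsKeyId")),
    }
    result.update(coverage(selectors))
    return result


def account_report(trails: dict, statuses: dict, selectors: dict) -> Dict[str, bool]:
    """Coverage needs one qualifying trail; hygiene checks apply to every trail
    (this split is this example's reading of the benchmark)."""
    per_trail: List[Dict[str, bool]] = [
        evaluate_trail(t, statuses[t["TrailARN"]], selectors[t["TrailARN"]])
        for t in trails["trailList"]]
    coverage_keys = ("multi_region", "logging", "management_all", "s3_read", "s3_write")
    return {
        "coverage": any(all(r[k] for k in coverage_keys) for r in per_trail),
        "all_trails_validated": all(r["log_file_validation"] for r in per_trail),
        "all_trails_kms": all(r["kms_encrypted"] for r in per_trail),
    }


if __name__ == "__main__":
    for trail in TRAILS["trailList"]:
        arn = trail["TrailARN"]
        print(trail["Name"], evaluate_trail(trail, STATUS[arn], SELECTORS[arn]))
    print(account_report(TRAILS, STATUS, SELECTORS))
```

In the sample the organization trail covers everything, yet the account still fails the validation and KMS checks because of the forgotten single-region `legacy` trail; stray trails are worth deleting rather than tolerating.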
Additional Controls (20)
- AWS IAM (4)
- Amazon EC2 (1)
- Amazon EFS (2)
- Amazon RDS (7)
- Amazon S3 (5)
Related Frameworks
CIS AWS Benchmark v4.0.0: High overlap (85%)
CIS v5.0.0 supersedes v4.0.0. Most controls carry forward with updated guidance and refined check logic. v5.0.0 adds controls for newer AWS services and retires some legacy checks. Organizations currently on v4.0.0 should migrate.
NIST 800-53 Rev 5: Medium overlap (40%)
CIS AWS controls map to a subset of NIST 800-53 Rev 5 control families, particularly AU (Audit and Accountability), SC (System and Communications Protection), and AC (Access Control). NIST 800-53 is far broader, covering organizational policies and physical security that CIS AWS does not address.
SOC 2: Medium overlap (30%)
SOC 2 trust service criteria, especially CC6 and CC7, partially overlap with CIS logging, encryption, and access controls. CIS scan results are commonly submitted as SOC 2 audit evidence for infrastructure hardening, but SOC 2 requires extensive policy, HR, and vendor management controls outside CIS scope.