compliance.tf
Compliance FrameworksCommon Frameworks

CIS AWS Benchmark v6.0.0

Best for: Any AWS shop that needs a recognized configuration baseline. This covers enterprises whose customers demand evidence of cloud hardening, teams pursuing SOC 2 or FedRAMP (CIS controls provide supporting technical evidence but don't satisfy all required safeguards on their own), and regulated industries like financial services and healthcare that treat CIS as an accepted hardening standard. No size or revenue threshold.

Mandatory?Voluntary security baseline
Who validates?Self-assessment or third-party
RenewalNo fixed cycle
ScopeAWS cloud environments; three Implementation Groups (IGs)

🏛 Center for Internet Security (CIS) · CIS AWS Benchmark v6.0.0 Official source →

Get Started

module "..." {
  source  = "cis.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • CloudTrail Logging Configuration: Runs controls checking multi-region trail enablement, log file validation, KMS encryption of trail logs, S3 data event logging for read and write operations, and access logging on the CloudTrail destination bucket. Covers 10 of the CloudTrail-related controls in the benchmark.
  • EBS Encryption at Rest: Checks that EBS encryption by default is enabled at the account level, that attached volumes are encrypted, and that all EBS volumes (attached or not) use encryption. Three controls covered.
  • EC2 Instance Security Configuration: Validates that EC2 instances have IAM profiles attached (with additional scrutiny for publicly accessible instances) and that IMDSv2 is enforced. Three controls covered.
  • AWS Config Monitoring: Verifies that AWS Config is enabled across all regions and that the configuration recorder has no failed log deliveries. Two controls covered.
  • Account-Level Security Settings: Checks whether a security alternate contact is registered on the AWS account. Programmatic verification of contact registration status.

What you handle

  • CloudTrail Logging Configuration: Log retention policies, CloudWatch alarm configuration for specific API calls, and the investigation process when suspicious activity surfaces in logs are all yours to define. So is the incident response workflow triggered by log findings.
  • EBS Encryption at Rest: KMS key selection (AWS-managed vs. customer-managed), rotation schedules, and migrating any pre-existing unencrypted volumes to encrypted replacements.
  • EC2 Instance Security Configuration: The IAM policies attached to instance profiles need to follow least privilege, which requires reviewing what permissions each role grants. Also verify that application code doesn't rely on IMDSv1 before flipping the enforcement switch.
  • AWS Config Monitoring: Config rules beyond the baseline, compliance dashboard reviews, and SNS notifications for configuration drift are outside what automation covers here.
  • Account-Level Security Settings: Actually populating the contact fields with valid, monitored email addresses and phone numbers. Keeping contact information current when staff change. These are manual data entry tasks that cannot be fully automated.

Controls by Category

Data Protection - EBS Encryption (2 controls)

Most EBS findings here aren't about whether encryption by default is toggled on. It's the older volumes created before that setting was enabled that trip organizations up. Remediation means creating encrypted snapshots and replacing the originals, which takes real time in production environments.

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Identity and Access Management - EC2 (2 controls)

Instance profiles and IMDSv2 enforcement are the two things assessors focus on here, with extra scrutiny on publicly accessible instances. For IMDSv2, check that HttpTokens is set to 'required' in the instance metadata options. Legacy instances still allowing IMDSv1 are a common finding and a real exposure: SSRF vulnerabilities can be used to steal instance credentials via the metadata service.

EC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should use IMDSv2compliance.tf module

Logging - CloudTrail Configuration (3 controls)

Auditors confirm at least one multi-region trail captures both read and write management events, that log file validation is enabled to detect tampering, and that trail logs are encrypted with a customer-managed KMS key. A frequent gap: organizations have a trail enabled but it only covers one region, or log file validation was never turned on.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled
Additional Controls (20)

AWS IAM (4)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

Amazon EC2 (1)

EC2 instances should use IAM instance roles for AWS resource accesscompliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon RDS (7)

RDS DB clusters should have automatic minor version upgrade enabledRDS DB clusters should be configured for multiple Availability Zonescompliance.tf moduleRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf module

Amazon S3 (5)

S3 buckets should have MFA delete enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should prohibit public read accesscompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Related Frameworks

CIS AWS Benchmark v4.0.0🟢 High overlap (72%)

CIS v4.0.0 is an earlier major version. The immediate predecessor to v6.0.0 is v5.0.0. v6.0.0 retains many v4.0.0 era controls but adds newer requirements around IMDSv2 enforcement, account contact management, and expanded S3 data event logging. Organizations already compliant with v4.0.0 will still need to review incremental changes introduced in v5.0.0 and v6.0.0.

AWS Foundational Security Best Practices🟡 Medium overlap (55%)

AWS Foundational Security Best Practices (FSBP) partially overlaps with CIS v6.0.0 on CloudTrail, encryption, and Config controls. FSBP includes broader service coverage (Lambda, RDS, ECS) that CIS v6.0.0 does not address, while CIS includes account-level controls that FSBP skips.

NIST 800-53 Rev 5🟡 Medium overlap (30%)

CIS AWS controls map to a subset of NIST 800-53 Rev 5, primarily the AU (Audit and Accountability), SC (System and Communications Protection), and AC (Access Control) families. NIST 800-53 is far broader, covering organizational policy, physical security, and personnel controls that CIS does not address.

Frequently Asked Questions

Does CIS v6.0.0 apply to my organization?
If you run anything on AWS, yes. CIS benchmarks are voluntary, not regulatory mandates. However, auditors in SOC 2, FedRAMP, PCI DSS, and HIPAA assessments routinely reference them as evidence of a hardened baseline, and many enterprise procurement questionnaires ask directly whether CIS benchmarks are followed. There is no revenue or size threshold.
How does v6.0.0 differ from v4.0.0?
v6.0.0 adds controls for IMDSv2 enforcement on EC2 instances, account-level security contact registration, and expanded S3 object-level logging (separate read and write event controls). Several existing controls have updated audit procedures reflecting current AWS console and CLI interfaces. If you passed v4.0.0, expect to remediate a handful of new controls, primarily around instance metadata and account settings.
Can I get certified against CIS benchmarks?
No. CIS does not offer a certification program. You run assessments using tools like Powerpipe or CIS-CAT Pro, produce evidence reports, and those reports are consumed by auditors or customers as supporting documentation within a broader compliance program like SOC 2 or ISO 27001.
How long does initial remediation take?
For a single AWS account with moderate complexity, expect 2 to 4 weeks. CloudTrail and Config controls can be fixed in a day with Terraform. EBS encryption takes longer if you have existing unencrypted volumes that require snapshot, encrypt, and replace workflows. IMDSv2 enforcement requires application testing to confirm nothing depends on v1. Multi-account environments using AWS Organizations will take proportionally longer but benefit from deploying fixes via SCPs and StackSets.
What about the MFA delete requirement on the CloudTrail S3 bucket?
This is the single most operationally difficult control in the benchmark. MFA delete can only be enabled by the root user via the AWS CLI, not the console, and requires a hardware or virtual MFA device registered to the root account. Many organizations document a compensating control (versioning plus bucket policy restrictions) rather than enabling MFA delete, because it complicates legitimate bucket lifecycle operations. Discuss the approach with your auditor before implementation.

FedRAMP Moderate Baseline Rev 4

Previous Page

CIS Controls v8.0 IG1

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryData Protection - EBS Encryption (2)Identity and Access Management - EC2 (2)Logging - CloudTrail Configuration (3)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page