Skip to content

CIS Controls v8.0 IG1

Best for: Small and medium enterprises without dedicated security staff, particularly those handling sensitive data where cyber insurance applications, vendor questionnaires, or SOC 2 readiness work has surfaced CIS benchmarks. IG1 is the minimum expectation in most of those contexts, and many underwriters now ask about it explicitly. No dedicated security team, limited budget: IG1 is where you start.

Mandatory?Voluntary security baseline
Who validates?Self-assessment or third-party
RenewalNo fixed cycle
ScopeAll organizations; Implementation Group 1 (basic hygiene)

๐Ÿ› Center for Internet Security (CIS) ยท CIS Controls v8.0 IG1 (May 2021) Official source โ†’

Get Started

module "..." {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Encryption at Rest: Runs controls checking EBS volume encryption, EBS default encryption settings, and KMS CMK usage for CloudTrail logs. Detects unencrypted attached volumes and publicly restorable snapshots.
    • Logging and Monitoring: Validates CloudTrail multi-region trails, S3 data event logging, CloudWatch integration, log file validation, CloudFront access logs, and API Gateway stage logging. Checks CloudWatch log group retention against the 365-day threshold.
    • Network Exposure: Checks that Auto Scaling launch configurations do not assign public IPs and that DMS replication instances are not publicly accessible. Identifies resources with unnecessary internet-facing configurations.
    • Backup and Recovery: Validates AWS Backup plan existence with minimum 35-day retention, DynamoDB table inclusion in backup plans, and DynamoDB point-in-time recovery enablement.
    • Account Governance: Checks that the AWS account is part of AWS Organizations, validating centralized governance capability.

  • What you handle

    • Encryption at Rest: Defining and documenting your key management policy, configuring KMS key rotation schedules, and managing key access grants. Encryption coverage for services outside these checks (RDS, S3, EFS) is also on you.
    • Logging and Monitoring: Alerting rules on critical log events, regular log reviews, and incident escalation procedures based on log findings all fall outside Terraform policy checks. So does SIEM integration and threat detection rule configuration.
    • Network Exposure: Maintaining network architecture documentation, configuring VPC flow logs, managing security group rules beyond what these specific controls cover, and running periodic network access reviews.
    • Backup and Recovery: Restore testing, RTO and RPO documentation, and ensuring backup plans cover all in-scope data stores beyond DynamoDB and EBS are your responsibility.
    • Account Governance: Configuring service control policies, setting up cross-account access patterns, defining the OU structure, and managing member account lifecycle processes.

Controls by Category

Audit Log Management (CIS Control 8) (6 controls)

The most common finding here is CloudTrail trails that exist but lack log file validation (Safeguard 8.11) or are not integrated with a centralized log management solution like CloudWatch. Assessors also check that S3 data event logging captures object-level API activity, not just management events, and that log retention meets the 365-day threshold in Safeguard 8.10.

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail log file validation should be enabled Log group retention period should be at least 365 days compliance.tf module API Gateway stage logging should be enabled CloudFront distributions access logs should be enabled compliance.tf module

Data Protection (CIS Control 3) (2 controls)

Encryption at rest on all storage volumes and snapshots (Safeguard 3.11) is the primary check, along with whether sensitive data like audit logs uses customer-managed KMS keys rather than default AWS encryption. A frequent gap: EBS encryption by default is a regional setting, and organizations often enable it in their primary region but miss secondary regions. Public EBS snapshots are a high-severity finding every time.

Attached EBS volumes should have encryption enabled compliance.tf module CloudTrail trail logs should be encrypted with KMS CMK

Data Recovery (CIS Control 11) (2 controls)

DynamoDB point-in-time recovery is a consistent miss because it must be explicitly enabled per table. Assessors confirm that backup plans exist with defined retention periods (Safeguard 11.2), that the 35-day minimum retention threshold passes for all in-scope data stores, and may request evidence of a completed restore test.

Backup plan min frequency and min retention check DynamoDB table point-in-time recovery should be enabled compliance.tf module

Secure Configuration of Enterprise Assets and Software (CIS Control 4) (1 control)

Auditors check that compute resources follow least-privilege network exposure (Safeguards 4.6 and 4.7). Launch configurations that assign public IPs directly to instances bypass load balancer controls and widen the attack surface. DMS replication instances left publicly accessible after a migration project are a recurring finding, the kind of temporary configuration that never gets cleaned up.

DMS replication instances should not be publicly accessible compliance.tf module
Additional Controls (36)

AWS IAM (1)

IAM password policies for users should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

AWS Lambda (1)

Lambda functions should be in a VPC compliance.tf module

Amazon EC2 (5)

EC2 instance should have EBS optimization enabled compliance.tf module EC2 instances should have IAM profile attached compliance.tf module EC2 instances should be in a VPC compliance.tf module EC2 instances should not have a public IP address compliance.tf module EC2 instances should use IMDSv2 compliance.tf module

Amazon EKS (1)

EKS clusters endpoint should restrict public access compliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabled compliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater compliance.tf module

Amazon RDS (4)

RDS DB instance backup should be enabled compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module Database logging should be enabled compliance.tf module RDS DB instances should prohibit public access compliance.tf module

Amazon Redshift (4)

AWS Redshift clusters should have automatic snapshots enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module Redshift clusters should prohibit public access compliance.tf module

Amazon S3 (11)

S3 bucket cross-region replication should be enabled compliance.tf module S3 bucket default encryption should be enabled compliance.tf module S3 buckets should have lifecycle policies configured compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket policy should prohibit public access compliance.tf module S3 buckets should prohibit public read access compliance.tf module S3 buckets should prohibit public write access compliance.tf module S3 buckets with versioning enabled should have lifecycle policies configured compliance.tf module S3 bucket versioning should be enabled compliance.tf module S3 public access should be blocked at account level compliance.tf module S3 public access should be blocked at bucket levels compliance.tf module

Amazon SageMaker (1)

SageMaker notebook instances should not have direct internet access

Amazon VPC (2)

VPC Security groups should only allow unrestricted incoming traffic for authorized ports compliance.tf module VPC subnet auto assign public IP should be disabled compliance.tf module

Elastic Load Balancing (1)

ELB application and classic load balancer logging should be enabled compliance.tf module

Other (2)

ES domains should be in a VPC Elasticsearch domain should send logs to CloudWatch

  • NIST CSF v1.0 โ€” ๐ŸŸข High overlap (65%)

    CIS v8.0 maps directly to NIST CSF functions. CIS provides specific technical controls that implement NIST CSF's higher-level categories. CIS publishes an official mapping document between CIS Controls v8 and NIST CSF.

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (45%)

    NIST 800-53 is far broader in scope with over 1,000 controls. CIS IG1's 56 safeguards map to a subset of 800-53 controls, primarily in the AC, AU, CM, CP, and SC families. Organizations subject to FedRAMP or FISMA use 800-53 as the authoritative source and treat CIS as an implementation accelerator.

  • SOC 2 โ€” ๐ŸŸก Medium overlap (40%)

    SOC 2 Trust Services Criteria (especially CC6 and CC7) share requirements with CIS IG1's logging, access control, and configuration management safeguards. Many SOC 2 auditors accept CIS benchmark scan results as supporting evidence for common criteria points.

Frequently Asked Questions

Does CIS IG1 apply to my organization?

IG1 applies to any organization that wants a defensible cybersecurity baseline. No regulation mandates CIS adoption specifically, but IG1 shows up in cyber insurance applications, vendor security questionnaires, and SOC 2 readiness work. If you have fewer than 50 employees and no dedicated security team, CIS designed IG1 for you.

What is the difference between IG1, IG2, and IG3?

IG1 contains 56 safeguards covering essential cyber hygiene. IG2 adds 74 more (130 total) for organizations with moderate risk and some dedicated IT security staff. IG3 includes all 153 safeguards and targets organizations facing sophisticated adversaries. The groups are cumulative: IG2 includes all of IG1, and IG3 includes all of IG2.

Is there a formal CIS IG1 certification?

No. CIS Controls have no certification program; compliance is self-assessed. You can use CIS-CAT Pro (a licensed tool from CIS) or open-source tools like Steampipe and PowerPipe to generate assessment reports. Some organizations include CIS benchmark results in their SOC 2 evidence packages or share them with customers as proof of baseline controls.

How does CIS v8.0 differ from v8.1?

CIS v8.1 (June 2024) is a minor update. It clarified safeguard descriptions and added context to implementation guidance but did not change the control structure or numbering. The 18 control areas and the IG groupings are the same. If your tooling references v8.0, you are not materially behind.

How long does an initial CIS IG1 assessment take?

For a single AWS account, automated scanning with PowerPipe produces results in minutes. Remediation depends on your environment size. A typical small organization with 1 to 3 AWS accounts can reach IG1 compliance within 2 to 6 weeks, assuming no major architectural changes are needed. Most of that time goes to enabling encryption defaults, configuring CloudTrail correctly, and setting up backup plans.