compliance.tf
Compliance FrameworksCommon Frameworks

CIS Controls v8.0 IG1

Best for: Small and medium enterprises without dedicated security staff, particularly those handling sensitive data where cyber insurance applications, vendor questionnaires, or SOC 2 readiness work has surfaced CIS benchmarks. IG1 is the minimum expectation in most of those contexts, and many underwriters now ask about it explicitly. No dedicated security team, limited budget: IG1 is where you start.

Mandatory?Voluntary security baseline
Who validates?Self-assessment or third-party
RenewalNo fixed cycle
ScopeAll organizations; Implementation Group 1 (basic hygiene)

๐Ÿ› Center for Internet Security (CIS) ยท CIS Controls v8.0 IG1 (May 2021) Official source โ†’

Get Started

module "..." {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Runs controls checking EBS volume encryption, EBS default encryption settings, and KMS CMK usage for CloudTrail logs. Detects unencrypted attached volumes and publicly restorable snapshots.
  • Logging and Monitoring: Validates CloudTrail multi-region trails, S3 data event logging, CloudWatch integration, log file validation, CloudFront access logs, and API Gateway stage logging. Checks CloudWatch log group retention against the 365-day threshold.
  • Network Exposure: Checks that Auto Scaling launch configurations do not assign public IPs and that DMS replication instances are not publicly accessible. Identifies resources with unnecessary internet-facing configurations.
  • Backup and Recovery: Validates AWS Backup plan existence with minimum 35-day retention, DynamoDB table inclusion in backup plans, and DynamoDB point-in-time recovery enablement.
  • Account Governance: Checks that the AWS account is part of AWS Organizations, validating centralized governance capability.

What you handle

  • Encryption at Rest: Defining and documenting your key management policy, configuring KMS key rotation schedules, and managing key access grants. Encryption coverage for services outside these checks (RDS, S3, EFS) is also on you.
  • Logging and Monitoring: Alerting rules on critical log events, regular log reviews, and incident escalation procedures based on log findings all fall outside Terraform policy checks. So does SIEM integration and threat detection rule configuration.
  • Network Exposure: Maintaining network architecture documentation, configuring VPC flow logs, managing security group rules beyond what these specific controls cover, and running periodic network access reviews.
  • Backup and Recovery: Restore testing, RTO and RPO documentation, and ensuring backup plans cover all in-scope data stores beyond DynamoDB and EBS are your responsibility.
  • Account Governance: Configuring service control policies, setting up cross-account access patterns, defining the OU structure, and managing member account lifecycle processes.

Controls by Category

Audit Log Management (CIS Control 8) (6 controls)

The most common finding here is CloudTrail trails that exist but lack log file validation (Safeguard 8.11) or are not integrated with a centralized log management solution like CloudWatch. Assessors also check that S3 data event logging captures object-level API activity, not just management events, and that log retention meets the 365-day threshold in Safeguard 8.10.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have log file validation enabledCloudWatch log groups should have retention period of at least 365 dayscompliance.tf moduleAPI Gateway stages should have logging enabledCloudFront distributions access logs should be enabledcompliance.tf module

Data Protection (CIS Control 3) (2 controls)

Encryption at rest on all storage volumes and snapshots (Safeguard 3.11) is the primary check, along with whether sensitive data like audit logs uses customer-managed KMS keys rather than default AWS encryption. A frequent gap: EBS encryption by default is a regional setting, and organizations often enable it in their primary region but miss secondary regions. Public EBS snapshots are a high-severity finding every time.

Attached EBS volumes should have encryption enabledcompliance.tf moduleCloudTrail trails should have logs encrypted using a customer managed KMS key

Data Recovery (CIS Control 11) (2 controls)

DynamoDB point-in-time recovery is a consistent miss because it must be explicitly enabled per table. Assessors confirm that backup plans exist with defined retention periods (Safeguard 11.2), that the 35-day minimum retention threshold passes for all in-scope data stores, and may request evidence of a completed restore test.

Backup plans should have minimum frequency and minimum retention configuredDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Secure Configuration of Enterprise Assets and Software (CIS Control 4) (1 control)

Auditors check that compute resources follow least-privilege network exposure (Safeguards 4.6 and 4.7). Launch configurations that assign public IPs directly to instances bypass load balancer controls and widen the attack surface. DMS replication instances left publicly accessible after a migration project are a recurring finding, the kind of temporary configuration that never gets cleaned up.

DMS replication instances should not be publicly accessiblecompliance.tf module
Additional Controls (36)

AWS IAM (1)

IAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (1)

Lambda functions should be in a VPCcompliance.tf module

Amazon EC2 (5)

EC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf module

Amazon EKS (1)

EKS clusters endpoint should restrict public accesscompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon RDS (4)

RDS DB instance backup should be enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf module

Amazon Redshift (4)

Redshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (11)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SageMaker (1)

SageMaker notebook instances should not have direct internet access

Amazon VPC (2)

VPC Security groups should only allow unrestricted incoming traffic for authorized portscompliance.tf moduleVPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (1)

ELB application and classic load balancer logging should be enabledcompliance.tf module

Other (2)

ES domains should be in a VPCElasticsearch domain should send logs to CloudWatch

Related Frameworks

NIST CSF v1.0 โ€” ๐ŸŸข High overlap (65%)

CIS v8.0 maps directly to NIST CSF functions. CIS provides specific technical controls that implement NIST CSF's higher-level categories. CIS publishes an official mapping document between CIS Controls v8 and NIST CSF.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (45%)

NIST 800-53 is far broader in scope with over 1,000 controls. CIS IG1's 56 safeguards map to a subset of 800-53 controls, primarily in the AC, AU, CM, CP, and SC families. Organizations subject to FedRAMP or FISMA use 800-53 as the authoritative source and treat CIS as an implementation accelerator.

SOC 2 โ€” ๐ŸŸก Medium overlap (40%)

SOC 2 Trust Services Criteria (especially CC6 and CC7) share requirements with CIS IG1's logging, access control, and configuration management safeguards. Many SOC 2 auditors accept CIS benchmark scan results as supporting evidence for common criteria points.

Frequently Asked Questions

Does CIS IG1 apply to my organization?
IG1 applies to any organization that wants a defensible cybersecurity baseline. No regulation mandates CIS adoption specifically, but IG1 shows up in cyber insurance applications, vendor security questionnaires, and SOC 2 readiness work. If you have fewer than 50 employees and no dedicated security team, CIS designed IG1 for you.
What is the difference between IG1, IG2, and IG3?
IG1 contains 56 safeguards covering essential cyber hygiene. IG2 adds 74 more (130 total) for organizations with moderate risk and some dedicated IT security staff. IG3 includes all 153 safeguards and targets organizations facing sophisticated adversaries. The groups are cumulative: IG2 includes all of IG1, and IG3 includes all of IG2.
Is there a formal CIS IG1 certification?
No. CIS Controls have no certification program; compliance is self-assessed. You can use CIS-CAT Pro (a licensed tool from CIS) or open-source tools like Steampipe and PowerPipe to generate assessment reports. Some organizations include CIS benchmark results in their SOC 2 evidence packages or share them with customers as proof of baseline controls.
How does CIS v8.0 differ from v8.1?
CIS v8.1 (June 2024) is a minor update. It clarified safeguard descriptions and added context to implementation guidance but did not change the control structure or numbering. The 18 control areas and the IG groupings are the same. If your tooling references v8.0, you are not materially behind.
How long does an initial CIS IG1 assessment take?
For a single AWS account, automated scanning with PowerPipe produces results in minutes. Remediation depends on your environment size. A typical small organization with 1 to 3 AWS accounts can reach IG1 compliance within 2 to 6 weeks, assuming no major architectural changes are needed. Most of that time goes to enabling encryption defaults, configuring CloudTrail correctly, and setting up backup plans.

CIS AWS Benchmark v6.0.0

Previous Page

NIST SP 800-171 Rev 2

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit Log Management (CIS Control 8) (6)Data Protection (CIS Control 3) (2)Data Recovery (CIS Control 11) (2)Secure Configuration of Enterprise Assets and Software (CIS Control 4) (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page