CIS AWS Benchmark v1.4.0
The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.4.0 provides prescriptive guidance for establishing a secure baseline configuration of Amazon Web Services environments. This is the current version with updated controls reflecting the latest AWS security best practices and services. It is applicable to all organizations using AWS infrastructure.
Terraform Registry Subdomain: cis
module "..." {
  source  = "cis.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
module "..." {
  source = "https://cis.compliance.tf/terraform-aws-modules/<module>/aws"
}
Refer to the Terraform Registry Endpoints section for more details.
Implemented Controls
The following controls are implemented as part of this framework.
- Attached EBS volumes should have encryption enabled
- S3 bucket logging should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
- S3 public access should be blocked at bucket levels
Enable/Disable Controls
You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.
Examples
S3 bucket module with CIS AWS Benchmark v1.4.0 compliance framework controls enabled, and a couple of controls disabled
module "..." {
  source = "https://cis.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=ebs_attached_volume_encryption_enabled,s3_bucket_logging_enabled"
}
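The following is an added, fuller example (not from the compliance.tf documentation) that shows what a practitioner actually has to configure for the listed S3 controls to pass: a dedicated log bucket, server access logging, versioning, and the bucket-level public access block. It assumes that the cis.compliance.tf source accepts the same inputs and exposes the same outputs as the upstream terraform-aws-modules/s3-bucket/aws module (input names such as `logging`, `versioning`, `block_public_acls` and the `s3_bucket_id` output are that module's), that the control identifiers are the ones named on this page, and that bucket names, prefixes and the version string are placeholders. Only the EBS control is disabled, since it cannot apply to an S3 module; the S3 controls stay on.

```hcl
# Added example; not code from compliance.tf or terraform-aws-modules.
# Assumption: cis.compliance.tf proxies the upstream module unchanged, so the
# upstream input/output names below are valid. All names are placeholders.

# Log bucket: target for the data bucket's server access logs.
module "log_bucket" {
  source  = "cis.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "<version>" # placeholder: pin a real release

  bucket = "example-access-logs-<account-id>" # constructed placeholder name

  # S3 server access logging writes with the log-delivery-write ACL; the
  # upstream module requires ObjectWriter ownership for ACLs to be settable.
  control_object_ownership = true
  object_ownership         = "ObjectWriter"
  acl                      = "log-delivery-write"

  # S3 bucket versioning should be enabled
  versioning = { enabled = true }

  # S3 public access should be blocked at bucket level
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Data bucket: only the EBS control is disabled because it is not relevant
# to an S3 module. s3_bucket_logging_enabled and the other S3 controls stay on,
# so the inputs below are what satisfies them.
module "data_bucket" {
  source = "https://cis.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=ebs_attached_volume_encryption_enabled"

  bucket = "example-data-<account-id>" # constructed placeholder name

  # S3 bucket logging should be enabled
  logging = {
    target_bucket = module.log_bucket.s3_bucket_id
    target_prefix = "data-bucket/"
  }

  # S3 bucket versioning should be enabled
  versioning = { enabled = true }

  # S3 public access should be blocked at bucket level; together with no
  # public ACLs or policy this also covers the "prohibit public access" and
  # "prohibit public write access" controls.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Not one of the controls listed on this page, but a sensible default.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }
  }
}
```

Disabling a control only silences the check; it does not change the bucket. Review each `disable=` entry against the control list above and keep the exception to controls that genuinely cannot apply to the resource (as with the EBS control here) rather than to controls that are merely inconvenient.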