By Samjhana Devkota, Professional Services Consultant – AWS
By Amir Hashem, Security Consultant – AWS
The Center for Internet Security (CIS) is an AWS ISV Partner and nonprofit organization responsible for the CIS Controls and CIS Benchmarks, which are globally recognized best practices for securing IT systems and data.
Implementing these Benchmarks and Controls helps harden systems through measures such as disabling unnecessary ports, removing unneeded services, and limiting administrative privileges.
The focus of this post is CIS Benchmarks and CIS Hardened Images. CIS Benchmarks are secure configuration guidelines that enable users to protect an operating system (OS), software, networks, and more, all of which are prone to cyber-attacks.
CIS Benchmarks can be applied on various platforms, including but not limited to Linux, iOS, and Microsoft Windows. CIS also offers CIS Hardened Images on AWS Marketplace, which are virtual machine images pre-configured to CIS Benchmark standards.
Purchasing a pre-hardened image is a great option, especially since you are ensured compliance with the CIS Benchmark, and deploying it would not require much maintenance on your end.
At $0.02 per compute hour, however, running tens of thousands of instances can become costly. Because of this, you may want to consider using the free PDF CIS Benchmarks to harden your operating systems in the cloud yourself.
This post aims to shed light on the considerations needed when looking into building vs. buying a hardened image, and provides examples on how to leverage various tools from CIS to achieve this task.
Building a Hardened Virtual Image
Various OS Types
Before beginning the building process, it’s imperative to consider all of the operating systems that are present in your current environment. CIS Benchmarks are available for a majority of the most commonly used operating systems, and can be found on the CIS website.
Because of the wide variety of operating systems in use, it can be difficult to consolidate hardening efforts across them.
Leveraging Build Kits
Build Kits are either a set of basic shell scripts (for UNIX and Linux systems) or group policy objects (for Microsoft Windows systems) that are built upon the corresponding CIS Benchmark’s “remediation” section.
They are used to assist in automating the hardening of systems. CIS provides them, provided your organization is a CIS SecureSuite member.
Build Kits are developed and released based on CIS SecureSuite member requests and development availability. Build Kits are not available for every OS at the moment; for example, there is no Build Kit currently available for Amazon Linux 2.
Not every setting in a CIS Benchmark can be applied by a Build Kit, because certain settings cannot be managed through group policy objects (GPOs) or scripts.
In some instances, systems therefore cannot be fully (100%) hardened by a Build Kit alone. Additionally, as cautioned by CIS, it is crucial to thoroughly review the contents of a CIS Benchmark, as there may be some settings your organization needs to exempt itself from due to unique operational requirements.
Inadequate testing and review of a Build Kit’s functionality could negatively impact an organization, so it’s important to thoroughly review the Benchmarks of interest and understand each recommendation.
Initial Hardening Effort
As explained in the previous section, there could be a case where an OS does not have a corresponding Build Kit already produced.
There are a few other options for hardening the operating system:
- Creating a manual or automated procedure – A CIS Benchmark outlines every step that needs to be taken for even a single setting to be properly configured. To harden an OS, you can manually input commands to resolve each setting.
The guidance stated in the Benchmark assumes that operations will be performed as the root user. Another way to approach this task is to automate the manual task through a series of scripts that can be executed on the machines. This would reduce the time it takes to harden a single operating system and eliminate manual efforts, but would also require time and effort to create scripts to accomplish the task.
- Leveraging open source scripts – Some open source scripts already exist that claim to accomplish CIS hardening, although they are verified by neither CIS nor AWS. Based on our research and testing, open source scripts that use Ansible playbooks and Python scripts were available via GitHub.
After cloning the repository onto a test machine and running a playbook, the machine had a majority of its settings changed to comply with the Benchmark. This was verified using the scanning tool Amazon Inspector.
Results can definitely vary between using different scripts and repositories. The other caveat to using this method is that you may need to receive approval from your organization to use open source scripts, as well as for overall testing purposes.
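The audit-then-remediate split that Build Kits and hand-written remediation scripts follow, including the exception list the Benchmark review calls for, written here as an added shell example (not a CIS Build Kit and not code from the post) for one well-known Linux Benchmark item, disabling SSH root login. The sshd_config content, the EXCEPTIONS list and the helper names are constructed for this example, and it runs only against a temporary copy of the file.

```shell
#!/bin/sh
# Added example (not a CIS Build Kit and not code from the post): the audit-then-
# remediate pattern Build Kits use, plus an exception list, applied to one
# well-known Linux Benchmark item, "PermitRootLogin no" in sshd_config.
# Runs against a constructed copy of the file, never the live /etc/ssh/sshd_config.

# Directives the organization has excused after reviewing the Benchmark
# (space separated; an assumption for this example).
EXCEPTIONS=${EXCEPTIONS:-""}

# Constructed sample standing in for /etc/ssh/sshd_config.
make_sample_config() {
  f=$(mktemp)
  printf 'Port 22\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\nX11Forwarding yes\n' > "$f"
  echo "$f"
}

# audit_setting FILE KEY EXPECTED: sshd honours the first uncommented directive,
# so that is the effective value. Prints PASS/FAIL; returns 0 only on PASS.
audit_setting() {
  have=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
  if [ "$have" = "$3" ]; then echo "PASS $2=$have"; return 0; fi
  echo "FAIL $2=${have:-unset} (expected $3)"; return 1
}

# remediate_setting FILE KEY VALUE: rewrite the first directive in place, drop any
# later duplicates (sshd ignores them anyway), or append if absent. Comments stay.
remediate_setting() {
  awk -v k="$2" -v v="$3" '
    tolower($1)==tolower(k) { if (!done) { print k, v; done=1 }; next }
    { print }
    END { if (!done) print k, v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apply_setting FILE KEY VALUE: audit first; remediate only when failing and not
# excused. Returns 0 = compliant, 2 = excused (left as-is), 1 = still failing.
apply_setting() {
  audit_setting "$1" "$2" "$3" && return 0
  case " $EXCEPTIONS " in
    *" $2 "*) echo "SKIP $2 excused by organization; not changed"; return 2 ;;
  esac
  remediate_setting "$1" "$2" "$3"
  audit_setting "$1" "$2" "$3"   # re-audit proves the remediation took effect
}
```

Running the same audit function before and after remediation is what lets a scan tool such as Inspector or CIS-CAT agree with the script afterwards, and the SKIP path keeps an excused setting visible in the output instead of silently failing.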
Development Effort for Newly Published CIS Benchmarks
Building may yield an overall low cost compared to buying, but it’s important to keep in mind this also comes with an additional development effort when CIS publishes a new version of the CIS Benchmark for a specific operating system.
Skills Gap and Learning Code
Time must be set aside to learn how to either create scripts or use open source scripts. For open source scripts, effort is required to fully understand their functionality, test them on various Amazon Machine Images (AMIs), and then deploy them to production machines.
Multiple members of the team need to understand how the scripts work and be confident in changing the code when a problem occurs, or when a particular setting does not meet the CIS Benchmark. Knowledge transfer is also imperative, as a team may not retain its original members over time.
CIS Hardening Scanning Tools
To check compliance with a CIS Benchmark, there are two notable scanning tools that can be used:
- Amazon Inspector – This is an automated security assessment service that has the ability to evaluate CIS Benchmarks against your machine(s). Inspector generates a finding with high severity for every CIS setting check that fails.
In order to use this service, an AWS-developed agent first needs to be installed in the operating system of the Amazon Elastic Compute Cloud (Amazon EC2) instances. This can be accomplished by running two simple commands.
After this, the machine should be detected by Inspector (seen on the GUI), and an assessment can be created to run on the machine. Pricing for Inspector is on a per-scan basis. To read more about Inspector’s functionalities and pricing, you can check out the FAQ page.
- CIS-CAT Pro Assessor – This is a tool provided for CIS SecureSuite members that can evaluate the security posture of a system against all the CIS Benchmarks it offers. It’s a Java application, and if using the GUI the JRE needed is embedded. A compatible JRE is only needed for command line activities or the centralized (in-network) workflow.
CIS-CAT Pro Assessor v4 has the ability to run locally/in-network, as well as assess remote target systems. A single scan, on average, efficiently completes in under two minutes. This program comes within the cost of CIS SecureSuite membership, so you have the ability to run as many scans as you’d like on any machine.
Buying a Hardened Virtual Image
Readily-Available CIS Hardened Images
AWS Marketplace has pre-hardened images published by CIS that conform with the corresponding CIS Benchmark.
A benefit of using pre-hardened images is that you don’t need to patch the OS for vulnerabilities or open issues yourself. This is handled by CIS, and AWS notifies you when a new update is available.
Additionally, CIS regularly updates the Images with operating system updates.
CIS offers these pre-configured virtual machine images at $0.02 per compute hour.
It’s important to analyze the cost differences of building and buying hardened images for each operating system you plan to use, as the factors for both vary vastly.
Whether you build or buy CIS Hardened Images, organizations have to consider IT automation, which includes the lifecycle of the hardened images. Areas that can be automated include:
- Scanning images for CIS Benchmark compliance.
- Creating a golden AMI and distributing it to the different accounts within the organization.
- Retiring/removing older images.
- Emergency updates for zero-day vulnerabilities.
In this post, we discussed the relevance of hardening images based on the CIS Benchmarks, and identified multiple factors that contribute to building your own image and buying a CIS Hardened Image.
Center for Internet Security – AWS Partner Spotlight
CIS is an AWS ISV Partner that works with a volunteer community to develop the CIS Controls and CIS Benchmarks, which are globally recognized best practices for securing IT systems and data. CIS Hardened Images are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud.