AWS Foundations Benchmarks

Overview

The CIS Amazon Web Services Foundations Benchmark v1.3.0 forms one part of Sysdig’s comprehensive Cloud Security Posture Management (CSPM) and Compliance tools. The AWS CIS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results, along with the remediation activities you need to fix misconfigurations in your cloud environment.

We’ve included several UI improvements that provide additional details, such as control descriptions, affected resources, failing assets, and guided remediation steps (both manual and CLI-based, when available).

Enable CIS AWS Foundations Benchmarks

Prerequisites

  • Sysdig Secure (SaaS)

  • Workloads running in the AWS environment, including EKS, Fargate, etc. for which you want to verify best security practices and compliance

Deploy: use the CloudFormation Template (CFT) in the AWS Console. See Deploy Sysdig Secure for cloud on AWS.

Using AWS Foundations Benchmarks

The checks and reports for AWS Benchmarks differ from Host Benchmarks in the following ways:

  • No scheduling: The checks run automatically once a day; the user neither chooses a schedule nor triggers a “run now.”

  • Tasks and Reports combined:

    There is a single page displaying:

    • The chosen AWS account, region, and report date

    • The curated list of controls that are run (left panel)

    • The daily report, with its pass/fail details and any recommended remediation steps

Reviewing an AWS CIS Report

  1. Log in to Sysdig Secure and select Compliance > AWS Foundations Benchmark.

  2. Select the relevant report:

    Account id: From the drop-down menu, choose one of the accounts where you deployed the CFT and enabled the AWS Benchmarks feature.

    Region: Choose the AWS region of the account you want to check (not necessarily the region where your Sysdig Secure is installed).

    Date: Choose a report date. Checks are run once per 24 hours.

  3. Review the daily report (right panel).

    Note the following:

    • % of Resources Passed: Of the controls implemented by Sysdig, this is the percentage that passed (a control passes only when none of the resources it evaluates fail).

    • Resources Passing: Every control checks multiple resources (e.g., hundreds of S3 buckets, etc.). This figure displays an aggregated count of all the resources over all the controls.

    • Resources Failing: Choose this figure to review a consolidated list of all failed controls with their remediation recommendations.
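As an added example (not Sysdig’s code or any part of its product), the following Python models how the three figures above relate to each other: the percentage is counted per control, while the passing and failing counts are aggregated per resource across all controls. The control ids, titles, resource names and remediation text are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class ControlResult:
    """One benchmark control evaluated against every matching resource."""
    control_id: str                 # constructed placeholder, not a real CIS section number
    title: str
    remediation: str
    passing: list[str] = field(default_factory=list)   # resources that met the control
    failing: list[str] = field(default_factory=list)   # resources that did not

    @property
    def passed(self) -> bool:
        # A control passes only when none of its evaluated resources fail.
        return not self.failing


# Constructed sample: one failing control, two passing ones.
SAMPLE_REPORT = [
    ControlResult("C-1", "Block public access on S3 buckets",
                  "Enable S3 Block Public Access on the bucket",
                  passing=["bucket-a", "bucket-b"], failing=["bucket-c"]),
    ControlResult("C-2", "MFA enabled for console users",
                  "Attach an MFA device to the IAM user",
                  passing=["user-1", "user-2", "user-3"]),
    ControlResult("C-3", "Trail enabled in all regions",
                  "Create a multi-region trail",
                  passing=["trail-1"]),
]


def summarize(controls: list[ControlResult]) -> dict:
    """Return the headline figures the daily report shows."""
    total = len(controls)
    controls_passed = sum(1 for c in controls if c.passed)
    return {
        "controls_total": total,
        "controls_passed": controls_passed,
        # Percentage of controls (not resources) that passed; 0.0 when nothing was evaluated.
        "pct_controls_passed": round(100 * controls_passed / total, 1) if total else 0.0,
        "resources_passing": sum(len(c.passing) for c in controls),   # aggregated over all controls
        "resources_failing": sum(len(c.failing) for c in controls),
    }


def failing_report(controls: list[ControlResult]) -> list[tuple]:
    """Consolidated (control, resource, remediation) rows behind the Resources Failing figure."""
    return [(c.control_id, c.title, res, c.remediation)
            for c in controls if not c.passed for res in c.failing]
```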