Securing the cloud through industry consensus

Creating security leading practices for Amazon Web Services.

By Tim Sandage
April 1, 2016

As enterprise organizations continue to migrate critical, regulated workloads into the cloud, they need stronger security capabilities: secure design, secure deployment, and uninterrupted security alignment with a continuous development and deployment process (e.g., DevOps). Implementing continuous security behaviors is therefore becoming a non-negotiable practice.

With this idea in mind, several industry organizations and security practitioners across the globe worked together to develop the first cloud-focused security benchmarks for setting up a foundational account design within Amazon Web Services (AWS): the Center for Internet Security (CIS) AWS Foundations Benchmark.


The rationale behind the benchmarks

The goal of the consensus review process, comprised of subject matter experts (SMEs), was to create a leading security practice that could be used for any AWS workload as an initial foundation level for securing an AWS account. The consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, SMEs convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. Once completed, each benchmark goes through a final review to determine if the recommendation should be “Scored” or “Not Scored.” Documenting a scoring status indicates whether compliance with the given recommendation impacts the assessed target’s benchmark score. The following scoring statuses are used in each AWS CIS benchmark:

  • Scored: Failure to comply with “Scored” recommendations will decrease the final benchmark score. Compliance with “Scored” recommendations will increase the final benchmark score.

  • Not Scored: Failure to comply with “Not Scored” recommendations will not decrease the final benchmark score. Compliance with “Not Scored” recommendations will not increase the final benchmark score.

The result of the AWS CIS Foundations Benchmark is over 40 high-level security guidelines that provide AWS users with clear, step-by-step implementation and assessment procedures for how best to secure their initial and post-account setup. An example of a benchmark recommendation is to secure and/or disable the "root" user in the login credential you used to create your AWS account, as shown below:

Ensure no root account access key exists (Scored)

Description: The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.

Rationale: Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.

Audit: Perform the following to determine if the root account has access keys.

Via the AWS Console

  1. Login to the AWS Management Console.

  2. Click Services.

  3. Click IAM.

  4. Click on Credential Report.

  5. This will download an .xls file which contains credential usage for all IAM users within an AWS Account—open this file.

  6. For the <root_account> user, ensure the access_key_1_active and access_key_2_active fields are set to FALSE.

Via CLI (Command Line Interface)

  1. Run the following commands:

    aws iam generate-credential-report

    aws iam get-credential-report --query 'Content' --output text | base64 -D

    (The -D flag is the macOS base64 syntax; on GNU/Linux coreutils use base64 -d instead.)

  2. For the <root_account> user, ensure the access_key_1_active and access_key_2_active fields are set to FALSE.

Remediation: Perform the following to delete or disable active root access keys being used.

Via the AWS Console

  1. Sign in to the AWS Management Console as Root and open the IAM console at

  2. Click on <Account Name> at the top left and select Security Credentials from the drop down list.

  3. On the pop out screen, click on Continue to Security Credentials.

  4. Click on Access Keys (Access Key ID and Secret Access Key).

  5. Under the Status column, if there are any keys that are active:

     a. Click on Make Inactive – (temporarily disable Key – may be needed again)

     b. Click Delete – (deleted keys cannot be recovered)

Is this approach right for you?

As stated, these benchmarks are intended to outline a consensus-based process from multiple SMEs on how to securely configure an AWS initial and post account setup, which can be leveraged to meet and/or exceed multiple industry leading security standards (e.g., PCI-DSS, FISMA, ISO).

The result removes guesswork for security professionals about how to implement foundational security measures in an AWS account. The prescribed best practices make implementation of core AWS security measures straightforward for security teams and AWS account owners.

Additionally, audit teams can consistently evaluate the security of an AWS account. The best practices greatly reduce complexity when managing risk and auditing the use of AWS for critical, audited, and regulated systems.

Another tool for your toolbox

In addition to the CIS AWS Foundations Benchmark, AWS also released the AWS Config Rules repository, a community-based source of custom AWS Config Rules. This new repository gives you a streamlined way to automate your assessment and compliance against the CIS best practices for security of AWS resources. AWS Config Rules is a service that provides automated, periodic security and compliance checking of AWS resources, and lets customers forego manual inspection of security configurations.

The AWS Config Rules repository accelerates automated compliance checking by allowing customers to tap into the collective ingenuity and expertise of the AWS community. Below is an example Config Rule that aligns with the AWS CIS Benchmark recommendation referenced above.

Ensure Access Key Disabled on Root Account

Description: Checks that the Root Account’s Access Keys have been disabled.
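The following is an added example, written for this article and not taken from the AWS Config Rules repository, that ties the CLI audit procedure above (generate the credential report, look at the `<root_account>` row) to the shape of a custom Config Rule. The `parse_credential_report` and `evaluate` functions work on the decoded credential report CSV and can be run offline against the constructed sample reports embedded below; `lambda_handler` is the part that would run inside AWS Config and assumes boto3, the `State` field returned by `generate_credential_report`, and the standard custom-rule invocation event (`invokingEvent`, `resultToken`, `accountId`). The column names follow the IAM credential report format; the account ID and user in the samples are made up.

```python
"""Check an IAM credential report for active root access keys (CIS 1.12-style check).

Added example: not the article's or the AWS Config Rules repository's code.
"""
import csv
import io
import json
import time

ROOT_USER = "<root_account>"   # literal user name IAM uses for the root row
KEY_FIELDS = ("access_key_1_active", "access_key_2_active")


def parse_credential_report(report_text: str) -> dict:
    """Return {user_name: row_dict} from the decoded credential report CSV."""
    reader = csv.DictReader(io.StringIO(report_text))
    return {row["user"]: row for row in reader}


def active_root_keys(report: dict) -> list:
    """Names of the root access-key fields whose value is true (case-insensitive)."""
    root = report.get(ROOT_USER)
    if root is None:
        raise ValueError("credential report has no <root_account> row")
    return [f for f in KEY_FIELDS if root.get(f, "").strip().lower() == "true"]


def evaluate(report_text: str) -> tuple:
    """Map a credential report to an AWS Config compliance type plus an annotation."""
    active = active_root_keys(parse_credential_report(report_text))
    if active:
        return "NON_COMPLIANT", "Root account has active access key(s): " + ", ".join(active)
    return "COMPLIANT", "No active root access keys"


# ---- Constructed sample reports (fake account 111111111111), columns as in the IAM report ----
HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
          "password_last_changed,password_next_rotation,mfa_active,"
          "access_key_1_active,access_key_1_last_rotated,"
          "access_key_2_active,access_key_2_last_rotated")


def _root_row(key1_active: str, key2_active: str) -> str:
    return (f"{ROOT_USER},arn:aws:iam::111111111111:root,2016-01-01T00:00:00+00:00,"
            f"not_supported,2016-03-01T12:00:00+00:00,not_supported,not_supported,true,"
            f"{key1_active},N/A,{key2_active},N/A")


_ALICE_ROW = ("alice,arn:aws:iam::111111111111:user/alice,2016-02-01T00:00:00+00:00,"
              "true,2016-03-30T09:00:00+00:00,2016-02-01T00:00:00+00:00,N/A,true,"
              "true,2016-02-01T00:00:00+00:00,false,N/A")

REPORT_CLEAN = "\n".join([HEADER, _root_row("false", "false"), _ALICE_ROW]) + "\n"
REPORT_BAD = "\n".join([HEADER, _root_row("true", "false"), _ALICE_ROW]) + "\n"


def lambda_handler(event, context):
    """AWS Config custom-rule entry point (assumes boto3; not run in the offline test)."""
    import boto3  # imported here so the pure-parsing functions work without boto3
    iam = boto3.client("iam")
    # The report is generated asynchronously; poll until IAM reports it COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(1)
    report_text = iam.get_credential_report()["Content"].decode("utf-8")
    compliance, note = evaluate(report_text)
    invoking = json.loads(event["invokingEvent"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": invoking["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


if __name__ == "__main__":
    for name, text in (("clean", REPORT_CLEAN), ("bad", REPORT_BAD)):
        print(name, evaluate(text))
```

Running the module directly evaluates the two constructed reports; the same `evaluate` function is what the handler feeds with the live report, so the decision logic can be unit-tested without AWS credentials. Note that `evaluate` treats a missing `<root_account>` row as an error rather than as compliant, so a truncated or malformed report does not silently pass the check.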


To get started using the AWS CIS Foundations Benchmark or AWS Config Rules in your AWS account, see the AWS CIS Benchmarks and the AWS Config Rules repository.
