Auditing Cloud with CIS Benchmarks
When to Use
- When performing initial security audits of cloud environments against industry-standard benchmarks
- When preparing for SOC 2, ISO 27001, or regulatory audits that reference CIS controls
- When establishing a measurable security baseline for new cloud accounts or subscriptions
- When tracking compliance improvement over time with periodic reassessment
- When evaluating the security posture of acquired or inherited cloud environments
Do not use for runtime threat detection (see detecting-cloud-threats-with-guardduty), for application-level security testing (see conducting-cloud-penetration-testing), or for compliance frameworks not based on CIS (refer to specific regulatory skill files).
Prerequisites
- Read-only access to target cloud accounts (AWS SecurityAudit policy, Azure Reader role, GCP Viewer role)
- Prowler, ScoutSuite, or cloud-native CSPM tools installed and configured
- Understanding of CIS benchmark structure: sections, controls, profiles (Level 1 and Level 2)
- Remediation access for implementing fixes (separate from audit credentials)
Workflow
Step 1: Select Appropriate CIS Benchmark Version
Choose the correct benchmark version for each cloud provider. Current versions as of 2025 include CIS AWS Foundations Benchmark v5.0, CIS Azure Foundations Benchmark v4.0, and CIS GCP Foundations Benchmark v4.0.

CIS Benchmark Coverage Areas:

| Section | AWS v5.0 | Azure v4.0 |
|---|---|---|
| Identity & Access | IAM policies, MFA, root | Azure AD, RBAC, PIM |
| Logging | CloudTrail, Config | Activity Log, Diag |
| Monitoring | CloudWatch alarms | Defender, Sentinel |
| Networking | VPC, SG, NACLs | NSG, ASG, Firewall |
| Storage | S3 encryption, access | Storage encryption |
| Database | RDS encryption | SQL TDE, auditing |

CIS Profile Levels:

- Level 1: Practical security settings that can be implemented without significant performance impact or reduced functionality
- Level 2: Defense-in-depth settings that may reduce functionality or require additional planning for implementation

Step 2: Run Automated Assessment with Prowler
Execute comprehensive CIS benchmark scans using Prowler for automated control evaluation across AWS, Azure, and GCP.

```bash
# AWS CIS v5.0 assessment
prowler aws \
  --compliance cis_5.0_aws \
  --profile audit-account \
  --output-formats json-ocsf,html,csv \
  --output-directory ./cis-audit-$(date +%Y%m%d)

# Azure CIS v4.0 assessment
prowler azure \
  --compliance cis_4.0_azure \
  --subscription-ids "sub-id-1,sub-id-2" \
  --output-formats json-ocsf,html,csv \
  --output-directory ./cis-audit-azure-$(date +%Y%m%d)

# GCP CIS v4.0 assessment
prowler gcp \
  --compliance cis_4.0_gcp \
  --project-ids "project-1,project-2" \
  --output-formats json-ocsf,html,csv \
  --output-directory ./cis-audit-gcp-$(date +%Y%m%d)

# Multi-account AWS scan using ScoutSuite (the installed CLI entry point is `scout`)
scout aws \
  --profile audit-account \
  --report-dir ./scout-report \
  --ruleset cis-5.0 \
  --force
```
Step 3: Interpret Results and Prioritize Remediation
Analyze audit results by section and severity. Prioritize Level 1 controls first as they represent fundamental security hygiene, then address Level 2 controls for defense in depth.

```bash
# Parse Prowler results for failed controls
# (.Status holds PASS/FAIL in Prowler's native JSON; .StatusExtended is the
#  descriptive text, and the json-ocsf format uses different keys such as status_code)
cat ./cis-audit-*/prowler-output-*.json | \
  jq '[.[] | select(.Status == "FAIL")]
      | group_by(.CheckID)
      | map({control: .[0].CheckID, description: .[0].CheckTitle,
             failed_resources: length, severity: .[0].Severity})
      | sort_by(-.failed_resources)'

# Generate compliance score by section
# (adjust .Section to whichever field carries the CIS section in your output format)
cat ./cis-audit-*/prowler-output-*.json | \
  jq 'group_by(.Section)
      | map({section: .[0].Section,
             total: length,
             passed: ([.[] | select(.Status == "PASS")] | length),
             failed: ([.[] | select(.Status == "FAIL")] | length),
             score: (([.[] | select(.Status == "PASS")] | length) / length * 100 | round)})'
```
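Added example (not the page's or Prowler's code) that carries Step 3 through in Python: it computes the per-section compliance score the jq command produces and then orders failed controls Level 1 first, then by severity and number of affected accounts, which sorting by failed resources alone does not do. The CheckID-to-section/level map, the severity ranking and the three-account findings are constructed; the check IDs only imitate Prowler's naming.

```python
"""Score and prioritize CIS findings as in Step 3 (added example, not Prowler's code).
Records use Prowler's native JSON keys; the CheckID -> (section, level) map is constructed."""
from collections import defaultdict
# Constructed map (check ids modelled on Prowler's naming): id -> (CIS section, profile level)
CONTROL_MAP = {
    "iam_no_root_access_key": ("1 Identity and Access Management", 1),
    "iam_root_mfa_enabled": ("1 Identity and Access Management", 1),
    "cloudtrail_multi_region_enabled": ("3 Logging", 1),
    "cloudtrail_log_file_validation_enabled": ("3 Logging", 2),
    "cloudwatch_log_metric_filter_root_usage": ("4 Monitoring", 1),
    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": ("5 Networking", 1),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}

def section_scores(findings, control_map=CONTROL_MAP):
    """Totals and rounded pass percentage per CIS section (the page's jq, in Python)."""
    tally = defaultdict(lambda: {"total": 0, "passed": 0, "failed": 0})
    for f in findings:
        section, _level = control_map[f["CheckID"]]
        t = tally[section]
        t["total"] += 1
        if f["Status"] == "PASS":
            t["passed"] += 1
        elif f["Status"] == "FAIL":
            t["failed"] += 1  # MANUAL/INFO statuses count toward total only
    for t in tally.values():
        t["score"] = round(100 * t["passed"] / t["total"]) if t["total"] else 0
    return dict(tally)

def prioritize(findings, control_map=CONTROL_MAP):
    """Failed controls ordered Level 1 before Level 2, then severity, then blast radius."""
    failed = defaultdict(lambda: {"accounts": set(), "severity": "low"})
    for f in findings:
        if f["Status"] == "FAIL":
            failed[f["CheckID"]]["accounts"].add(f["AccountId"])
            failed[f["CheckID"]]["severity"] = f["Severity"].lower()
    rows = []
    for check_id, e in failed.items():
        section, level = control_map[check_id]
        rows.append({"control": check_id, "section": section, "level": level,
                     "severity": e["severity"], "affected_accounts": len(e["accounts"])})
    rows.sort(key=lambda r: (r["level"], SEVERITY_RANK.get(r["severity"], 9),
                             -r["affected_accounts"]))
    return rows

# Constructed results per check for accounts 111/222/333 (not real scan output)
_RESULTS = {
    "iam_no_root_access_key": ("critical", "FAIL PASS PASS"),
    "iam_root_mfa_enabled": ("critical", "PASS FAIL FAIL"),
    "cloudtrail_multi_region_enabled": ("high", "PASS FAIL PASS"),
    "cloudtrail_log_file_validation_enabled": ("medium", "FAIL FAIL FAIL"),
    "cloudwatch_log_metric_filter_root_usage": ("medium", "FAIL FAIL PASS"),
    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": ("high", "FAIL FAIL FAIL"),
}
SAMPLE_FINDINGS = [
    {"AccountId": acct, "CheckID": cid, "Status": st, "Severity": sev, "CheckTitle": cid}
    for cid, (sev, statuses) in _RESULTS.items()
    for acct, st in zip(("111", "222", "333"), statuses.split())
]

if __name__ == "__main__":
    for section, t in sorted(section_scores(SAMPLE_FINDINGS).items()):
        print(f"{section}: {t['score']}% ({t['passed']}/{t['total']} controls passed)")
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"L{r['level']} {r['severity']:<8} {r['affected_accounts']}/3 accounts  {r['control']}")
```

The same functions run unchanged over a real Prowler native JSON array once the control map covers its check IDs.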
Step 4: Remediate Critical and High Controls
Address failed controls starting with the highest impact items. Use AWS Config remediation, Azure Policy, or Terraform to apply fixes systematically.

```bash
# CIS 1.4: Ensure no root account access key exists
# (IAM has no user named "root"; the account summary reports root key presence)
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'

# If the value is 1, delete the keys while signed in as root
# (omit --user-name so IAM acts on the calling identity)
aws iam delete-access-key --access-key-id AKIAEXAMPLE

# CIS 2.1.1: Ensure S3 bucket default encryption is enabled
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration \
      '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' \
    2>/dev/null && echo "Encrypted: $bucket" || echo "FAILED: $bucket"
done

# CIS 3.1: Ensure CloudTrail is enabled in all regions
aws cloudtrail create-trail \
  --name organization-trail \
  --s3-bucket-name cloudtrail-logs-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id
aws cloudtrail start-logging --name organization-trail

# CIS 4.x: Configure CloudWatch metric filters and alarms
# (filter pattern as specified by CIS 4.1 for unauthorized API calls)
aws logs put-metric-filter \
  --log-group-name CloudTrail/DefaultLogGroup \
  --filter-name UnauthorizedAPICalls \
  --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }' \
  --metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=CISBenchmark,metricValue=1

# The control is only satisfied once an alarm on the metric notifies a subscribed SNS topic
aws cloudwatch put-metric-alarm \
  --alarm-name UnauthorizedAPICalls \
  --metric-name UnauthorizedAPICalls \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:security-alerts   # placeholder topic ARN
```
Step 5: Establish Continuous Compliance Monitoring
Deploy automated compliance monitoring to detect configuration drift between periodic audits. Use AWS Security Hub, Azure Policy, or GCP Security Command Center.

```bash
# AWS: Enable CIS v5.0 in Security Hub
# (confirm the exact standard ARN first with: aws securityhub describe-standards)
aws securityhub batch-enable-standards \
  --standards-subscription-requests '[{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/5.0.0"}]'

# Azure: Assign CIS benchmark policy initiative
az policy assignment create \
  --name cis-azure-benchmark \
  --scope "/subscriptions/<sub-id>" \
  --policy-set-definition "1a5bb27d-173f-493e-9568-eb56638dbd0e" \
  --params '{"effect": {"value": "AuditIfNotExists"}}'

# Schedule periodic Prowler assessments
# Run weekly via cron or CI/CD pipeline (crontab treats a bare % as a newline, so escape it)
0 2 * * 1 prowler aws --compliance cis_5.0_aws --output-formats csv --output-directory /opt/audits/weekly-$(date +\%Y\%m\%d)
```
Key Concepts
| Term | Definition |
|---|---|
| CIS Benchmark | Prescriptive security configuration guidelines developed by the Center for Internet Security through community consensus |
| Level 1 Profile | Practical security controls implementable without significant performance or functionality impact, representing security hygiene |
| Level 2 Profile | Defense-in-depth controls that may restrict functionality and require careful planning before implementation |
| Foundations Benchmark | CIS benchmark specifically for cloud providers covering IAM, logging, monitoring, networking, and storage security |
| Control ID | Unique numerical identifier for each CIS recommendation (e.g., 1.4 for root access key checks, 2.1.1 for S3 encryption) |
| Compliance Score | Percentage of CIS controls in a passing state, tracked over time to measure security posture improvement |
| Automated Assessment | Tool-driven evaluation of CIS controls using cloud provider APIs to check resource configurations against benchmark requirements |
| Remediation Runbook | Documented step-by-step procedure for fixing a specific failed CIS control, including pre-checks and validation |
Tools & Systems
- Prowler: Open-source cloud security tool performing 300+ checks including CIS benchmark assessments for AWS, Azure, and GCP
- ScoutSuite: Multi-cloud security auditing tool with CIS benchmark rule sets generating HTML reports
- AWS Security Hub: Native AWS service supporting CIS AWS Foundations Benchmark as a security standard
- Azure Policy: Governance service with built-in CIS benchmark policy initiatives for automated compliance monitoring
- GCP Security Command Center: Native GCP service evaluating configurations against CIS GCP Foundations Benchmark
Common Scenarios
Scenario: Pre-Audit CIS Assessment for SOC 2 Certification
Context: A SaaS company pursuing SOC 2 Type II certification needs to demonstrate cloud security controls aligned to CIS benchmarks. The auditor requires evidence of continuous compliance monitoring across 45 AWS accounts.
Approach:
- Run Prowler CIS v5.0 assessment across all 45 accounts to establish the baseline compliance score
- Export results to CSV and categorize failures by section (IAM, Logging, Monitoring, Networking)
- Map each CIS control to the relevant SOC 2 Trust Services Criteria (CC6.1, CC6.6, CC7.1, etc.)
- Remediate all Level 1 control failures within 30 days and Level 2 within 60 days
- Enable CIS v5.0 in AWS Security Hub for continuous monitoring and automated drift detection
- Generate weekly compliance reports showing improvement trajectory for the auditor
- Document exceptions for controls intentionally not implemented with risk acceptance justification
Pitfalls: Remediating controls without testing in a staging environment first can break production workloads. Ignoring Level 2 controls entirely weakens the audit narrative even if they are not strictly required.
Output Format
```text
CIS Benchmark Audit Report
============================
Cloud Provider: AWS
Benchmark Version: CIS AWS Foundations Benchmark v5.0
Accounts Assessed: 45
Assessment Date: 2025-02-23
Tool: Prowler v4.3.0

OVERALL COMPLIANCE SCORE: 74%

COMPLIANCE BY SECTION:
1. Identity and Access Management: 68% (41/60 controls passed)
2. Storage: 82% (28/34 controls passed)
3. Logging: 91% (20/22 controls passed)
4. Monitoring: 55% (18/33 controls passed)
5. Networking: 78% (32/41 controls passed)

TOP FAILED CONTROLS (by affected accounts):
[1.4] Root account has active access keys - 3/45 accounts
[1.5] MFA not enabled for root account - 2/45 accounts
[2.1.1] S3 default encryption not enabled - 12/45 accounts
[3.1] CloudTrail not multi-region - 8/45 accounts
[4.3] No alarm for root account usage - 28/45 accounts
[5.1] VPC flow logs not enabled - 15/45 accounts
[5.4] Security groups allow 0.0.0.0/0 ingress - 22/45 accounts

REMEDIATION PRIORITY:
Critical (Fix within 7 days): Root access keys, missing root MFA
High (Fix within 30 days): S3 encryption, CloudTrail, VPC flow logs
Medium (Fix within 60 days): CloudWatch alarms, security group restrictions
Low (Fix within 90 days): Level 2 controls, informational items
```