CIS AWS Foundations Benchmark

The Center for Internet Security (CIS) is a 501(c)(3) organization dedicated to enhancing the cyber-security readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cyber-security challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks.

The CIS AWS Foundations Benchmark is a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures.

The Sumo Logic for CIS AWS Foundations Benchmark App maps to Section 3 (Monitoring) of the CIS AWS Benchmarks Foundation recommendations. Using the pre-configured alerts and dashboards, customers are able to alert on and gain operational visibility into their AWS security posture.

Log Types

The Sumo Logic App for CIS AWS Foundations Benchmark uses CloudTrail logs. For details on the specifics of which attributes are used, refer to Section 3 (Monitoring) of the CIS AWS Benchmarks Foundation.

Collecting Logs for the CIS AWS Foundation Benchmark App

Configure Collector and Source

The CIS AWS Foundation Benchmark App ingests AWS CloudTrail data. To collect logs for the CIS AWS Foundation Benchmark App, perform the following steps:

Add a Sumo Logic Hosted Collector to your Sumo Logic Org.
Configure an AWS CloudTrail Source.
Set your _sourceCategory (example: aws/cloudtrail).

Installing the CIS AWS Foundations Benchmark App

Now that you have configured CIS AWS Foundation Benchmark, install the Sumo Logic App for CIS AWS Foundation Benchmark to take advantage of the preconfigured searches and dashboards to analyze your data.

To install the app:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

From the App Catalog, search for and select the app.
Select the version of the service you're using and click Add to Library.

Version selection is applicable only to a few apps currently. For more information, see Installing the Apps from the Library.

To install the app, complete the following fields.
1. App Name. You can retain the existing name, or enter a name of your choice for the app. 
2. Data Source. Select either of these options for the data source. 
  - Choose Source Category, and select a source category from the list. 
  - Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory). 
3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.

For context regarding the CIS AWS Foundation Benchmark App, check out this blog where we describe the monitoring controls.

Viewing the CIS AWS Foundations Benchmark Dashboards

CIS AWS Foundations Benchmark App - Change Control

This Change Control Dashboard includes filters that you can use in Interactive Mode to further analyze your data.

Config Changes. Shows the count of configuration changes done by each user for the last 24 hours.

IAM Policy Changes. Shows the count of IAM policy changes done by each user for the last 24 hours.

CloudTrail Changes. Shows the count of CloudTrail changes done by each user for the last 24 hours.

Gateway Changes. Shows the count of Gateway changes done by each user for the last 24 hours.

Route Table Changes. Shows the count of Route Table changes done by each user for the last 24 hours.

Network ACL Changes. Shows the count of Network ACL changes done by each user for the last 24 hours.

Security Group Changes. Shows the count of Security Group changes done by each user for the last 24 hours.

VPC Changes. Shows the count of VPC changes done by each user for the last 24 hours.

S3 Bucket Policy Changes. Shows the count of S3 Bucket Policy changes done by each user for the last 24 hours.

CIS AWS Foundations Benchmark App - Access and Authentication

This Access and Authentication Dashboard includes filters that you can use in Interactive Mode to further analyze your data.

Console Logins without MFA. All users must be using multi-factor authentication. This Panel show the count of logins that are not using MFA, by user, for the last 24 hours.

Disabled and Scheduled Deletion of CMK. Shows the count of CMKs that are disabled or scheduled to be deleted, by user, for the last 24 hours.

Failed Console Logins. Shows the count of failed logins by user, for the last 24 hours.

Root Account Logins. Shows the count of "root" account logins, by user, for the last 24 hours.

Unauthorized AWS API Requests. Shows the count of unauthorized API requests, by user, for the last 24 hours.

Failed Console Logins by Location. Shows the count of failed logins by location, for the last 24 hours.

Outlier - Failed Console Logins. Identifies failed console logins outside of 3 standard deviations, for the last 24 hours.

Log Types​

Collecting Logs for the CIS AWS Foundation Benchmark App​

Configure Collector and Source​

Installing the CIS AWS Foundations Benchmark App​

Viewing the CIS AWS Foundations Benchmark Dashboards​

CIS AWS Foundations Benchmark App - Change Control​

CIS AWS Foundations Benchmark App - Access and Authentication​