What changed in the new CIS v1.4 Benchmark for AWS
CIS just released an updated version (v1.4) of their CIS Benchmark for AWS. It was nice to see that the open source community was the first to implement the new controls in their scanning tool. Here is a summary of the changes, with commentary:
New recommendation to implement MFA delete on buckets — Reading the policy intent shows that this is recommended for "sensitive and classified" buckets, but automated scanning will now likely check against all buckets, and MFA delete can only be turned on for a bucket that already has versioning enabled...
New recommendation to check for RDS encryption — The most surprising thing about this to me is that it is the first RDS check in the CIS benchmark... There is a lot more opportunity space here.
New mapping of all of the benchmark controls to CIS Controls v8 — That was a lot of work, nice!
Enabling AWS Config in all regions was moved to a Level 2 control — Definitely because there is additional cost associated with enabling it.
Unused credentials time limit changed from 90 days to 45 — This stemmed from new guidance in CIS Controls v8. It always struck me that 90 days is arbitrarily long for this; 6 weeks seems like a reasonable period that balances productivity against security a bit better.
New recommendation to ensure all data in Amazon S3 has been discovered, classified and secured 'when required' — The remediation section just shows how to enable Amazon Macie for your buckets, but many orgs will have their own tooling/approach here.
The rest of the changes were mainly typos and changes to audit/remediation procedures. The open source project I work on has codified the changes here. If you want to run a quick v1.4 scan on your account, download it and run this command from the CLI: $ steampipe check benchmark.cis_v140
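As an added example (not code from this post or from the Steampipe project), here is a small check of the unused-credentials rule above, run against a constructed sample in the IAM credential report CSV layout, so you can see how many more findings the new 45-day window produces than the old 90-day one. Column names follow the real credential report; the users and account id are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample stays stable; real use would take datetime.now(timezone.utc).
NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)

def _iso(days_ago):
    """Timestamp in the credential report's ISO-8601 format, days_ago days before NOW."""
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%S+00:00")

# Constructed sample in the IAM credential report CSV layout (subset of columns); account id is a placeholder.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date",
    f"<root_account>,arn:aws:iam::123456789012:root,{_iso(400)},not_supported,{_iso(10)},false,N/A,false,N/A",
    f"alice,arn:aws:iam::123456789012:user/alice,{_iso(300)},true,{_iso(60)},true,{_iso(5)},false,N/A",
    f"bob,arn:aws:iam::123456789012:user/bob,{_iso(300)},true,{_iso(120)},true,{_iso(95)},false,N/A",
    f"carol,arn:aws:iam::123456789012:user/carol,{_iso(20)},true,no_information,true,N/A,false,N/A",
    f"dave,arn:aws:iam::123456789012:user/dave,{_iso(200)},false,N/A,true,{_iso(50)},true,{_iso(2)}",
])

def _days_since(last_used, created):
    """Days since a credential was last used. Never-used credentials (N/A / no_information) are aged
    from the user's creation date here, a simplification of the benchmark's per-key creation date."""
    stamp = created if last_used in ("N/A", "no_information", "not_supported") else last_used
    return (NOW - datetime.fromisoformat(stamp)).days

def unused_credentials(report_csv, max_days):
    """Return (user, credential) pairs for enabled credentials unused for more than max_days.
    The root row is excluded, as in the benchmark's IAM-user recommendation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        created = row["user_creation_time"]
        if row["password_enabled"] == "true" and \
                _days_since(row["password_last_used"], created) > max_days:
            findings.append((row["user"], "password"))
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] == "true" and \
                    _days_since(row[f"{key}_last_used_date"], created) > max_days:
                findings.append((row["user"], key))
    return findings

if __name__ == "__main__":
    for window in (90, 45):  # old v1.3 window vs new v1.4 window
        hits = unused_credentials(SAMPLE_REPORT, window)
        print(f"{window}-day window: {len(hits)} finding(s) -> {hits}")
```

On the sample, the 90-day window flags only bob's password and key, while the 45-day window also picks up alice's password and dave's first access key.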