CIS Foundations Benchmark

Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark


This repo contains the code for the Gruntwork Service Catalog for AWS that simplifies the process of achieving compliance with the Center for Internet Security (CIS) AWS Foundations Benchmark. The Benchmark is an objective, consensus-driven security guideline for AWS.

(Figure: CIS account architecture)

The services in this repo are "wrappers" intended to be used in conjunction with the core modules in the Gruntwork.io Infrastructure as Code Library. The core modules are compliance-ready; that is, they can be configured in a manner that achieves compliance with the Benchmark. The services here "wrap" the compliance-ready modules by using the core modules as a source and passing configuration options that are appropriate for compliance.

Features

  • Enables AWS SecurityHub in all regions

  • Removes all expired SSL/TLS certificates stored in AWS IAM

  • Creates an AWS CloudTrail with CloudWatch Logs integration

  • Creates a series of CloudWatch Logs metrics filters to notify an SNS topic when suspicious events are logged

  • Creates a set of IAM roles that can be used between accounts

  • Creates IAM roles and groups with custom permissions and requires MFA

  • Creates a best-practices set of IAM groups

  • Enables a strong IAM password policy

  • Creates a set of IAM roles for SAML identity providers

  • Adds a default set of Network ACLs to VPCs
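To make the metric-filter feature above concrete, here is a hand-written Terraform example (added here; it is not code from this repo's modules) of one Benchmark monitoring control: a CloudWatch Logs metric filter over the CloudTrail log group that counts root account usage and raises an alarm to an SNS topic. The log group name and topic name are placeholders; the filter pattern is the one the CIS Benchmark specifies for root account usage.

```hcl
# Added example, not part of the Gruntwork modules: one CIS monitoring control
# ("root account usage") as metric filter + alarm + SNS notification.

# Placeholder: the CloudWatch Logs group that CloudTrail delivers events to.
variable "cloudtrail_log_group_name" {
  type    = string
  default = "cloudtrail-logs" # placeholder value
}

resource "aws_sns_topic" "cis_alarms" {
  name = "cis-benchmark-alarms" # placeholder name
}

# CIS pattern for root usage: Root principal, not invoked by an AWS service
# acting on the account's behalf, and not an AWS service event.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# Alarm on any matching event within a 5-minute window and notify the topic.
# treat_missing_data = "notBreaching" keeps quiet periods from alarming.
resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "CIS-RootAccountUsage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = aws_cloudwatch_log_metric_filter.root_usage.metric_transformation[0].name
  namespace           = "CISBenchmark"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.cis_alarms.arn]
}
```

The same filter/alarm/topic shape is repeated for each of the Benchmark's other monitored events (for example, console sign-in without MFA or IAM policy changes), changing only the filter pattern and metric name.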

Learn

Note
This repo is part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read Introduction to Gruntwork!

Core concepts

For a comprehensive guide to achieving compliance using this repo, please refer to Achieve Compliance with the CIS AWS Foundations Benchmark. You should also review and download the Benchmark itself from CIS.

Repo organization

  • modules: The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • codegen: Code generation utilities that help generate services in this repo.

  • examples: This folder contains working examples of how to use the services.

  • test: Automated tests for the services and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

Support

If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at support@gruntwork.io.

Contributions

Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.

License

Please see LICENSE.txt for details on how the code in this repo is licensed.
