Browse the Repo

file-type-icon.circleci
file-type-icon_docs
file-type-iconcodegen
file-type-iconexamples
file-type-iconmodules
file-type-iconrfcs
file-type-icontest
file-type-icon.gitignore
file-type-icon.pre-commit-config.yaml
file-type-iconCODEOWNERS
file-type-iconCONTRIBUTING.md
file-type-iconREADME.adoc
file-type-iconsetup.cfg

Browse the Repo

file-type-icon.circleci
file-type-icon_docs
file-type-iconcodegen
file-type-iconexamples
file-type-iconmodules
file-type-iconrfcs
file-type-icontest
file-type-icon.gitignore
file-type-icon.pre-commit-config.yaml
file-type-iconCODEOWNERS
file-type-iconCONTRIBUTING.md
file-type-iconREADME.adoc
file-type-iconsetup.cfg
CIS Foundations Benchmark

CIS Foundations Benchmark

Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark

Preview the Code

mobile file icon

README.adoc

down

CIS Benchmark Version maintained%20by gruntwork.io %235849a6

This repo contains a collection of Terraform wrapper modules and standalone utilities that simplify the process of achieving compliance with the Center for Internet Security (CIS) AWS Foundations Benchmark. The Benchmark is an objective, consensus-driven security guideline for AWS. Gruntwork is a CIS SecureSuite member. These modules have been certified for compliance by CIS.

cis account architecture

The Terraform modules in this repo are "wrapper" modules intended to be used in conjunction with the core modules in the Gruntwork.io Infrastructure as Code Library. The core modules are compliance-ready; that is, they can be configured in a manner that achieves compliance with the Benchmark. The modules here "wrap" the compliance-ready modules by using the core modules as a source and passing configuration options that are appropriate for compliance.

Features


  • Enables AWS Config in all regions

  • Creates an AWS CloudTrail with CloudWatch Logs integration

  • Creates a series of CloudWatch Logs metrics filters to notify an SNS topic when suspicious events are logged

  • Create a set of IAM roles that can be used between accounts

  • Create IAM roles and groups with custom permissions and require MFA

  • Create a best-practices set of IAM groups

  • Enable a strong IAM password policy

  • Create a set of IAM roles for SAML identity providers

Learn


icon

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

For a comprehensive treatment of how to use this repository for compliance with the Benchmark, please refer to the How to achieve compliance with the CIS AWS Foundations Benchmark guide. You should also review and download the Benchmark itself from CIS.

Repo organization

Deploy


Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

Support


If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at support@gruntwork.io.

Contributions


Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.

Please see Contributing to the Gruntwork Infrastructure as Code Library for instructions.

License


Please see LICENSE.txt for details on how the code in this repo is licensed.

Questions? Ask away.

We're here to talk about our services, answer any questions, give advice, or just to chat.

Ready to hand off the Gruntwork?