1. They are great to start with.
CIS Foundations Benchmarks for Amazon Web Services, Microsoft Azure and Google Cloud Platform are available for you to download. If you are just getting started with cloud security and compliance, the CIS benchmarks are a great way to begin. They are comprehensive, with 50–100 policies per cloud provider, and they cover not just basic services such as compute and storage but also, for example, AWS VPC, Azure SQL Database and GCP Kubernetes.
2. You can be up and running with security and compliance posture assessment in a few hours.
Many vendors, including Cloudaware, support the CIS Benchmarks out of the box. Cloudaware gives customers the ability to deploy all policies in a benchmark with a single click.
Once a benchmark is deployed, a compliance tool such as Cloudaware automatically evaluates how closely your AWS, Azure or GCP environment complies with the standard. So for 1–2 hours of work you can have a full assessment of your cloud security posture. Not bad at all!
3. Not all CIS policies are verifiable programmatically.
This is the biggest secret that cloud security companies such as CloudCheckr, CloudHealth and others do not want to talk about, because they want you to believe that the whole process can be fully automated. It cannot be, and CIS itself says as much: the benchmarks flag the recommendations that can only be assessed manually.
About 15% of all CIS policies cannot be verified through an API or through any kind of CLI tool. Anyone who sells you fully automated compliance is selling you a false sense of security.
4. You will need to be able to customize some CIS policies.
For example, there is a CIS policy that looks for publicly accessible S3 buckets. What if you have S3 buckets that are legitimately public? Out of the box, CIS policies do not understand the difference between HIPAA and non-HIPAA or PCI and non-PCI accounts, and they do not understand or interpret your corporate tagging conventions. We recommend using a compliance engine such as Cloudaware, where all of these nuances of cloud security management can be handled by cloning and editing a policy. As a matter of fact, Cloudaware is the only compliance engine that allows you to develop and run entirely custom policies.
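To make the S3 case concrete, here is an added example (not code from the original post, and not Cloudaware's policy engine) of what "cloning and editing" the public-bucket check amounts to. The stock check flags every bucket that is public; the customized check carves out buckets carrying an exception tag. The tag convention (`Exposure=public`), the bucket names and the API-shaped records are all constructed for illustration; the only real semantics relied on are the two S3 Public Access Block settings that affect existing exposure (IgnorePublicAcls and RestrictPublicBuckets).

```python
"""Public S3 bucket check, stock vs. tag-aware (constructed example)."""
from dataclasses import dataclass, field

# Grantee URIs that make an ACL grant public (these two URIs are real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


@dataclass
class Bucket:
    """Fields mirror GetPublicAccessBlock, GetBucketAcl, GetBucketPolicyStatus
    and GetBucketTagging, already flattened. All values here are constructed."""
    name: str
    public_access_block: dict = field(default_factory=dict)  # {} = not configured
    acl_grants: list = field(default_factory=list)
    policy_is_public: bool = False
    tags: dict = field(default_factory=dict)


def bucket_is_public(b: Bucket) -> bool:
    """A bucket is public if a public ACL grant or a public policy is
    in effect and not neutralised by Public Access Block."""
    pab = b.public_access_block
    acl_public = any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        for g in b.acl_grants
    )
    # IgnorePublicAcls makes S3 disregard public ACL grants that already exist.
    if acl_public and pab.get("IgnorePublicAcls"):
        acl_public = False
    # RestrictPublicBuckets limits a public bucket policy to in-account principals.
    policy_public = b.policy_is_public and not pab.get("RestrictPublicBuckets")
    return acl_public or policy_public


def cis_style_check(buckets):
    """What the out-of-the-box policy does: flag every public bucket."""
    return [b.name for b in buckets if bucket_is_public(b)]


def custom_check(buckets, exception_tag=("Exposure", "public")):
    """The cloned policy: same test, but buckets tagged as intentionally
    public under the (assumed) corporate convention are not findings."""
    key, value = exception_tag
    findings = []
    for b in buckets:
        if not bucket_is_public(b):
            continue
        if b.tags.get(key, "").lower() == value:
            continue  # legitimately public, documented via the tag
        findings.append(b.name)
    return findings


def owner_grant():
    return {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}


def all_users_read():
    return {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}


# Constructed inventory: names, tags and configurations are made up.
BUCKETS = [
    Bucket("app-data", acl_grants=[owner_grant()]),
    Bucket("legacy-logs", acl_grants=[owner_grant(), all_users_read()]),
    Bucket("www-assets", acl_grants=[owner_grant()], policy_is_public=True,
           tags={"Exposure": "public", "Owner": "web-team"}),
    Bucket("shielded", acl_grants=[owner_grant(), all_users_read()],
           public_access_block={"IgnorePublicAcls": True, "RestrictPublicBuckets": True}),
]

if __name__ == "__main__":
    print("stock policy  :", cis_style_check(BUCKETS))   # ['legacy-logs', 'www-assets']
    print("custom policy :", custom_check(BUCKETS))      # ['legacy-logs']
```

The important design point is that the exception lives in the policy, not in the data: `bucket_is_public` is unchanged between the two checks, so an auditor can still see that `www-assets` is public and that the exception is deliberate, rather than having the bucket silently disappear from the report.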
5. Some obvious policies are missing from CIS Benchmarks.
Take, for example, a check for AWS RDS instances in a public subnet.
There are dozens of other examples where useful, no-nonsense policies are missing from CIS. Nevertheless, the CIS Foundations Benchmarks are still the best place to start with your cloud security.
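As an added example (not from the original post, and not a CIS or Cloudaware policy), here is what such a missing check looks like when written out. A subnet is public when the route table it uses, either an explicitly associated one or the VPC's main table, routes 0.0.0.0/0 (or ::/0) to an internet gateway; the check then flags any RDS instance whose DB subnet group contains such a subnet. The records below are constructed in the shape of describe_route_tables, describe_subnets and describe_db_instances output, and every identifier is made up.

```python
"""Flag RDS instances whose subnet group includes a public subnet (constructed example)."""


def subnet_route_table_map(route_tables):
    """Return (subnet_id -> explicitly associated table, vpc_id -> main table)."""
    explicit, main_by_vpc = {}, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main_by_vpc


def route_table_is_public(rt):
    """True if a default route points at an internet gateway (igw-...)."""
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def public_subnets(subnets, route_tables):
    """Subnets without an explicit association inherit the VPC main table."""
    explicit, main_by_vpc = subnet_route_table_map(route_tables)
    result = set()
    for s in subnets:
        rt = explicit.get(s["SubnetId"]) or main_by_vpc.get(s["VpcId"])
        if rt and route_table_is_public(rt):
            result.add(s["SubnetId"])
    return result


def rds_in_public_subnet(db_instances, subnets, route_tables):
    """One finding per instance: (identifier, offending subnets, PubliclyAccessible).
    PubliclyAccessible is reported alongside because it is a separate property
    (whether the instance gets a public address), not a substitute for this check."""
    pub = public_subnets(subnets, route_tables)
    findings = []
    for db in db_instances:
        group_subnets = {s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]}
        exposed = sorted(group_subnets & pub)
        if exposed:
            findings.append((db["DBInstanceIdentifier"], exposed, db["PubliclyAccessible"]))
    return findings


# Constructed data. One VPC; the main table goes out via a NAT gateway (private),
# one explicitly associated table goes out via an internet gateway (public).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a",
     "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c"}]},
    {"RouteTableId": "rtb-isolated", "VpcId": "vpc-0a",
     "Associations": [{"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-pub1", "VpcId": "vpc-0a"},
    {"SubnetId": "subnet-priv1", "VpcId": "vpc-0a"},   # no explicit association -> main table
    {"SubnetId": "subnet-priv2", "VpcId": "vpc-0a"},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv1"},
                                   {"SubnetIdentifier": "subnet-priv2"}]}},
    {"DBInstanceIdentifier": "reporting-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub1"},
                                   {"SubnetIdentifier": "subnet-priv1"}]}},
]

if __name__ == "__main__":
    for ident, exposed, pub_flag in rds_in_public_subnet(DB_INSTANCES, SUBNETS, ROUTE_TABLES):
        print(f"{ident}: public subnets {exposed}, PubliclyAccessible={pub_flag}")
```

Note the multi-AZ case the constructed data is built around: `reporting-db` has one private and one public subnet in its group and `PubliclyAccessible` set to false, so a check that only looks at that flag would pass it, while the route-table analysis correctly reports the placement problem.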