Product Name

CIS Hardened Images® (AWS, Azure, Google Cloud)

Product Version

All

Problem

When utilizing CIS Hardened Images, how does CIS ensure the integrity of the AMIs or images delivered to AWS, Azure, and Google Cloud?

Solution

The CIS Cloud team operates under a standard procedure of separation of duties to limit security risk. In addition to the noted separation of duties, no one person provides QA and publishing on the same product every month. A product and the associated CSP rotate each month to hinder error and security risk.

While the CIS Cloud products are being built, access to the build machines is locked down to decrease the risk of outside interference during the time a machine is up and running. These machines are ephemeral and are retained for a very limited time. At the end of their build cycle, the machines are all deallocated, generalized, sysprepped, etc. These steps render the machines inaccessible, and their state can no longer be altered.

The CIS Cloud products are reviewed for quality assurance with each monthly product release; the review includes checking keys, directories that pose a security risk, etc. The output of this review is maintained internally for historical reference in case a future review is necessary.

Each CSP scans images submitted to its marketplace. What is scanned for varies by CSP. Most commonly, CSPs scan for known CVEs and reject the submission of an image if a known CVE is present.

Once the images are approved and exist within the CSP marketplace, they cannot be tampered with by CIS. Following submission, the images become the responsibility of the CSP housing them and the end user upon purchase to align with security patching, new CVE releases, etc.

CIS retains the latest three image versions in each CSP and deprecates older versions, where applicable, each month. This process decreases the likelihood an end user will purchase an out of date, less secure image. CSPs scan their marketplace images for CVEs and send notifications to CIS if any CIS images resident on the associated marketplace have a CVE. CIS will then take immediate action to comply with the CSP standard and remove that image from the marketplace.
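The retention and CVE-removal process above is carried out by CIS and the CSPs; the consuming side has a complementary check of its own. The following is an added, illustrative example, not CIS code or any CSP tooling. It takes image records shaped like the entries of an AWS `describe-images` response (ImageId, OwnerId, Name, CreationDate) and reports whether a given image was published by the expected publisher account and is still among that publisher's three most recent images. The publisher account id and all image records below are constructed placeholders; the real CIS account ids are not on this page.

```python
"""Consumer-side provenance and currency check for marketplace images.

Added example: decides whether an image id (a) belongs to the expected
publisher account and (b) is within the publisher's retention window of
the latest N images. Records are shaped like AWS `describe-images` output;
all values here are constructed placeholders, not real AMIs or accounts.
"""
from datetime import datetime, timezone

# Placeholder publisher account id (assumption; the real id is not on the page).
EXPECTED_OWNER = "111122223333"

# Constructed sample records. The last one has a lookalike name but a
# different OwnerId, which is why ownership, not the name, is checked.
SAMPLE_IMAGES = [
    {"ImageId": "ami-00000001", "OwnerId": "111122223333",
     "Name": "Example Hardened Linux - Level 1 - v1.0.1",
     "CreationDate": "2020-05-05T10:00:00.000Z"},
    {"ImageId": "ami-00000002", "OwnerId": "111122223333",
     "Name": "Example Hardened Linux - Level 1 - v1.0.2",
     "CreationDate": "2020-06-04T10:00:00.000Z"},
    {"ImageId": "ami-00000003", "OwnerId": "111122223333",
     "Name": "Example Hardened Linux - Level 1 - v1.0.3",
     "CreationDate": "2020-07-07T10:00:00.000Z"},
    {"ImageId": "ami-00000004", "OwnerId": "111122223333",
     "Name": "Example Hardened Linux - Level 1 - v1.0.4",
     "CreationDate": "2020-08-06T10:00:00.000Z"},
    {"ImageId": "ami-0000000f", "OwnerId": "999999999999",
     "Name": "Example Hardened Linux - Level 1 - v1.0.4",
     "CreationDate": "2020-08-06T11:00:00.000Z"},
]


def parse_date(value):
    """Parse the ISO-8601 CreationDate format used in describe-images output."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def publisher_images(images, owner=EXPECTED_OWNER):
    """Keep only images whose OwnerId is the expected publisher account."""
    return [img for img in images if img["OwnerId"] == owner]


def latest_versions(images, n=3, owner=EXPECTED_OWNER):
    """Return the n most recent images from the publisher, newest first."""
    trusted = publisher_images(images, owner)
    trusted.sort(key=lambda img: parse_date(img["CreationDate"]), reverse=True)
    return trusted[:n]


def assess_image(image_id, images, n=3, owner=EXPECTED_OWNER):
    """Classify an image id as 'unknown', 'untrusted-owner', 'current' or 'deprecated'.

    'deprecated' means the image is the publisher's but has fallen outside
    the latest-n window, so a newer release exists and should be preferred.
    """
    by_id = {img["ImageId"]: img for img in images}
    img = by_id.get(image_id)
    if img is None:
        return "unknown"
    if img["OwnerId"] != owner:
        return "untrusted-owner"
    current_ids = {i["ImageId"] for i in latest_versions(images, n, owner)}
    return "current" if image_id in current_ids else "deprecated"


if __name__ == "__main__":
    for img in latest_versions(SAMPLE_IMAGES):
        print("current:", img["ImageId"], img["Name"])
    for candidate in ("ami-00000001", "ami-00000004", "ami-0000000f", "ami-missing"):
        print(candidate, "->", assess_image(candidate, SAMPLE_IMAGES))
```

In practice the records would come from a `describe-images` call filtered to the publisher's account id, and an instance that launched from an image classified as `deprecated` or `untrusted-owner` is a candidate for rebuild from the current release.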

In addition to sanitized build environments for production images, CIS adheres to security best practices across CSPs and platforms to further protect build integrity. These practices include strict attention to, and routine reviews of, resources such as VPC segregation, security group audits, and the use of high-strength credentials on regular rotation. No single entity has control over the internal topology, changes are logged, and all sources of truth are maintained in version-controlled environments.

Note

The Center for Internet Security, Inc. maintains compliance with System and Organization Controls (SOC) 2 Type II audit, SOC for Cybersecurity, ISO 27001, and ISO 27701.

Keywords: CIS Hardened Images

Copyright © 2020

Center for Internet Security®


Page Properties (hidden)

Linked ticket: SUPPORT-40142 (System Jira)

Created by: Perfect Tangban

Reviewed by:

Approved by:

Remove by: