AWS Inspector Reports on CIS Hardened Image®
Product Name
CIS Hardened Image® - AWS
Product Version
n/a
Date
Feb 21, 2024
Problem
We have purchased a CIS Hardened Image. However, on running an AWS Inspector Host Assessment, we found a long list of issues related to CIS Benchmarks.
Background
An Amazon Inspector assessment can run a host assessment for:
- Common vulnerabilities and exposures
- Center for Internet Security (CIS) Benchmarks
- Security best practices for Amazon Inspector
Example
An AWS Inspector assessment is run against a CIS Ubuntu Linux 18.04 LTS Benchmark - Level 1 instance. The AWS Inspector report shows there are 48 High, 1 Medium and 7 Informational Severity Issues detected.
Please see the chart below for an explanation of those AWS Inspector findings:
Count | Severity | Notes |
---|---|---|
48 | High | |
1 | Medium | |
7 | Informational | |
To further investigate and reconcile those findings, you will need to look carefully at the following:
1. Each CIS Hardened Image has a CIS-CAT Pro Assessor report on the Pass / Fail state of the hardened image according to the specific Benchmark recommendations. That report is in HTML format and is located at /home/CIS_Hardening_Reports/
2. Each CIS Hardened Image has an exceptions listing for any CIS Benchmark recommendations that have not been applied, with a rationale for each exception. That report is in text format and is located at /home/CIS_Hardening_Reports/
3. CIS Benchmarks can be applied at different profiles (levels). Every CIS Hardened Image specifically states the Benchmark and Profile Level. The HTML report noted in item 1 above will only report on the Profile applied. In this KB example this is Profile 1. To see the full Benchmark with all profile levels, please join CIS Workbench, where you can download the Benchmark in question in PDF format.
4. CVE vulnerabilities are addressed by the operating system vendor. Please see the related content KB, which has information on how CIS addresses CVE vulnerabilities in our hardened image build process.
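The reconciliation described above can be scripted as a triage pass over the findings. The following is an added example, not CIS or AWS code: the finding records, the exceptions-file line format, the recommendation numbers and the level mapping are all constructed assumptions, since this KB does not specify those formats.

```python
import re

# Constructed sample data; none of these formats come from AWS or CIS.
APPLIED_PROFILE = 1  # the KB example image is hardened to Profile Level 1

# Assumed exceptions-listing format: "<recommendation> - <rationale>"
EXCEPTIONS_TEXT = """\
1.1.2 - constructed rationale: not applicable to a single-volume image
3.4.1 - constructed rationale: left for the customer to configure
"""

# Assumed mapping copied by hand from the Benchmark PDF: recommendation -> level
BENCHMARK_LEVELS = {"1.1.2": 1, "1.6.1": 2, "3.4.1": 1, "5.2.4": 1}

# Constructed, simplified findings (not the Inspector export schema)
FINDINGS = [
    {"kind": "CIS", "rule": "1.1.2", "severity": "High"},
    {"kind": "CIS", "rule": "1.6.1", "severity": "High"},
    {"kind": "CIS", "rule": "5.2.4", "severity": "High"},
    {"kind": "CVE", "rule": "CVE-PLACEHOLDER", "severity": "Medium"},
]

def parse_exceptions(text):
    """Return {recommendation: rationale} from the assumed line format."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+(?:\.\d+)+)\s*-\s*(.+)", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def triage(finding, exceptions, levels, applied_profile):
    """Sort one finding into the bucket that says where to look next."""
    if finding["kind"] == "CVE":
        return "vendor-patch"              # CVEs are handled by the OS vendor
    rule = finding["rule"]
    if rule in exceptions:
        return "documented-exception"      # listed in the exceptions text file
    level = levels.get(rule)
    if level is None:
        return "unknown-recommendation"    # not found in the Benchmark mapping
    if level > applied_profile:
        return "outside-applied-profile"   # e.g. a Level 2 check on a Level 1 image
    return "check-cis-cat-report"          # compare with the CIS-CAT Pro HTML report

def reconcile(findings=FINDINGS):
    exceptions = parse_exceptions(EXCEPTIONS_TEXT)
    return {f["rule"]: triage(f, exceptions, BENCHMARK_LEVELS, APPLIED_PROFILE)
            for f in findings}

if __name__ == "__main__":
    for rule, bucket in reconcile().items():
        print(f"{rule:16} {bucket}")
```

Only the findings that land in `check-cis-cat-report` need a manual comparison against the Pass / Fail state in the HTML report.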
Related Content
Copyright © 2024 Center for Internet Security®