CIS Hardened Image Security Assurance
Product Name
CIS Hardened Images® (AWS, Azure, Google Cloud, Oracle Cloud)
Product Version
All
Date
Feb 20, 2025
Problem
When utilizing CIS Hardened Images, how does CIS ensure the integrity of the AMIs or images delivered to AWS, Azure, Google Cloud and Oracle Cloud?
Solution
The CIS Cloud team operates under a standard procedure of separation of duties to limit security risk. In addition to that separation of duties, no one person performs both QA and publishing on the same product in the same month. The product and its associated CSP (Cloud Service Provider) assignments rotate each month to reduce both error and security risk.
While the CIS Cloud products are being "built," access to the build machines is locked down to decrease the risk of outside interference during the time each machine is up and running. These machines are ephemeral and are retained for a very limited amount of time. At the end of their build cycle, the machines are deallocated, generalized, sysprepped, etc. These steps render the machines inaccessible, and their state cannot be altered.
The CIS Cloud products are reviewed for quality assurance with each monthly product release; the review includes checking keys, directories that present a security risk, etc. The review output is maintained internally for historical reference in case a future review is necessary.
Each CSP scans images submitted to its marketplace. What is scanned for varies by CSP. Most commonly, CSPs scan for known CVEs and reject the submission of an image if a CVE is present.
Once the images are approved and exist within the CSP marketplace, they cannot be tampered with by CIS. Following submission, the images become the responsibility of the CSP housing them and, upon purchase, of the end user, who must keep up with security patching, newly released CVEs, etc.
CIS retains the latest three image versions in each CSP and, where applicable, deprecates older versions each month. This process decreases the likelihood that an end user will purchase an out-of-date, less secure image. CSPs scan their marketplace images for CVEs and notify CIS if any CIS image resident on the associated marketplace has a CVE. CIS then takes immediate action to comply with the CSP standard and removes that image from the marketplace.
In addition to sanitized build environments for production images, CIS adheres to security best practices across CSPs and platforms to further protect build integrity. These best practices include strict attention to, and routine reviews of, resources such as VPC segregation, security group audits, and the use of high-strength credentials on regular rotation. No single entity has control over the internal topology; changes are logged, and all sources of truth are maintained in version-controlled environments.
The Center for Internet Security, Inc. maintains compliance with System and Organization Controls (SOC) 2 Type II Audit, SOC for Cybersecurity, ISO 27001, and ISO 27701.
Keywords: CIS Hardened Images