CIS Benchmarks
The Center for Internet Security (CIS) Benchmarks are consensus-based hardening guides developed by security experts worldwide. They are the most widely adopted configuration standards for cloud platforms, operating systems, and applications. Infracast implements 189 automated rules across five CIS Benchmarks.
Supported Benchmarks
| Benchmark | Version | Rules | Scope |
|---|---|---|---|
| CIS AWS Foundations | 1.5 | 62 | AWS account and service configuration |
| CIS Azure Foundations | 2.0 | 41 | Azure subscription and service configuration |
| CIS GCP Foundations | 1.3 | 38 | GCP project and service configuration |
| CIS Kubernetes | 1.8 | 28 | Kubernetes cluster hardening |
| CIS Microsoft 365 | 3.0 | 20 | Microsoft 365 tenant configuration |
CIS AWS Foundations Benchmark (62 rules)
The CIS AWS Foundations Benchmark v1.5 covers four sections:
Section 1 — Identity and Access Management (26 rules)
| Rule | Level | Description |
|---|---|---|
| CIS-AWS-1.1 | 1 | Root account MFA enabled |
| CIS-AWS-1.2 | 1 | No root account access keys |
| CIS-AWS-1.4 | 1 | IAM password length ≥ 14 characters |
| CIS-AWS-1.5 | 1 | Password reuse prevention (24 passwords) |
| CIS-AWS-1.6 | 1 | MFA enabled for all IAM users |
| CIS-AWS-1.7 | 1 | No initial access keys at user creation |
| CIS-AWS-1.9 | 1 | Unused credentials rotated within 45 days |
| CIS-AWS-1.10 | 1 | IAM policies attached to groups, not users |
| CIS-AWS-1.14 | 1 | No more than one access key per user |
| CIS-AWS-1.16 | 1 | IAM access key rotation within 90 days |
| CIS-AWS-1.19 | 1 | Security contact info registered |
Section 2 — Storage (10 rules)
| Rule | Level | Description |
|---|---|---|
| CIS-AWS-2.1.1 | 1 | S3 public access blocked at account level |
| CIS-AWS-2.1.5 | 1 | S3 buckets deny HTTP (TLS only) |
| CIS-AWS-2.2.1 | 1 | EBS default encryption enabled |
| CIS-AWS-2.3.1 | 1 | RDS encryption at rest enabled |
| CIS-AWS-2.3.2 | 1 | RDS automated backups enabled |
| CIS-AWS-2.4.1 | 1 | S3 MFA delete enabled |
Section 3 — Logging (10 rules)
| Rule | Level | Description |
|---|---|---|
| CIS-AWS-3.1 | 1 | CloudTrail enabled in all regions |
| CIS-AWS-3.2 | 1 | CloudTrail log file validation enabled |
| CIS-AWS-3.3 | 1 | CloudTrail S3 bucket not publicly accessible |
| CIS-AWS-3.4 | 1 | CloudTrail integrated with CloudWatch |
| CIS-AWS-3.5 | 1 | AWS Config enabled in all regions |
| CIS-AWS-3.10 | 1 | Security Hub enabled |
Section 5 — Networking (16 rules)
| Rule | Level | Description |
|---|---|---|
| CIS-AWS-5.2 | 1 | No security groups allow 0.0.0.0/0 to port 22 |
| CIS-AWS-5.3 | 1 | No security groups allow 0.0.0.0/0 to port 3389 |
| CIS-AWS-5.4 | 1 | Default security group blocks all traffic |
| CIS-AWS-5.6 | 2 | VPC flow logging enabled |
CIS Azure Foundations Benchmark (41 rules)
| Category | Rules | Key Checks |
|---|---|---|
| Identity & Access | 15 | MFA for admins, guest users, conditional access |
| Security Center | 8 | Defender for Cloud enabled, security contacts |
| Storage Accounts | 6 | Secure transfer, public access, logging |
| Database Services | 5 | SQL TDE, firewall rules, audit logging |
| Networking | 4 | Network watcher, flow logs, NSG rules |
| Logging | 3 | Activity log alerts, diagnostic settings |
Sample rules:
- CIS-AZURE-1.1 — Multi-factor authentication for all privileged users
- CIS-AZURE-3.1 — Ensure that 'Secure transfer required' is enabled
- CIS-AZURE-6.3 — Ensure that 'Activity Retention' is set to 1 year or greater
- CIS-AZURE-9.1 — Ensure app service authentication is enabled
CIS GCP Foundations Benchmark (38 rules)
| Category | Rules | Key Checks |
|---|---|---|
| Identity & Access | 14 | Service account keys, org policies, IAM |
| Logging & Monitoring | 10 | Cloud Audit Logs, log metric alerts |
| Networking | 8 | Firewall rules, SSH/RDP access, flow logs |
| Storage | 4 | Bucket public access, uniform access |
| Compute | 2 | OS login, metadata server access |
Sample rules:
- CIS-GCP-1.1 — No admin service accounts at org level
- CIS-GCP-4.1 — Firewall rule does not allow 0.0.0.0/0:22
- CIS-GCP-6.2.1 — Cloud SQL requires all incoming connections to use SSL
- CIS-GCP-7.1 — Cloud Storage bucket is not anonymously accessible
CIS Kubernetes Benchmark (28 rules)
Covers both managed Kubernetes (EKS, AKS, GKE) and self-hosted clusters:
| Category | Rules | Key Checks |
|---|---|---|
| Control Plane | 8 | API server flags, etcd encryption, audit logging |
| Worker Nodes | 8 | kubelet config, node authorization, pod security |
| RBAC | 6 | Cluster-admin binding, service account tokens |
| Networking | 4 | Network policies, CNI configuration |
| Pod Security | 2 | Pod security admission, privileged containers |
Sample rules:
- CIS-K8S-1.2.1 — API server anonymous auth disabled
- CIS-K8S-1.2.6 — AlwaysPullImages admission controller enabled
- CIS-K8S-4.2.1 — kubelet anonymous authentication disabled
- CIS-K8S-5.2.1 — No privileged containers in default namespace
- CIS-K8S-5.7.1 — Namespaces have network policies applied
CIS Microsoft 365 Benchmark (20 rules)
| Category | Rules | Key Checks |
|---|---|---|
| Identity | 8 | MFA for admins, legacy auth blocked, conditional access |
| Email Security | 5 | Anti-phishing, DKIM, DMARC, SPF |
| Application | 4 | Integrated app consent, OAuth app permissions |
| Data Protection | 3 | Sensitivity labels, external sharing, audit logging |
How Rules Map to CIS Controls
Every Infracast rule includes the CIS control ID for easy cross-reference:
```bash
# Get all CIS AWS findings
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/findings?framework=cis-aws"

# Filter by CIS section
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/findings?framework=cis-aws&control_prefix=5"
```
Example finding response:
```json
{
  "id": "CIS-AWS-5.2-sg-0abc123def456",
  "rule_id": "CIS-AWS-5.2",
  "framework": "cis-aws",
  "control_id": "5.2",
  "severity": "HIGH",
  "title": "Security group allows unrestricted SSH access",
  "description": "Security group 'sg-0abc123def456' (web-servers-sg) has inbound rule 0.0.0.0/0:22 (SSH).",
  "resource_type": "aws.ec2.security_group",
  "remediation": "Remove the inbound rule allowing 0.0.0.0/0:22. Restrict SSH to known admin IPs or a bastion host."
}
```
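To show how a finding like the one above is produced, here is an added example (not Infracast's own rule engine) that evaluates CIS-AWS-5.2 and CIS-AWS-5.3 over constructed security group data shaped like the EC2 DescribeSecurityGroups output, and emits findings in the format above. It also covers the cases a naive port check misses: all-traffic rules (IpProtocol "-1", which carry no port fields), port ranges that span 22 or 3389, and the IPv6 any-address source ::/0.

```python
# Constructed sample shaped like EC2 DescribeSecurityGroups output (an assumption of this example).
SECURITY_GROUPS = [
    {"GroupId": "sg-0abc123def456", "GroupName": "web-servers-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0111111111111", "GroupName": "bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0222222222222", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
# The two Level 1 networking rules from the table above and the port each guards.
RULES = {"CIS-AWS-5.2": (22, "SSH"), "CIS-AWS-5.3": (3389, "RDP")}

def open_source(perm):
    # Any-address source on an inbound rule, IPv4 or IPv6; None if the source is restricted.
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return "0.0.0.0/0" if v4 else "::/0" if v6 else None

def covers_port(perm, port):
    # All-traffic rules (IpProtocol "-1") carry no port fields; ranges are inclusive.
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def evaluate(groups):
    # One finding per (rule, security group), in the finding format shown above.
    findings = []
    for sg in groups:
        for rule_id, (port, name) in RULES.items():
            hits = [open_source(p) for p in sg["IpPermissions"]
                    if open_source(p) and covers_port(p, port)]
            if hits:
                findings.append({
                    "id": f"{rule_id}-{sg['GroupId']}", "rule_id": rule_id,
                    "framework": "cis-aws", "control_id": rule_id.rsplit("-", 1)[1],
                    "severity": "HIGH", "resource_type": "aws.ec2.security_group",
                    "title": f"Security group allows unrestricted {name} access",
                    "description": f"Security group '{sg['GroupId']}' ({sg['GroupName']}) "
                                   f"has inbound rule {hits[0]}:{port} ({name}).",
                })
    return findings
```

The bastion group passes both rules because its source is a specific /24, while the all-traffic group fails both even though it never names port 22 or 3389.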
CIS Levels
CIS benchmarks define two levels:
| Level | Description | When to Apply |
|---|---|---|
| Level 1 | Essential, practical security. Minimal performance impact | Always — baseline for all systems |
| Level 2 | Defense-in-depth. May impact performance or usability | High-security environments, regulated industries |
Infracast reports pass/fail per level so you can see your posture against L1 alone vs. L1+L2.
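As an added example (not Infracast code), the following computes that per-level posture from the findings API output: a rule fails if any resource has a finding for it, `max_level=1` gives the L1-only view and `max_level=2` the L1+L2 view, and `control_prefix` narrows to one CIS section the same way the `control_prefix` query parameter above does. The rule levels and findings are constructed from the Section 3 and Section 5 tables on this page.

```python
# Constructed: a slice of the rule catalog with levels taken from the tables above
# (Section 5 networking rules plus two Section 3 logging rules).
RULE_LEVELS = {
    "CIS-AWS-3.1": 1, "CIS-AWS-3.2": 1,
    "CIS-AWS-5.2": 1, "CIS-AWS-5.3": 1, "CIS-AWS-5.4": 1, "CIS-AWS-5.6": 2,
}
# Constructed findings, trimmed to the fields of the findings API response used here.
FINDINGS = [
    {"rule_id": "CIS-AWS-5.2", "control_id": "5.2"},
    {"rule_id": "CIS-AWS-5.2", "control_id": "5.2"},   # a second security group, same rule
    {"rule_id": "CIS-AWS-5.6", "control_id": "5.6"},
]

def section_of(rule_id):
    # "CIS-AWS-5.2" -> "5": the CIS section that control_prefix selects on.
    return rule_id.rsplit("-", 1)[1].split(".")[0]

def posture(rule_levels, findings, max_level=1, control_prefix=None):
    # Pass/fail per rule up to max_level; a rule with one or more findings fails.
    failing_rules = {f["rule_id"] for f in findings}
    passing, failing = [], []
    for rule_id, level in sorted(rule_levels.items()):
        if level > max_level:
            continue  # L2 rules are excluded from the L1-only view
        if control_prefix is not None and section_of(rule_id) != str(control_prefix):
            continue
        (failing if rule_id in failing_rules else passing).append(rule_id)
    total = len(passing) + len(failing)
    return {"level": "L1+L2" if max_level >= 2 else "L1",
            "passing": passing, "failing": failing,
            "pass_rate": round(100 * len(passing) / total) if total else None}
```

Note that the L1-only view hides the VPC flow logging failure (CIS-AWS-5.6) entirely, which is why the page recommends looking at both views.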
Multi-Benchmark Compliance
Running multiple cloud platforms? Infracast evaluates all CIS benchmarks simultaneously:
```
GET /api/v1/tenants/{tenantID}/compliance/summary
```

```json
{
  "frameworks": {
    "cis-aws": { "score": 84, "rules": 62, "passing": 52 },
    "cis-azure": { "score": 91, "rules": 41, "passing": 37 },
    "cis-gcp": { "score": 78, "rules": 38, "passing": 30 },
    "cis-kubernetes": { "score": 86, "rules": 28, "passing": 24 },
    "cis-m365": { "score": 95, "rules": 20, "passing": 19 }
  }
}
```
Next Steps
- DISA STIGs — DoD hardening for government systems
- PCI DSS — CIS benchmarks support PCI network controls
- API: Findings — Query CIS findings by benchmark and section