Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

What are CIS benchmarks?

CIS benchmarks are publicly available security roadmaps offering core recommendations to guide organizations on hardening their IT systems against cyber threats.

Wiz Experts Team
4 minutes read

CIS benchmarks are publicly available security roadmaps offering core recommendations to guide organizations on hardening their IT systems against cyber threats. They were created by the Center for Internet Security (CIS), a community-based nonprofit organization striving to “create confidence in the connected world.” 

Over 140 CIS benchmarks, in eight primary categories, have been created to date through a community-based consensus of IT professionals worldwide. These are mapped to the CIS Critical Security Controls and can also be aligned with other standardized frameworks such as NIST, PCI-DSS, HIPAA, and others.

CIS benchmarks have been designed to be a central guiding factor in preparing a comprehensive cybersecurity program. While CIS makes its benchmark guidelines available as free PDF downloads to security professionals for non-commercial use, the organization also makes money through commercial membership and add-on services.

How do CIS benchmarks make your organization safer?

Example compliance assessment against CIS EKS benchmarks

Because CIS benchmarks are created via consensus by IT professionals worldwide, they are well-known and widely accepted. These professionals have aggregated a wide range of lessons learned and best practices that can give any organization a powerful head start against cyber adversaries.

Following CIS benchmarks offers your organization numerous benefits:

  • Reduced attack surface by minimizing exploitable weaknesses

  • Stronger baseline security with a solid foundation

  • Alignment with industry standards, potentially reducing audit risks while simplifying compliance and overall security posture

  • Reduced misconfigurations thanks to clear configuration guidelines

  • Better resilience against the most common known threats as determined by industry consensus

CIS benchmarks are also vendor-agnostic, providing combined intelligence from the global IT community. Beyond hardening security across a wide range of systems and devices, following CIS benchmark remediations can also improve system performance and sustainability.

8 categories of CIS benchmarks

To aid organizations in determining which CIS benchmarks are most relevant to their security program, they are divided into eight general categories.

  1. Cloud provider: Offers best practices for configuring identity and access controls (IAM), system logging mechanisms, network security settings, and compliance-aligned safeguards; includes Amazon Web Services (AWS, e.g., AWS Compute Services), Alibaba Cloud, Microsoft 365, and others

  2. Desktop software: Provides secure configuration guidance for popular desktop applications, encompassing email security, mobile device management, web browsing, and third-party software risk mitigation. It contains subcategories that include productivity software (e.g., Microsoft Office, Zoom) and web browsers (e.g., Mozilla Firefox, Safari)

  3. DevSecOps tools: Aids security teams in securing DevSecOps pipeline, providing best practices for configuring security controls within development and integration tools; includes software supply chain security measures for GitHub and GitLab

  4. Mobile devices: Helps teams focus on optimizing developer settings, operating system privacy configurations, secure web browsing settings, and granular app permission controls; includes subcategories for Apple iOS and Android

  5. Print devices: Currently contains only one benchmark, CIS Multi-Function Device; focuses on hardening vulnerable devices including firmware updates, network configurations, wireless access, user management, and file-sharing controls

  6. Network devices: Offers security hardening guidance encompassing both general best practices and vendor-specific configurations, ensuring optimal security for specific hardware; includes network security devices from Cisco and Palo Alto Networks

  7. Operating systems: Covers controls for local and remote access, user account management, driver installation protocols, and secure web browser settings; subcategories include Linux (e.g., Debian, Ubuntu), Microsoft Windows, and Unix (e.g., IBM AIX, Apple macOS)

  8. Server software: Provides recommendations encompassing administrative controls, virtual network policies, storage access limitations, and secure configurations for Kubernetes, including PKI certificates and API server settings; multiple subcategories include web servers (e.g., Microsoft IIS), database servers (e.g., MongoDB), and virtualized servers (e.g., Kubernetes)

Anatomy of a CIS benchmark

Each CIS benchmark contains a list of recommendations for a particular product, with the number of recommendations depending on the complexity of the product.

Many benchmarks contain hundreds of very detailed recommendations. For each recommendation, its assessment status notes whether it can be automated or requires manual configuration. 

Each CIS benchmark is assigned one of two profiles:

  • Level 1: Basic security guidelines to attain an adequate level of security for non-mission-critical devices; Level 1 actions will rarely affect system functionality.

  • Level 2: Stronger security guidelines for mission-critical devices; these actions may impact system functionality but will provide far more bulletproof security.

Finally, each recommendation includes two areas of focus:

  • Audit: Helps you investigate how secure you are in one particular area

  • Remediation: Action steps with configuration recommendations to harden your system in that area

Here’s what you’ll see when you unpack a typical CIS recommendation:

CIS Foundations Benchmarks cover all aspects of cloud service provider (CSP) security for organizations like Amazon Web Services (AWS), Google Cloud Computing Platform, Microsoft Azure, Alibaba Cloud, and several others.

The following two examples are taken from the CIS Foundations Benchmark for AWS to give you a better idea of what you’ll see inside a typical benchmark recommendation. One is a Level 1 example (basic security guidelines), and the other is a Level 2 example (stronger security guidelines).

TitleEnsure that all the expired SSL/TLS certificates stored in AWS IAM are removedEnsure MFA delete is enabled on S3 buckets
Assessment statusAutomatedManual
ProfileLevel 1Level 2
DescriptionTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.
Rationale statementRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancing (ELB), which can damage the credibility of the application/website behind the load balancer. As a best practice, it is recommended to delete expired certificates.Adding MFA delete to an S3 bucket requires additional authentication when you change the version state of your bucket or you delete an object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.
Impact statementDeleting the certificate could have implications for your application if you are using an expired server certificate with ELB, CloudFront, etc. One has to make configurations at the respective services to ensure there is no interruption in application functionality.Enabling MFA delete on an S3 bucket could require additional administrator oversight. Enabling MFA delete may impact other services that automate the creation and/or deletion of S3 buckets.
Audit procedureAudit steps provided (console and command line)Audit steps provided (console and command line)
Remediation procedureRemediation steps provided (console and command line)Remediation steps provided (command line only)
Default valueBy default, expired certificates won't get deleted.n/a
ReferencesReferences providedReferences provided
CIS Controls mappingCIS v8 - 3.1 Establish and Maintain a Data Management Process CIS v7 - 13 Data ProtectionCIS v8 - 3.3 Configure Data Access Control Lists 6.5 Require MFA for Administrative Access CIS v7 - 14.6 Protect Information through Access Control Lists

Wiz: First to market with built-in Kubernetes CIS benchmark certification

As an integrated cloud native application protection platform (CNAPP) platform, Wiz was the first vendor to be recognized with CIS SecureSuite Vendor Certification for three major Kubernetes benchmarks, simplifying compliance with the latest EKS, AKS, and GKE CIS Benchmarks while giving you a cloud-native way to secure your Kubernetes environments.

Adopting CIS Benchmarks helps your security teams learn from best practices and harden your entire organization against today’s leading threats. And with Wiz, you can do much of that from a single pane of glass, aggregating data from all your tools for actionable, prioritized insights based on “toxic combinations”—a unique vulnerability score based on real risk to your organization. And because it’s agentless, it’s easy to deploy across your entire organization, no matter its size.

Wiz lets you proactively identify vulnerabilities, with clear remediation guidance, staying far ahead of attackers to secure your cloud environments. 

Get a demo today to start simplifying Kubernetes compliance and elevating your entire security posture with Wiz.

100+ Built-In Compliance Frameworks

See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.

Get a demo

Continue reading

GitOps vs. DevOps

While DevOps delineates collaboration and automation practices that emphasize infrastructure provisioning and continuous monitoring, GitOps extends its concepts by employing Git as the single source of truth for both application and infrastructure settings.

Kubernetes Namespaces: Security Best Practices

Kubernetes namespaces divide a given cluster into virtual clusters, helping to separate and manage resources while still keeping them within the same physical cluster. By segregating workloads and applying policies per namespace, you can create boundaries that keep your multi-tenant environments safe and organized.

Linux containers: A security review

Understanding the nuances of Linux containers is crucial for building robust, secure applications. This blog post provides insights into the practical implementation of containers, focusing on both their strengths and potential pitfalls.