Write a Framework

This document provides a walkthrough of the aws_cis_compute_service_v100 Compliance Framework.

The framework outlines best practices in alignment with the Center for Internet Security (CIS) AWS Compute Services Benchmark v1.0.0, offering recommendations to enhance the security posture of AWS Compute resources and ensure they meet industry-standard compliance requirements.

Framework Definition

framework:
  id: aws_cis_compute_service_v100
  title: "CIS AWS Compute Services Benchmark v1.0.0"
  description: >
    This CIS AWS Compute Services Benchmark provides prescriptive guidance for configuring
    security options for the services within the Compute category in AWS. This Benchmark
    is intended to be used in conjunction with the CIS Amazon Web Services Foundations Benchmark.
  section-code: aws_cis_compute_service_v100
  metadata:
    defaults:
      auto-assign: false
      enabled: false
      tracks-drift-events: false
    tags:
      framework:
        - "CIS AWS Compute Services Benchmark"
      version:
        - "v1.0.0"
      service:
        - "compute"
      category:
        - "CIS"

  • ID & Title: Uniquely identifies the framework and provides a clear title.

  • Description: Offers an overview of the framework's purpose and its relation to other CIS benchmarks.

  • Control Groups: Organize related controls into hierarchical sections (see Control Groups below).

  • Metadata:

    • Defaults: Sets default behaviors for control assignment and event tracking.

    • Tags: Categorizes the framework for easier identification and filtering based on criteria like service, platform, and priority.

Control Groups

Control Groups organize related controls into hierarchical sections, mirroring AWS Compute services.

Example: Elastic Cloud Compute (EC2)

control-group:
  - id: aws_cis_compute_service_v100_2
    title: "Elastic Cloud Compute (EC2)"
    description: >
      Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure,
      resizable compute capacity in the cloud. This section will contain recommendations
      for configuring your compute resources within EC2.
    section-code: "2"
    control-group:
      - id: aws_cis_compute_service_v100_2_1
        title: "Amazon Machine Images (AMI)"
        description: >
          This section contains recommendations for the security of Amazon Machine Images
          (AMI's) that you could utilize within the AWS EC2 Service.
        section-code: "1"
        controls:
          - aws_cis_compute_service_v100_2_1_1
          - aws_cis_compute_service_v100_2_1_2
          - aws_cis_compute_service_v100_2_1_3
          - aws_cis_compute_service_v100_2_1_4
          - aws_cis_compute_service_v100_2_1_5

      - id: aws_cis_compute_service_v100_2_2
        title: "Elastic Block Storage (EBS)"
        description: >
          This section contains guidance for Amazon Elastic Block Store (EBS) which is a
          high performance block storage service designed for use with Amazon Elastic
          Compute Cloud (EC2).
        section-code: "2"
        controls:
          - aws_cis_compute_service_v100_2_2_1
          - aws_cis_compute_service_v100_2_2_2
          - aws_cis_compute_service_v100_2_2_3
          - aws_cis_compute_service_v100_2_2_4
    controls:
      - aws_cis_compute_service_v100_2_3
      - aws_cis_compute_service_v100_2_4
      # Additional controls...

  • Control Group ID & Title: Identifies the group and specifies the AWS service (e.g., EC2).

  • Description: Provides context and scope for the controls within the group.

  • Section-Code: Numeric identifier that orders the group within its parent section.

  • Nested Control Groups: Further categorizes controls (e.g., AMI, EBS) with their own IDs, titles, descriptions, and specific controls.

Each group includes relevant controls tailored to the specific service, ensuring comprehensive coverage.
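As an added example (not part of this page or the framework tool's own code), the following Python walks a framework shaped like the YAML above and checks the two properties a reviewer would want before enabling it: every control id appears once, and ids follow the convention visible on the page, where a child id is the parent id plus "_" plus its section-code. The dict is a constructed, hand-parsed copy of the page's YAML (in practice you would `yaml.safe_load` the file), with one duplicate control deliberately planted so the check has something to report.

```python
# Added example (not from the page or the framework tool): lint a framework
# dict shaped like the YAML above. Constructed data, hand-parsed from the
# page's YAML (in practice: yaml.safe_load); the id rule it checks,
# child id == parent id + "_" + section-code, is inferred from the page's ids.
P = "aws_cis_compute_service_v100"

FRAMEWORK = {
    "id": P,
    "control-group": [{
        "id": P + "_2", "section-code": "2",
        "control-group": [
            {"id": P + "_2_1", "section-code": "1",
             "controls": [P + "_2_1_1", P + "_2_1_2"]},
            {"id": P + "_2_2", "section-code": "2",
             "controls": [P + "_2_2_1", P + "_2_2_2"]},
        ],
        # P + "_2_1_1" listed again here: a constructed duplicate for the lint
        "controls": [P + "_2_3", P + "_2_1_1"],
    }],
}


def lint_framework(framework):
    """Return (control_ids, problems).

    control_ids lists every control reached through nested control groups;
    problems describes duplicate control ids, controls filed under a group
    whose id is not their prefix, and group ids that break the naming rule.
    """
    seen, problems = [], []

    def walk(group, parent_id):
        gid = group["id"]
        expected = f"{parent_id}_{group['section-code']}"
        if gid != expected:
            problems.append(f"group {gid}: expected id {expected}")
        for cid in group.get("controls", []):
            if not cid.startswith(gid + "_"):
                problems.append(f"control {cid}: not under group {gid}")
            if cid in seen:
                problems.append(f"control {cid}: duplicate id")
            seen.append(cid)
        for child in group.get("control-group", []):
            walk(child, gid)

    for top in framework.get("control-group", []):
        walk(top, framework["id"])
    return seen, problems
```

Run `lint_framework(FRAMEWORK)` to get six control ids and a single problem naming the planted duplicate; a clean framework returns an empty problem list.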

Controls

Controls are referenced by unique identifiers listed within their respective control groups. For example:

controls:
  - aws_cis_compute_service_v100_2_1_1
  - aws_cis_compute_service_v100_2_1_2
  # Additional controls...

Each control corresponds to a specific security recommendation or requirement as per the CIS benchmark.

Tags and Metadata

Tags within each control group and the framework as a whole enable easy filtering and management based on various attributes like service type, compliance category, and priority level.

Summary

This YAML framework structure efficiently organizes CIS benchmark controls for AWS Compute services, facilitating scalable and manageable compliance enforcement. By leveraging hierarchical control groups and detailed metadata, SecOps teams can ensure robust security configurations across all AWS Compute resources.
