Walkthrough: Identifying CIS violations for AWS
In the previous walkthrough, you used BMC Helix Cloud Security to download, configure, and run the AWS Cloud connector. This walkthrough enables you to explore the results and identify specific resources that are not compliant with the out-of-the-box CIS policies for AWS.
Log on to Cloud Security with your registered credentials.
Onboard and run the connector, as described in Walkthrough: Onboarding the AWS Cloud connector.
Click the Policy Filter and select CIS Amazon Web Services Foundations Benchmark.
View the two S3 Buckets rules, and note the number of non-compliant resources for each rule.
Note that the Ensure the S3 bucket CloudTrail logs is not publicly accessible rule has a severity of Critical, and would normally be investigated first on the strength of that severity alone. But because it shows 100% compliance, no further action is necessary for this rule in this scenario.
Click the Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket rule, to view the list of non-compliant S3 buckets.
The resulting list makes it easy to identify the S3 resources that are non-compliant.
Expand the resource and click the Resource Results button to view the conditions of the rule.
The icons to the left of each condition make it easy to see which conditions of the rule failed the compliance scan. In this case, the condition that checks whether permissions on the resource are wide open is the one that failed.
To dig a little deeper, you can view the Variable Details.
Here you can see the values that are associated with each variable.
To see how the rule is written, click the Expression button to view the full expression.
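To make the conditions behind the two S3 bucket rules concrete, the following Python script evaluates them over bucket data of the shape boto3's S3 client returns from get_bucket_acl, get_bucket_policy_status and get_bucket_logging. This is an added example, not code from BMC Helix Cloud Security or its rule expressions; the bucket names and API responses are constructed so that it runs offline, and the way the product itself phrases each condition is not reproduced here.

```python
"""Evaluate the two CIS CloudTrail S3 bucket conditions from the walkthrough.

Added example (not BMC Helix Cloud Security code). Inputs mirror the
dictionaries boto3's S3 client returns; all sample data is constructed.
"""

# Group URIs S3 uses in ACL grants for anonymous and any-AWS-account access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}


def acl_is_public(acl: dict) -> bool:
    """True if the bucket ACL grants any permission to AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def policy_is_public(policy_status: dict) -> bool:
    """True if S3's own evaluation (get_bucket_policy_status) reports the policy as public."""
    return bool(policy_status.get("PolicyStatus", {}).get("IsPublic", False))


def trail_bucket_publicly_accessible(acl: dict, policy_status: dict) -> bool:
    """Either a public ACL grant or a public bucket policy makes the bucket public."""
    return acl_is_public(acl) or policy_is_public(policy_status)


def access_logging_enabled(logging_config: dict) -> bool:
    """A bucket with server access logging disabled returns no LoggingEnabled key."""
    return bool(logging_config.get("LoggingEnabled", {}).get("TargetBucket"))


def evaluate(bucket: dict) -> dict:
    """Compliance result for one bucket record against both rules."""
    return {
        "bucket": bucket["name"],
        "not_publicly_accessible": not trail_bucket_publicly_accessible(
            bucket["acl"], bucket["policy_status"]
        ),
        "access_logging_enabled": access_logging_enabled(bucket["logging"]),
    }


def evaluate_all(buckets: list) -> list:
    return [evaluate(b) for b in buckets]


def noncompliant(results: list, rule: str) -> list:
    """Names of buckets that fail the given rule key."""
    return [r["bucket"] for r in results if not r[rule]]


# Constructed sample data (hypothetical bucket names and owner ID).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
SAMPLE_BUCKETS = [
    {   # Private ACL, private policy, logging on: compliant with both rules.
        "name": "cloudtrail-logs-compliant",
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy_status": {"PolicyStatus": {"IsPublic": False}},
        "logging": {"LoggingEnabled": {"TargetBucket": "access-logs-example", "TargetPrefix": "trail/"}},
    },
    {   # Wide-open ACL grant and public policy, no logging: fails both rules.
        "name": "cloudtrail-logs-open",
        "acl": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]},
        "policy_status": {"PolicyStatus": {"IsPublic": True}},
        "logging": {},
    },
    {   # Private ACL but a public bucket policy: the ACL check alone would miss it.
        "name": "cloudtrail-logs-policy-public",
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy_status": {"PolicyStatus": {"IsPublic": True}},
        "logging": {"LoggingEnabled": {"TargetBucket": "access-logs-example"}},
    },
]


if __name__ == "__main__":
    results = evaluate_all(SAMPLE_BUCKETS)
    for rule in ("not_publicly_accessible", "access_logging_enabled"):
        print(rule, "non-compliant:", noncompliant(results, rule))
```

The third sample bucket is why the public-access condition combines the ACL and the policy status: a bucket policy can open a bucket that its ACL does not, so checking grants alone under-reports. Against a live account the same dictionaries come from `s3.get_bucket_acl(Bucket=...)`, `s3.get_bucket_policy_status(Bucket=...)` and `s3.get_bucket_logging(Bucket=...)`.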
In this scenario, you have quickly identified a configuration weakness in your AWS environment: a CIS compliance violation on the S3 bucket that holds your CloudTrail logs.
Cloud Security makes it easy to continually review your AWS deployment to make sure that it is properly configured.
To walk through a scenario where you must remediate identified violations, see Remediating an AWS compliance violation.