

AWS CIS Compliance in 15 minutes with 1 Command

Did you know an AWS Account is only 39% CIS compliant by default?

SecurityHub ScreenShot

That's why I've created a Python script (which is available free on my GitHub page) which will help you achieve CIS, PCI DSS, and AWS Security Best Practice compliance, all with just one command.

Behind the scenes it checks about 200 controls and with my script you will meet over 95% of those. Some items such as enabling hardware MFA are not possible with a script.

SecurityHub MFA ScreenShot

Behind the scenes, it launches a nested CloudFormation stack with 10 sub-stacks. Then it uses Python (via the AWS boto3 SDK library) to do the following:

  • Enable GuardDuty
  • Remove Default Security Group Rules
  • Update the Password Policy
  • Enable S3 Secure Transport
  • Enable PCI Standards
  • Enable a VPC for the Control Tower Lambda function
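
To make the boto3 side of these steps concrete, here is an added example (not the author's script, and not code from the GitHub repository) covering three of the items above: the password policy, stripping rules from default security groups, and forcing TLS on S3 buckets. The CIS password values are assumed from the benchmark rather than taken from the post, the sample security group is constructed, and the pure helper functions are separated from the AWS calls so the logic can be checked without credentials.

```python
import json

# CIS AWS Foundations Benchmark password policy values (assumed; not from the post).
CIS_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def password_policy_gaps(current: dict) -> dict:
    """Return the CIS settings that differ from the account's current policy.
    `current` is iam.get_account_password_policy()["PasswordPolicy"], or {} if none is set."""
    return {k: v for k, v in CIS_PASSWORD_POLICY.items() if current.get(k) != v}


def default_sg_revocations(group: dict) -> list:
    """Given one entry from ec2.describe_security_groups()["SecurityGroups"] for a
    'default' group, return (method, kwargs) pairs that remove every rule it has.
    The describe output is passed straight back to the revoke calls, which is what
    makes the revocation exact (same protocol, ports, CIDRs and group references)."""
    calls = []
    if group["IpPermissions"]:
        calls.append(("revoke_security_group_ingress",
                      {"GroupId": group["GroupId"], "IpPermissions": group["IpPermissions"]}))
    if group["IpPermissionsEgress"]:
        calls.append(("revoke_security_group_egress",
                      {"GroupId": group["GroupId"], "IpPermissions": group["IpPermissionsEgress"]}))
    return calls


def secure_transport_policy(bucket: str) -> dict:
    """Bucket policy denying any request that is not made over TLS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def harden_account(iam, ec2, s3, buckets):
    """Apply the three fixes with injected boto3 clients; returns the actions taken for logging."""
    actions = []
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        current = {}
    if password_policy_gaps(current):
        iam.update_account_password_policy(**CIS_PASSWORD_POLICY)
        actions.append("password-policy")
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
    for group in groups:
        for method, params in default_sg_revocations(group):
            getattr(ec2, method)(**params)
            actions.append(f"{method}:{group['GroupId']}")
    for bucket in buckets:
        # Note: put_bucket_policy replaces any existing policy on the bucket.
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(secure_transport_policy(bucket)))
        actions.append(f"s3-tls:{bucket}")
    return actions


# Constructed sample of what describe_security_groups returns for a default group.
SAMPLE_DEFAULT_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [
        {"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    import boto3  # only needed for the live run, uses the default credential chain
    session = boto3.Session()
    s3 = session.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    print(harden_account(session.client("iam"), session.client("ec2"), s3, names))
```

Because `put_bucket_policy` overwrites the existing policy, a real run should merge the TLS deny statement into whatever policy the bucket already has (fetch it with `get_bucket_policy` first) rather than replacing it as shown here; the default security group needs both ingress and egress rules removed, and the describe output includes the egress rule that is present on every freshly created VPC.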

You can download the script and find details on how to run it here: NickTheSecurityDude GitHub

After you run the script, simply give SecurityHub about 24 hours to update.

SecurityHub After ScreenShot

The script will send both email notices as well as Slack notifications in the event a control is detected out of compliance.

CIS Slack ScreenShot

I will be doing a live demo of the script at the September 2021 Chicago AWS Security Meetup Group. Join me via Zoom on 9/21 at 7pm to see first-hand how the script works and to ask any questions.

SecurityHub After ScreenShot 2

Discussion (1)

venkatsi

Very useful. Thank you