CIS Benchmark in Public Clouds

Maintain continuous compliance and security in public clouds

Blog Series about Security in Public Clouds

This blog is part of a blog series about security in public clouds. If you want to go deeper into the topic, have a look at the introductory blog, where all related articles are listed and linked.


The CIS Benchmark

The IT security industry can be special… but on the point that one should not try to reinvent the wheel, we all agree. The proverb underlines that a thing that has proven itself in the industry does not have to be redeveloped. The Benchmarks of the Center for Internet Security (CIS Benchmarks) are one of those things that have proven themselves in the industry. For more than 15 years, new benchmarks have been regularly published and existing ones revised.

The CIS publishes benchmarks for a variety of operating systems, applications and network devices. The guidelines describe a good, secure state. Such benchmarks also exist for cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. The benchmarks can be obtained at the URL CIS benchmarks place great value on being implementable and technology-related. This enables a high degree of automation.


CIS Benchmark in AWS – all at once (with the help of Security Hub)

In AWS, Security Hub is required to enable the predefined CIS controls. Currently (as of April 23, 2019), Security Hub is still in preview. Nevertheless, Security Hub can be activated easily. As long as the preview phase continues, it will even be free of charge.

Right after enabling Security Hub, the CIS benchmark is available under Compliance Standards. AWS uses Config to automate the necessary tasks so that compliance with the standard can be measured at any time. This means that continuous compliance can be established, and the current or past status of the systems can be reviewed at any time.

If needed, the results of several AWS accounts can be fed into one Security Hub to centrally check compliance across all connected accounts. The results are clearly displayed in a dashboard, from which it is possible to dive deeper into the details.



CIS Benchmark in AWS – Using Event Bus

If granular control over which controls are monitored and which are not is desired, an alternative approach comes into play. Using Event Bus, it is possible to send and receive events, even across accounts.

To consume events from the event bus, event rules are needed. An event rule includes a pattern to match against and targets to send the event to.

For example, the following rule is triggered when a sign-in event without multi-factor authentication (MFA) takes place.

{
  "source": ["aws.signin"],
  "detail": {
    "eventSource": ["signin.amazonaws.com"],
    "additionalEventData": {
      "MFAUsed": ["No"]
    }
  }
}

Simply explained, this means: event rules use patterns to match against the JSON payload of any event flowing through the event bus. The events are processed in near real time.
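To make the matching behaviour concrete, here is an added example (not code from the original post or from AWS) that evaluates a sign-in-without-MFA pattern against constructed events. It implements only the exact-value subset of event pattern matching; the values "aws.signin", "signin.amazonaws.com" and "No" are assumed for the pattern's fields, and the sample events, user names and account ID are made up.

```python
# Pattern with the field names of the rule above; values are assumptions.
PATTERN = {
    "source": ["aws.signin"],
    "detail": {
        "eventSource": ["signin.amazonaws.com"],
        "additionalEventData": {"MFAUsed": ["No"]},
    },
}

def matches(pattern, event):
    """Return True if event satisfies pattern (exact-value matching only)."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False  # a field named in the pattern must be present
        actual = event[key]
        if isinstance(expected, dict):
            # Nested object in the pattern: descend into the event
            if not matches(expected, actual):
                return False
        else:
            # Leaf: list of allowed values; array fields match on any element
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True

def sample_event(user, mfa_used):
    """Constructed, trimmed-down sign-in event (not a real CloudTrail record)."""
    detail = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
              "userIdentity": {"userName": user}}
    if mfa_used is not None:
        detail["additionalEventData"] = {"MFAUsed": mfa_used}
    return {"source": "aws.signin", "account": "111122223333", "detail": detail}

def users_without_mfa(events):
    """User names of all events the pattern would route to the rule's targets."""
    return [e["detail"]["userIdentity"]["userName"] for e in events if matches(PATTERN, e)]

# Constructed input: MFA used, MFA not used, field absent, unrelated service
EVENTS = [sample_event("alice", "Yes"), sample_event("bob", "No"),
          sample_event("carol", None),
          {"source": "aws.ec2", "detail": {"eventSource": "ec2.amazonaws.com"}}]

if __name__ == "__main__":
    print(users_without_mfa(EVENTS))
```

Note that an event lacking the MFAUsed field does not match, so a rule like this reports only sign-ins that explicitly state MFA was not used.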

With the help of the Event Bus, the automatable rules of the CIS benchmark can be easily implemented. Besides, we gain the opportunity to respond to specific customer needs and save costs at the same time.

CIS benchmark in Azure

In Azure, too, the CIS benchmark is already integrated by default. In the Security Center, under Regulatory Compliance, different compliance standards can be used. These include CIS, PCI DSS, ISO 27001 and SOC TSP. The virtual infrastructure built up in the Azure Cloud and the services offered are continuously monitored for compliance, and a comprehensive report is issued.


Security in hybrid cloud setup

With the CIS benchmark, we use a tool that measures compliance in different cloud environments. This gives us an overview and the ability to report on the status of systems and services.

Further resources

Swisscom has published whitepapers on cloud security in which security issues are dealt with in detail. These can be obtained as follows:
