CIS AWS v1.4 is out!

Marina Limeira, published in Gruntwork, Sep 17, 2021

CIS launches new AWS version

In February, we launched an update to our CIS-compliant modules with the new version 1.3. In May, CIS announced a new version of the AWS Benchmark, version 1.4.0. Today, we announce the update of our CIS-compliant modules with the new version of the benchmark.

What’s changed?

These recommendations were introduced in the latest version of the benchmark:

  • [2.1.3] Ensure MFA Delete is enabled on S3 buckets: All S3 buckets need to have MFA Delete enabled. This ensures that the bucket owner must include an MFA token in any request to delete an object version or change the versioning state of a bucket.
  • [2.1.4] Ensure all data in Amazon S3 has been discovered, classified and secured when required: All S3 buckets now need to be analyzed by Amazon Macie, which uses machine learning and pattern matching to find sensitive data automatically in buckets.
  • [2.3.1] Ensure that encryption is enabled for RDS Instances: All RDS instances now need to have storage encrypted by default.

Besides the new additions, we also updated one recommendation:

  • [1.12] Ensure credentials unused for 45 days or greater are disabled: Passwords of IAM users who haven’t signed into the AWS Console in the last 45 days, and access keys that are older than 45 days, need to be disabled. The previous recommendation required unused credentials older than 90 days to be disabled. In addition, we also fixed a bug that was expiring all IAM passwords after 90 days regardless of whether they were used.
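As an added example (not code from the post or from the Gruntwork modules), here is a Python check of the updated 1.12 rule run over a constructed IAM credential report: it judges a password by its last console sign-in rather than its age (the bug described above), and treats a key that has never been used since it was created by its creation date, which is an assumption about how the audit is applied. The column names are assumed to follow the AWS credential report format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 45  # CIS AWS Foundations Benchmark v1.4 rec. 1.12 (v1.3 used 90)

# Constructed sample in the shape of an IAM credential report, trimmed to the
# columns this check reads (real reports carry more columns; the names and the
# "N/A" / "no_information" / "not_supported" markers follow the AWS format).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2021-09-10T12:00:00+00:00,2021-03-01T00:00:00+00:00,true,2021-08-20T00:00:00+00:00,2021-09-15T00:00:00+00:00
bob,true,2021-06-01T08:30:00+00:00,2021-05-01T00:00:00+00:00,false,N/A,N/A
carol,true,no_information,2021-09-01T00:00:00+00:00,true,2021-01-01T00:00:00+00:00,N/A
dave,false,not_supported,not_supported,true,2021-08-01T00:00:00+00:00,2021-06-01T00:00:00+00:00
"""

AS_OF = datetime(2021, 9, 17, tzinfo=timezone.utc)  # constructed audit time


def parse_ts(value):
    """ISO-8601 timestamp -> datetime; any non-date marker -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_credentials(report_csv, now=AS_OF, limit_days=UNUSED_DAYS):
    """Return (user, credential) pairs unused for limit_days or more."""
    cutoff = now - timedelta(days=limit_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            # Judge by last console sign-in, not by password age: ageing out
            # passwords regardless of use is the bug the post describes.
            # A password never used since it was set falls back to that date.
            seen = parse_ts(row["password_last_used"]) or parse_ts(row["password_last_changed"])
            if seen is not None and seen < cutoff:
                findings.append((row["user"], "password"))
        if row["access_key_1_active"] == "true":
            # Assumption: a key never used since creation is judged by its creation date.
            seen = parse_ts(row["access_key_1_last_used_date"]) or parse_ts(row["access_key_1_last_rotated"])
            if seen is not None and seen < cutoff:
                findings.append((row["user"], "access_key_1"))
    return findings


if __name__ == "__main__":
    for user, cred in stale_credentials(SAMPLE_REPORT):
        print(f"{user}: disable {cred} (unused for {UNUSED_DAYS}+ days)")
```

Running it against a real report means exporting the account's credential report first; the logic itself only needs the CSV text.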

To learn more about CIS and for a step-by-step deployment guide that will help you achieve compliance with this benchmark, check out our guide on How to achieve compliance with the CIS AWS Foundations Benchmark.

If you are looking to upgrade from version 1.3.0, check out the migration guide: How to update to CIS AWS Foundations Benchmark v1.4.0.
