Introducing: CIS Service Catalog and CIS Reference Architecture 2.0
The fastest way to achieve compliance with the CIS AWS Foundations Benchmark
After a few months of diligent work, we’re happy to announce the general availability of the CIS Service Catalog and CIS Reference Architecture 2.0! This is the fastest way to launch infrastructure in AWS that is compliant with the CIS AWS Foundations Benchmark.
What is the CIS Service Catalog?
For the last few years, we’ve provided customers with low-level Terraform modules that are compliant with the CIS AWS Foundations Benchmark out of the box: for example, we have one module that creates compliant Network ACLs (which met AWS CIS Benchmark recommendation 5.1), another module that creates compliant Security Groups (recommendation 5.2), and another one that creates the VPCs themselves. These modules were great, but it took a lot of work to assemble them into a production-grade infrastructure. With the addition of the CIS Service Catalog, we’ve added high-level services, an opinionated way to combine multiple modules into a single unit designed to be deployed directly to production, with almost no code to write.
For example, you can now use our Landing Zone services to deploy a CIS-compliant AWS Landing Zone in a few minutes. The Landing Zone services combine modules for CloudTrail, AWS Config, GuardDuty, EBS encryption, and all other CIS requirements.
As another example, here’s a code snippet you could use to deploy a CIS-compliant VPC that blocks all access to the remote server administration ports (recommendations 5.1 and 5.2):
module "vpc" {
# Replace <VERSION> with the most recent release from the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases:
source = "git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc?ref=<VERSION>" # Set the basic required variables first
vpc_name = "example-vpc"
aws_region = "us-east-1"
cidr_block = "10.2.0.0/16"
num_nat_gateways = 1 # Other params omitted to keep the example simple
}
What is CIS Reference Architecture 2.0?
The easiest way to take advantage of the CIS compliance offering is to opt for the Gruntwork subscription with the Gruntwork Reference Architecture option. The Reference Architecture is an end-to-end architecture that includes Landing Zone, VPC, EKS, and everything else you will need to run your entire infrastructure stack on AWS, all 100% managed as code. We will then deploy your entire architecture, configured for CIS compliance, in about one day.
We recently launched the 2.0 version of the Reference Architecture, which includes significant improvements and new features, such as the Gruntwork Landing Zone solution, the Gruntwork Pipelines solution, the latest Terragrunt features, Terraform 0.14 compatibility, end-to-end encryption by default, and much more.
Alternatively, you can compose your architecture yourself and configure it for CIS compliance by taking advantage of our terraform-aws-cis-service-catalog git repository. See the code snippet above for an example.
Keep up with updates to the standard
With Gruntwork compliance, we take care of all the grunt work of keeping up with the standard, so your team can stay focused & secure:
- In November 2019, we released our initial compliance offering, compliant with version 1.2.0 of the CIS AWS Benchmark.
- In January 2021, we updated it to meet the recommendations of v1.3.0.
- In May 2021 (just a few days ago), version 1.4.0 came out, and we are already starting to update our code to meet the new recommendations.
Interested? Get in touch!
If all this sounds potentially of interest and you’d like to learn more about our compliance offering, please contact us!
