CIS Benchmarks & Matillion ETL - AWS

Options & guidance for Matillion ETL administrators

1. What is CIS?

The Center for Internet Security (CIS) is a non-profit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities. CIS provides a set of well-defined best practices, known as CIS Benchmarks, which help organizations secure their systems and data against cyber threats.

2. What are CIS Benchmarks?

CIS Benchmarks are comprehensive, consensus-developed guidelines that provide specific, actionable recommendations for securing various IT systems and platforms. They are widely recognized and used to help organizations achieve strong security configurations.

Examples of Level 1 Benchmarks for RHEL 9

Below are examples of three Level 1 benchmarks for RHEL 9 and their summarized remediations:

Example 1: Ensure the file permissions on /etc/passwd are configured

  • Benchmark: Ensure that the permissions on /etc/passwd are set to 644 or more restrictive.
  • Remediation:
    chmod 644 /etc/passwd

Example 2: Ensure the GDM is removed or disabled

  • Benchmark: Ensure that the GNOME Display Manager (GDM) is removed or disabled if not required.
  • Remediation:
    systemctl disable gdm
    yum remove gdm

Example 3: Ensure the permissions on /etc/ssh/sshd_config are configured

  • Benchmark: Ensure that the permissions on /etc/ssh/sshd_config are set to 600 or more restrictive.
  • Remediation:
    chmod 600 /etc/ssh/sshd_config
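The audit side of the three examples above, as an added example that is not Matillion's or CIS's code: it checks each file against its "N or more restrictive" ceiling and interprets the gdm unit state, printing the remediation from the list only where a check fails. The audit table and the helper names are assumptions made for this example; the benchmark identifiers are left out because this page does not give them.

```python
import os
import stat
import subprocess
import tempfile

# Constructed audit table for the file-permission examples above:
# path -> the most permissive mode the benchmark allows.
FILE_CHECKS = {
    "/etc/passwd": 0o644,
    "/etc/ssh/sshd_config": 0o600,
}


def is_at_most(actual: int, maximum: int) -> bool:
    """True when the actual mode grants nothing that the maximum withholds.

    "644 or more restrictive" is a bitmask test, not a numeric comparison:
    0o640 and 0o444 pass, 0o664 fails (group write) and so does 0o4644
    (setuid), because each sets a bit that 0o644 does not.
    """
    return actual & ~maximum == 0


def audit_file_mode(path: str, maximum: int) -> dict:
    """Audit one file; status is PASS, FAIL or MISSING, plus the chmod to apply."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return {"path": path, "status": "MISSING", "actual": None,
                "expected": f"{maximum:o}", "remediation": None}
    compliant = is_at_most(mode, maximum)
    return {
        "path": path,
        "status": "PASS" if compliant else "FAIL",
        "actual": f"{mode:o}",
        "expected": f"{maximum:o}",
        "remediation": None if compliant else f"chmod {maximum:o} {path}",
    }


def audit_gdm(unit_state: str) -> dict:
    """Interpret `systemctl is-enabled gdm` output for the GDM example.

    The benchmark is met when the unit is disabled, masked or not installed
    ("not-found"); any other state (enabled, static, ...) fails.
    """
    state = unit_state.strip()
    compliant = state in {"disabled", "masked", "not-found"}
    return {"unit": "gdm", "status": "PASS" if compliant else "FAIL",
            "actual": state,
            "remediation": None if compliant else "systemctl disable gdm && yum remove gdm"}


def current_gdm_state() -> str:
    """Query systemd for the gdm unit state; 'not-found' when it is absent."""
    try:
        out = subprocess.run(["systemctl", "is-enabled", "gdm"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no systemctl on this host at all
        return "not-found"
    return out.stdout.strip() or "not-found"


def audit_scratch_file(mode: int, maximum: int = 0o644) -> str:
    """Self-check of the bitmask rule on a throwaway file created with `mode`."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, mode)
        return audit_file_mode(path, maximum)["status"]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    findings = [audit_file_mode(p, m) for p, m in FILE_CHECKS.items()]
    findings.append(audit_gdm(current_gdm_state()))
    for finding in findings:
        print(finding)
```

Run it as root on the RHEL 9 host to be audited; a file reported MISSING (for instance sshd_config on a host without OpenSSH server) is not a failure of the benchmark, only a check that does not apply.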

3. Options for applying CIS Benchmark remediations

There are two primary methods to apply CIS benchmark remediations:

CIS Hardened Images

These are pre-configured virtual machine images available on various cloud platforms, including AWS GovCloud, that have CIS benchmarks already applied. They are convenient and ensure that all recommendations are implemented correctly from the start.

Self-remediated

This approach involves manually applying the CIS benchmarks to an existing system. This method requires more effort and expertise but allows for more customization based on specific needs and constraints.

4. Pricing considerations for CIS Hardened Images

CIS Hardened Images typically cost more than standard virtual machine images. Pricing can vary based on factors such as the cloud provider, instance type, and region. It is essential to evaluate the additional cost against the benefits of enhanced security and ease of use.

5. Manually applying CIS remediations: Explanation of different levels

CIS benchmarks provide different levels of security settings:

Level 1

This level focuses on essential security settings that do not impact the system's usability. It is recommended for most environments and provides a good balance between security and functionality. Applying Level 1 remediations typically requires moderate effort but yields significant security improvements, making it suitable for general-purpose systems.

Level 2

This level offers more stringent security settings, which might impact the system's usability. It is recommended for environments requiring higher security levels, such as those dealing with sensitive data or facing higher threat levels. 

Implementing Level 2 remediations involves a higher effort due to their complexity and potential impact on system usability, but they provide enhanced security measures essential for critical and sensitive environments.

6. Considerations for CIS hardening

When implementing CIS benchmarks, consider the following:

Compatibility

Ensure that your applications and services are compatible with the CIS hardened configuration. Some settings might restrict functionalities or access required by certain applications.

Testing

Thoroughly test the remediations in a staging environment before applying them to production to avoid disruptions.

Documentation

Refer to the CIS Benchmark documentation for specific guidance and recommendations.

7. Updating RHEL 9 for new/changed CIS Benchmarks

To keep your RHEL 9 system updated with the latest CIS benchmark changes:

Update regularly

Use yum or dnf to regularly update your system packages. This ensures you receive the latest security patches and updates.

sudo yum update --disablerepo='Matillion*'

Note: In the command above, all Matillion repositories are excluded to avoid accidental updates of the Matillion ETL application.

Keep up with CIS updates

Monitor CIS for updates to the benchmarks and apply them as necessary. This may involve revisiting your configurations and applying new recommendations.

8. Maintenance and automation considerations

Maintaining a CIS hardened system involves regular monitoring and updates:

Automation tools

Consider using automation tools like Ansible, Puppet, or Chef to apply and maintain CIS configurations consistently across your environment.

Compliance monitoring

Implement compliance monitoring tools to ensure your systems remain aligned with CIS Benchmarks over time.

Regular audits

Conduct regular security audits and vulnerability assessments to identify and remediate any deviations from CIS Benchmarks.

9. Benchmarks for AWS

CIS also provides benchmarks specifically for AWS environments. These benchmarks help ensure that your AWS infrastructure is configured securely.

Examples of AWS CIS Benchmarks

Example 1: Ensure CloudTrail is enabled in all regions

  • Benchmark: AWS CloudTrail records AWS Management Console actions and API calls. Ensure CloudTrail is enabled to track activity across all regions.
  • Remediation: Enable CloudTrail in all AWS regions.

Example 2: Ensure S3 buckets block public access

  • Benchmark: Manage access to AWS resources by ensuring Amazon S3 buckets cannot be publicly accessed.
  • Remediation: Configure S3 bucket settings to block public access.

Example 3: Ensure IAM users are using a password policy that requires strong passwords

  • Benchmark: AWS Identity and Access Management (IAM) password policies should require at least one uppercase letter, one lowercase letter, one number, and one symbol.
  • Remediation: Update IAM password policies to enforce strong password requirements.
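The three AWS checks above expressed as evaluation logic, as an added example that is not Matillion's or AWS's code. The input dictionaries are constructed samples shaped like the responses of the boto3 calls cloudtrail.describe_trails, cloudtrail.get_trail_status, s3.get_public_access_block and iam.get_account_password_policy; the bucket and trail names, the region values and the function names are assumptions made for this example. The IAM check tests only the four character-class requirements the page lists.

```python
from typing import Dict, List, Optional

# Constructed sample responses (shaped like the boto3 results named above).
SAMPLE_TRAILS: List[dict] = [
    {"Name": "org-trail", "HomeRegion": "us-gov-west-1", "IsMultiRegionTrail": True},
    {"Name": "legacy-trail", "HomeRegion": "us-gov-east-1", "IsMultiRegionTrail": False},
]
SAMPLE_TRAIL_STATUS: Dict[str, dict] = {
    "org-trail": {"IsLogging": True},
    "legacy-trail": {"IsLogging": True},
}
SAMPLE_PUBLIC_ACCESS_BLOCK: Dict[str, Optional[dict]] = {
    "etl-staging-bucket": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "scratch-bucket": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "unconfigured-bucket": None,  # the API raised NoSuchPublicAccessBlockConfiguration
}
SAMPLE_PASSWORD_POLICY: Optional[dict] = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": False}}

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
PASSWORD_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols")


def check_cloudtrail_all_regions(trails: List[dict], statuses: Dict[str, dict]) -> dict:
    """Example 1: PASS when at least one multi-region trail is currently logging.

    A single-region trail, or a multi-region trail whose logging is stopped,
    does not count, which is why the per-trail status is needed alongside
    the trail list.
    """
    logging = [t["Name"] for t in trails
               if t.get("IsMultiRegionTrail")
               and statuses.get(t["Name"], {}).get("IsLogging")]
    return {"control": "CloudTrail enabled in all regions",
            "status": "PASS" if logging else "FAIL", "evidence": logging}


def check_s3_public_access_block(bucket: str, response: Optional[dict]) -> dict:
    """Example 2: PASS only when all four block-public-access settings are on.

    No configuration at all (None here) fails exactly like a partial one.
    """
    cfg = (response or {}).get("PublicAccessBlockConfiguration", {})
    off = [k for k in PAB_SETTINGS if not cfg.get(k, False)]
    return {"control": f"S3 block public access: {bucket}",
            "status": "FAIL" if off else "PASS", "evidence": off}


def check_iam_password_policy(response: Optional[dict]) -> dict:
    """Example 3: PASS when every listed character-class requirement is on.

    No account policy at all (the API raises NoSuchEntity, None here) means
    the AWS defaults apply, which fails.
    """
    cfg = (response or {}).get("PasswordPolicy", {})
    off = [k for k in PASSWORD_FLAGS if not cfg.get(k, False)]
    return {"control": "IAM password policy requires strong passwords",
            "status": "FAIL" if off else "PASS", "evidence": off}


def run_checks(trails=SAMPLE_TRAILS, statuses=SAMPLE_TRAIL_STATUS,
               buckets=SAMPLE_PUBLIC_ACCESS_BLOCK,
               policy=SAMPLE_PASSWORD_POLICY) -> List[dict]:
    """Evaluate all three examples; 'evidence' names what passed or what is off."""
    findings = [check_cloudtrail_all_regions(trails, statuses)]
    findings += [check_s3_public_access_block(b, r) for b, r in buckets.items()]
    findings.append(check_iam_password_policy(policy))
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f['status']:4} {f['control']}  {f['evidence']}")
```

On a live account the same functions take the real responses (the bucket loop would wrap get_public_access_block in a try/except that maps NoSuchPublicAccessBlockConfiguration to None); the evidence lists map directly onto the remediations above, since each "off" key is a setting to turn on.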

10. Monitoring compliance with CIS Benchmarks

To check a virtual machine (VM) and the surrounding AWS environment for compliance with CIS Benchmarks, you can use AWS services and external tools:

AWS Services

  • AWS Config: Continuously assesses, audits, and evaluates the configurations of your AWS resources. It helps monitor compliance with the CIS Benchmarks.
  • AWS Security Hub: Provides a comprehensive view of your security state within AWS and helps you check your environment against CIS Benchmarks.
  • Amazon CloudWatch: Monitors and logs your resources and applications, providing insights into performance and compliance.

External tools

  • CloudSploit: An open-source security configuration scanner that helps ensure your cloud environment complies with industry standards like CIS.
  • Qualys Cloud Platform: Provides continuous security monitoring and compliance for cloud infrastructure.

Conclusion

Applying CIS benchmarks to your Linux servers can significantly enhance your security posture. Whether you choose to use CIS Hardened Images or manually apply the benchmarks, it's crucial to understand the guidelines and maintain the configurations regularly. Following the above guidance can help ensure your systems are secure, compliant, and well-maintained.

Keep your eyes peeled for part two coming soon!

Additional Resources
  • Center for Internet Security (CIS) Official Website
    CIS Official Website
    The official website of the Center for Internet Security offers resources, benchmarks, and tools to enhance cybersecurity readiness and response.
  • Sign up to download CIS Benchmarks
    CIS Benchmarks Download
    Register to access and download various CIS Benchmarks, which provide configuration guidelines to secure your systems and data against cyber threats.
  • Installing Matillion ETL on a new virtual machine
    Matillion ETL Installation Guide
    This guide provides step-by-step instructions for installing Matillion ETL on a new virtual machine, helping users set up and configure their data integration environment.
  • Blog post on industry best practices for securing AWS resources
    Industry Best Practices for Securing AWS Resources
    A blog post by AWS highlighting industry best practices for securing AWS resources. It offers insights and recommendations to enhance your cloud security posture.
  • Using AWS CloudWatch to monitor CIS Benchmark controls
    AWS CloudWatch Contributor Insights for CIS Benchmarks
    This blog post demonstrates how to use AWS CloudWatch Contributor Insights to monitor CIS AWS Foundations Benchmark controls by analyzing log trail event data and creating a time series to display contributor data.
  • AWS Operational best practices for CIS Benchmarks
    AWS Operational Best Practices
    This guide provides operational best practices for managing and maintaining CIS benchmarks in AWS environments, including how to set up monitoring and compliance checks using AWS Config.

James Kosterman

DevOps Sales Solutions Consultant