What is a Security Benchmark?
A security benchmark is an assessment that provides advice on the security posture of your cloud environment and guidelines on how to monitor your account.
A security benchmark will follow best practices as it gives a baseline of how to keep your account secure. A best practice is a method that has been accepted because of the results it provides. Organizations and companies will use these security benchmarks to try and achieve security compliance. A well-known security benchmark is the CIS benchmark for the cloud.
Individuals working within the account may not know what best practices are when setting up resources in AWS, so a security benchmark is helpful in keeping the account compliant. Another aspect to keep in mind is the shared responsibility model which is just an explanation of what the cloud is responsible for and what you are responsible for.
The benchmark will usually be broken up into sections based of resource types. Some of these resources would include:
- IAM
- S3/EBS/RDS
- CloudTrail/CloudWatch
- VPCs/Security Groups/NACLs
Within these sections there should be an explanation of the suggestion being given and steps to check if this control is already in place within the account; if the control is not being enforced, there will also be steps on how to remediate the issue either through CLI or the user interface.
Why Utilize a Security Benchmark?
Performing a security audit through using a security benchmark has many benefits such as:
- Have an understanding of where your cloud architecture is in terms of security
- Provides actionable work items to improve your cloud security posture
- Gives recommendations to ensure ongoing compliance with best practices
- Shows other companies/individuals that your account is secure
- Outlines a clear set of industry standards so you don’t have to research each resource’s best practices on your own
Maintaining Your Security Posture:
There are many benefits that a security benchmark can provide, but all these benefits are useless unless the configurations and controls are maintained. Here are some suggestions to easily keeping your account maintained:
- Create a company standard guide within a shared file space
- Use a configuration management solutions such as AWS Config
- Always think security whenever implementing new resources!
- Use an infrastructure as code solution and modularize resources such as S3 Buckets
AWS also offers a service to set up compliance insights called AWS config. For more information, check out this article!
