npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
When to Use
- When performing initial security audits of cloud environments against industry-standard benchmarks
- When preparing for SOC 2, ISO 27001, or regulatory audits that reference CIS controls
- When establishing a measurable security baseline for new cloud accounts or subscriptions
- When tracking compliance improvement over time with periodic reassessment
- When evaluating the security posture of acquired or inherited cloud environments
Do not use for runtime threat detection (see detecting-cloud-threats-with-guardduty), for application-level security testing (see conducting-cloud-penetration-testing), or for compliance frameworks not based on CIS (refer to specific regulatory skill files).
Prerequisites
- Read-only access to target cloud accounts (AWS SecurityAudit policy, Azure Reader role, GCP Viewer role)
- Prowler, ScoutSuite, or cloud-native CSPM tools installed and configured
- Understanding of CIS benchmark structure: sections, controls, profiles (Level 1 and Level 2)
- Remediation access for implementing fixes (separate from audit credentials)
Workflow
Step 1: Select Appropriate CIS Benchmark Version
Choose the correct benchmark version for each cloud provider. Current versions as of 2025 include CIS AWS Foundations Benchmark v5.0, CIS Azure Foundations Benchmark v4.0, and CIS GCP Foundations Benchmark v4.0.
CIS Benchmark Coverage Areas:
+-------------------+-------------------------+------------------------+
| Section | AWS v5.0 | Azure v4.0 |
+-------------------+-------------------------+------------------------+
| Identity & Access | IAM policies, MFA, root | Azure AD, RBAC, PIM |
| Logging | CloudTrail, Config | Activity Log, Diag |
| Monitoring | CloudWatch alarms | Defender, Sentinel |
| Networking | VPC, SG, NACLs | NSG, ASG, Firewall |
| Storage | S3 encryption, access | Storage encryption |
| Database | RDS encryption | SQL TDE, auditing |
+-------------------+-------------------------+------------------------+
CIS Profile Levels:
Level 1: Practical security settings that can be implemented without significant
performance impact or reduced functionality
Level 2: Defense-in-depth settings that may reduce functionality or require
additional planning for implementationStep 2: Run Automated Assessment with Prowler
Execute comprehensive CIS benchmark scans using Prowler for automated control evaluation across AWS, Azure, and GCP.
# AWS CIS v5.0 assessment
prowler aws \
--compliance cis_5.0_aws \
--profile audit-account \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-$(date +%Y%m%d)
# Azure CIS v4.0 assessment
prowler azure \
--compliance cis_4.0_azure \
--subscription-ids "sub-id-1,sub-id-2" \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-azure-$(date +%Y%m%d)
# GCP CIS v4.0 assessment
prowler gcp \
--compliance cis_4.0_gcp \
--project-ids "project-1,project-2" \
--output-formats json-ocsf,html,csv \
--output-directory ./cis-audit-gcp-$(date +%Y%m%d)
# Multi-account AWS scan using ScoutSuite
scout suite aws \
--profile audit-account \
--report-dir ./scout-report \
--ruleset cis-5.0 \
--forceStep 3: Interpret Results and Prioritize Remediation
Analyze audit results by section and severity. Prioritize Level 1 controls first as they represent fundamental security hygiene, then address Level 2 controls for defense in depth.
# Parse Prowler results for failed controls
cat ./cis-audit-*/prowler-output-*.json | \
jq '[.[] | select(.StatusExtended == "FAIL")] | group_by(.CheckID) |
map({control: .[0].CheckID, description: .[0].CheckTitle,
failed_resources: length, severity: .[0].Severity}) |
sort_by(-.failed_resources)'
# Generate compliance score by section
cat ./cis-audit-*/prowler-output-*.json | \
jq 'group_by(.Section) | map({
section: .[0].Section,
total: length,
passed: [.[] | select(.StatusExtended == "PASS")] | length,
failed: [.[] | select(.StatusExtended == "FAIL")] | length,
score: (([.[] | select(.StatusExtended == "PASS")] | length) / length * 100 | round)
})'Step 4: Remediate Critical and High Controls
Address failed controls starting with the highest impact items. Use AWS Config remediation, Azure Policy, or Terraform to apply fixes systematically.
# CIS 1.4: Ensure no root account access key exists
aws iam list-access-keys --user-name root
# If keys exist, delete them
aws iam delete-access-key --user-name root --access-key-id AKIAEXAMPLE
# CIS 2.1.1: Ensure S3 bucket default encryption is enabled
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
aws s3api put-bucket-encryption --bucket "$bucket" \
--server-side-encryption-configuration '{
"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}' 2>/dev/null && echo "Encrypted: $bucket" || echo "FAILED: $bucket"
done
# CIS 3.1: Ensure CloudTrail is enabled in all regions
aws cloudtrail create-trail \
--name organization-trail \
--s3-bucket-name cloudtrail-logs-bucket \
--is-multi-region-trail \
--enable-log-file-validation \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id
aws cloudtrail start-logging --name organization-trail
# CIS 4.x: Configure CloudWatch metric filters and alarms
aws logs put-metric-filter \
--log-group-name CloudTrail/DefaultLogGroup \
--filter-name UnauthorizedAPICalls \
--filter-pattern '{ ($.errorCode = "*UnauthorizedAccess*") || ($.errorCode = "AccessDenied*") }' \
--metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=CISBenchmark,metricValue=1Step 5: Establish Continuous Compliance Monitoring
Deploy automated compliance monitoring to detect configuration drift between periodic audits. Use AWS Security Hub, Azure Policy, or GCP Security Command Center.
# AWS: Enable CIS v5.0 in Security Hub
aws securityhub batch-enable-standards \
--standards-subscription-requests '[
{"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/5.0.0"}
]'
# Azure: Assign CIS benchmark policy initiative
az policy assignment create \
--name cis-azure-benchmark \
--scope "/subscriptions/<sub-id>" \
--policy-set-definition "1a5bb27d-173f-493e-9568-eb56638dbd0e" \
--params '{"effect": {"value": "AuditIfNotExists"}}'
# Schedule periodic Prowler assessments
# Run weekly via cron or CI/CD pipeline
0 2 * * 1 prowler aws --compliance cis_5.0_aws --output-formats csv --output-directory /opt/audits/weekly-$(date +\%Y\%m\%d)Key Concepts
| Term | Definition |
|---|---|
| CIS Benchmark | Prescriptive security configuration guidelines developed by the Center for Internet Security through community consensus |
| Level 1 Profile | Practical security controls implementable without significant performance or functionality impact, representing security hygiene |
| Level 2 Profile | Defense-in-depth controls that may restrict functionality and require careful planning before implementation |
| Foundations Benchmark | CIS benchmark specifically for cloud providers covering IAM, logging, monitoring, networking, and storage security |
| Control ID | Unique numerical identifier for each CIS recommendation (e.g., 1.4 for root access key checks, 2.1.1 for S3 encryption) |
| Compliance Score | Percentage of CIS controls in a passing state, tracked over time to measure security posture improvement |
| Automated Assessment | Tool-driven evaluation of CIS controls using cloud provider APIs to check resource configurations against benchmark requirements |
| Remediation Runbook | Documented step-by-step procedure for fixing a specific failed CIS control, including pre-checks and validation |
Tools & Systems
- Prowler: Open-source cloud security tool performing 300+ checks including CIS benchmark assessments for AWS, Azure, and GCP
- ScoutSuite: Multi-cloud security auditing tool with CIS benchmark rule sets generating HTML reports
- AWS Security Hub: Native AWS service supporting CIS AWS Foundations Benchmark as a security standard
- Azure Policy: Governance service with built-in CIS benchmark policy initiatives for automated compliance monitoring
- GCP Security Command Center: Native GCP service evaluating configurations against CIS GCP Foundations Benchmark
Common Scenarios
Scenario: Pre-Audit CIS Assessment for SOC 2 Certification
Context: A SaaS company pursuing SOC 2 Type II certification needs to demonstrate cloud security controls aligned to CIS benchmarks. The auditor requires evidence of continuous compliance monitoring across 45 AWS accounts.
Approach:
- Run Prowler CIS v5.0 assessment across all 45 accounts to establish the baseline compliance score
- Export results to CSV and categorize failures by section (IAM, Logging, Monitoring, Networking)
- Map each CIS control to the relevant SOC 2 Trust Services Criteria (CC6.1, CC6.6, CC7.1, etc.)
- Remediate all Level 1 control failures within 30 days and Level 2 within 60 days
- Enable CIS v5.0 in AWS Security Hub for continuous monitoring and automated drift detection
- Generate weekly compliance reports showing improvement trajectory for the auditor
- Document exceptions for controls intentionally not implemented with risk acceptance justification
Pitfalls: Remediating controls without testing in a staging environment first can break production workloads. Ignoring Level 2 controls entirely weakens the audit narrative even if they are not strictly required.
Output Format
CIS Benchmark Audit Report
============================
Cloud Provider: AWS
Benchmark Version: CIS AWS Foundations Benchmark v5.0
Accounts Assessed: 45
Assessment Date: 2025-02-23
Tool: Prowler v4.3.0
OVERALL COMPLIANCE SCORE: 74%
COMPLIANCE BY SECTION:
1. Identity and Access Management: 68% (41/60 controls passed)
2. Storage: 82% (28/34 controls passed)
3. Logging: 91% (20/22 controls passed)
4. Monitoring: 55% (18/33 controls passed)
5. Networking: 78% (32/41 controls passed)
TOP FAILED CONTROLS (by affected accounts):
[1.4] Root account has active access keys - 3/45 accounts
[1.5] MFA not enabled for root account - 2/45 accounts
[2.1.1] S3 default encryption not enabled - 12/45 accounts
[3.1] CloudTrail not multi-region - 8/45 accounts
[4.3] No alarm for root account usage - 28/45 accounts
[5.1] VPC flow logs not enabled - 15/45 accounts
[5.4] Security groups allow 0.0.0.0/0 ingress - 22/45 accounts
REMEDIATION PRIORITY:
Critical (Fix within 7 days): Root access keys, missing root MFA
High (Fix within 30 days): S3 encryption, CloudTrail, VPC flow logs
Medium (Fix within 60 days): CloudWatch alarms, security group restrictions
Low (Fix within 90 days): Level 2 controls, informational itemsReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.9 KB
API Reference: Auditing Cloud with CIS Benchmarks
boto3 - AWS CIS Checks
IAM Account Summary (Root Keys, MFA)
import boto3
iam = boto3.client("iam")
summary = iam.get_account_summary()["SummaryMap"]
print("Root access keys:", summary["AccountAccessKeysPresent"])
print("Root MFA:", summary["AccountMFAEnabled"])Password Policy
policy = iam.get_account_password_policy()["PasswordPolicy"]
print("Min length:", policy["MinimumPasswordLength"])
print("Require symbols:", policy["RequireSymbols"])CloudTrail Multi-Region
ct = boto3.client("cloudtrail")
trails = ct.describe_trails()["trailList"]
for t in trails:
print(t["Name"], "Multi-region:", t["IsMultiRegionTrail"])VPC Flow Logs
ec2 = boto3.client("ec2")
vpcs = ec2.describe_vpcs()["Vpcs"]
flow_logs = ec2.describe_flow_logs()["FlowLogs"]
logged = {fl["ResourceId"] for fl in flow_logs}
for vpc in vpcs:
print(vpc["VpcId"], "Logged:" if vpc["VpcId"] in logged else "MISSING")CIS Controls Quick Reference
| CIS Control | boto3 Method | Check |
|---|---|---|
| 1.4 Root keys | iam.get_account_summary() |
AccountAccessKeysPresent == 0 |
| 1.5 Root MFA | iam.get_account_summary() |
AccountMFAEnabled == 1 |
| 2.1.1 S3 encryption | s3.get_bucket_encryption() |
No ClientError |
| 3.1 CloudTrail | ct.describe_trails() |
IsMultiRegionTrail |
| 5.1 VPC flow logs | ec2.describe_flow_logs() |
All VPCs covered |
| 5.4 Default SG | ec2.describe_security_groups() |
No 0.0.0.0/0 rules |
Prowler CLI
prowler aws --compliance cis_5.0_aws --output-formats json,csv
prowler azure --compliance cis_4.0_azure
prowler gcp --compliance cis_4.0_gcpReferences
Scripts 1
agent.py6.2 KB
#!/usr/bin/env python3
"""Agent for auditing cloud infrastructure against CIS Benchmarks using boto3."""
import os
import json
import argparse
from datetime import datetime
import boto3
from botocore.exceptions import ClientError
def check_root_access_keys(session):
"""CIS 1.4 - Ensure no root account access key exists."""
iam = session.client("iam")
summary = iam.get_account_summary()["SummaryMap"]
root_keys = summary.get("AccountAccessKeysPresent", 0)
return {"control": "1.4", "description": "Root access keys", "status": "FAIL" if root_keys > 0 else "PASS", "detail": f"{root_keys} keys"}
def check_root_mfa(session):
"""CIS 1.5 - Ensure MFA is enabled for the root account."""
iam = session.client("iam")
summary = iam.get_account_summary()["SummaryMap"]
mfa = summary.get("AccountMFAEnabled", 0)
return {"control": "1.5", "description": "Root MFA", "status": "PASS" if mfa else "FAIL"}
def check_password_policy(session):
"""CIS 1.8-1.11 - Ensure IAM password policy is strong."""
iam = session.client("iam")
try:
policy = iam.get_account_password_policy()["PasswordPolicy"]
issues = []
if policy.get("MinimumPasswordLength", 0) < 14:
issues.append("MinLength < 14")
if not policy.get("RequireUppercaseCharacters"):
issues.append("No uppercase required")
if not policy.get("RequireLowercaseCharacters"):
issues.append("No lowercase required")
if not policy.get("RequireNumbers"):
issues.append("No numbers required")
if not policy.get("RequireSymbols"):
issues.append("No symbols required")
return {"control": "1.8-1.11", "description": "Password policy", "status": "FAIL" if issues else "PASS", "detail": issues}
except ClientError:
return {"control": "1.8", "description": "Password policy", "status": "FAIL", "detail": "No policy set"}
def check_cloudtrail_multiregion(session):
"""CIS 3.1 - Ensure CloudTrail is enabled in all regions."""
ct = session.client("cloudtrail")
trails = ct.describe_trails()["trailList"]
multiregion = [t for t in trails if t.get("IsMultiRegionTrail")]
return {"control": "3.1", "description": "CloudTrail multi-region", "status": "PASS" if multiregion else "FAIL", "detail": f"{len(multiregion)} multi-region trails"}
def check_cloudtrail_log_validation(session):
"""CIS 3.2 - Ensure CloudTrail log file validation is enabled."""
ct = session.client("cloudtrail")
trails = ct.describe_trails()["trailList"]
no_validation = [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
return {"control": "3.2", "description": "Log file validation", "status": "FAIL" if no_validation else "PASS", "detail": no_validation}
def check_s3_encryption(session):
"""CIS 2.1.1 - Ensure S3 default encryption is enabled."""
s3 = session.client("s3")
buckets = s3.list_buckets()["Buckets"]
unencrypted = []
for b in buckets:
try:
s3.get_bucket_encryption(Bucket=b["Name"])
except ClientError:
unencrypted.append(b["Name"])
return {"control": "2.1.1", "description": "S3 default encryption", "status": "FAIL" if unencrypted else "PASS", "detail": unencrypted}
def check_vpc_flow_logs(session):
"""CIS 5.1 - Ensure VPC flow logging is enabled."""
ec2 = session.client("ec2")
vpcs = ec2.describe_vpcs()["Vpcs"]
flow_logs = ec2.describe_flow_logs()["FlowLogs"]
logged_vpcs = {fl["ResourceId"] for fl in flow_logs}
missing = [v["VpcId"] for v in vpcs if v["VpcId"] not in logged_vpcs]
return {"control": "5.1", "description": "VPC flow logs", "status": "FAIL" if missing else "PASS", "detail": missing}
def check_default_sg_restrictions(session):
"""CIS 5.4 - Ensure default security group restricts all traffic."""
ec2 = session.client("ec2")
sgs = ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
open_default = []
for sg in sgs:
if sg.get("IpPermissions") or sg.get("IpPermissionsEgress"):
for rule in sg.get("IpPermissions", []):
for ip_range in rule.get("IpRanges", []):
if ip_range.get("CidrIp") == "0.0.0.0/0":
open_default.append(sg["GroupId"])
return {"control": "5.4", "description": "Default SG restrictions", "status": "FAIL" if open_default else "PASS", "detail": open_default}
def run_full_audit(session):
"""Execute all CIS benchmark checks."""
checks = [
check_root_access_keys, check_root_mfa, check_password_policy,
check_cloudtrail_multiregion, check_cloudtrail_log_validation,
check_s3_encryption, check_vpc_flow_logs, check_default_sg_restrictions,
]
results = []
for check_fn in checks:
result = check_fn(session)
results.append(result)
status_icon = "PASS" if result["status"] == "PASS" else "FAIL"
print(f" [{status_icon}] {result['control']}: {result['description']}")
return results
def main():
parser = argparse.ArgumentParser(description="CIS Benchmark Cloud Audit Agent")
parser.add_argument("--profile", default=os.getenv("AWS_PROFILE"))
parser.add_argument("--region", default=os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
parser.add_argument("--output", default="cis_audit_report.json")
args = parser.parse_args()
session = boto3.Session(profile_name=args.profile, region_name=args.region)
account = session.client("sts").get_caller_identity()["Account"]
print(f"[+] CIS Benchmark Audit for account {account}")
results = run_full_audit(session)
passed = sum(1 for r in results if r["status"] == "PASS")
total = len(results)
score = int(passed / total * 100) if total else 0
report = {
"account": account,
"benchmark": "CIS AWS Foundations v5.0",
"audit_date": datetime.utcnow().isoformat(),
"compliance_score": f"{score}%",
"passed": passed,
"failed": total - passed,
"checks": results,
}
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Score: {score}% ({passed}/{total} passed)")
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()