
Why does the CIS AWS Foundations Benchmark package cost additional money?

Answer

A customer asked:

> Why does the CIS AWS Foundations Benchmark package cost additional money?

Our reference architecture and the CIS compliance repo are certified by CIS, and we pay a membership fee to CIS. We also maintain the code against the latest version of the Benchmark and provide migration guides (see [here](https://gruntwork.io/guides/upgrades/how-to-update-to-cis-14/) and [here](https://gruntwork.io/guides/upgrades/how-to-update-to-cis-13), for example).

It is actually possible to achieve CIS compliance with the library without the CIS package; all the modules have the features available. However, it is faster, and thus more cost effective, to use our dedicated compliance repo with all the wrapper modules. One example is working out what CIS actually requires in practice. Yes, setting up MFA delete is a requirement, but:

1. Even this one requirement is harder than it looks. Terraform doesn't support it natively yet, and the AWS APIs require you to authenticate as the root (!) user, use MFA with the root user, and use a different MFA token for each bucket you want to enable it on. Figuring all this out is complicated: we wrote docs, scripts, modules, etc. to handle it.
2. There are something like 60 requirements in total. Some are changes to existing modules (like MFA delete); some require entirely separate modules that we only have in our compliance repo (e.g., AWS Security Hub, AWS Macie, automated cleanup of expired TLS certs, etc.). All told, it is many person-months of work to build initially. We make all of this available so that our customers can get a Ref Arch compliant with the CIS benchmarks in ~1 day.
3. Even after the initial build-out, new CIS standards are released periodically: e.g., we started with 1.2.0, and over the last few years they have released 1.3.0 and 1.4.0. We spent several more person-months updating all our code to meet the new requirements in each of those releases. As a result, for our customers it comes down to following an upgrade guide, with mostly version-number bumps, which can typically be done in ~1 day.