Skip to main content

Recommendation sections

Identity and Access Management

Number of recommendations: 21

The recommendations in this section involve the use of identity, accounts, authentication, and authorization. On AWS, most identity and access control related concerns are managed using the IAM service. Hence, most (but not all) of the recommendations in this section discuss particular IAM configurations, such as the configuration of the password policy, the use of various groups and roles, and the configuration of multi-factor authentication (MFA) devices.


Number of recommendations: 7

This section was added originally in the previous CIS version (1.3.0), and now in 1.4.0 the recommendations are enhancements and updates to the use of AWS’s storage capabilities. The relevant services for this section are S3, EC2 and RDS. The recommendations in this section pertain to in-transit and at-rest encryption, access control to the resources, and handling sensitive data.


Number of recommendations: 11

AWS has a variety of logging, monitoring, and auditing features, and the Benchmark has recommendations for several of them:

  • AWS CloudTrail tracks user activity and API usage

  • AWS Config records and evaluates resource configurations

  • VPC Flow Logs capture network traffic information in VPCs

  • AWS KMS lets you handle keys to encrypt and decrypt your data

AWS has several other logging related features that are not covered directly by the Benchmark. For example, the primary log ingestion and query service, Amazon CloudWatch Logs, is integrated with many other AWS services. The Benchmark recommends that CloudTrail is integrated with CloudWatch Logs. Within the Gruntwork modules we’ve setup CloudWatch with all the integrated services such as AWS Config, CloudTrail and S3.


Number of recommendations: 15

Monitoring is an overloaded term in the industry. In the context of the AWS Foundations Benchmark, the monitoring section is exclusively about monitoring for specific API calls using the CloudTrail service paired with CloudWatch Logs filter metrics. Each recommendation in this section spells out a specific filter and an associated alarm.

Metric filter-related recommendations in this section are dependent on the "Ensure CloudTrail is enabled in all regions" and "Ensure CloudTrail trails are integrated with CloudWatch Logs" recommendation in the "Logging" section.


Number of recommendations: 4

The Benchmark is uncomfortably light on networking, considering its central role in the security of any distributed system. The recommendations merely limit traffic from the zero network ( and suggest limiting routing for VPC peering connections based on the principle of least-privilege.