CIS AWS Foundations Benchmark v2.0 — Securing AWS Cloud resources | Tech Blog
3 min readJul 14


The cloud has become an integral part of modern-day tech infrastructure, and with that comes the need for tight security measures. The CIS AWS Benchmark is one of the most comprehensive security compliance standards for AWS cloud environments. It provides guidelines for configuring AWS services securely and is widely recognized as a benchmark for cloud security best practices. We are excited to announce that our product now supports CIS AWS Foundations Benchmark v2.0.

Even though it is a major version (the earlier version was v1.5.0), there are no major changes in recommendations. CIS AWS Foundations Benchmark v2.0 includes 2 new recommendations, 1 recommendation removed, and updates to the descriptions and remediation steps of some recommendations.

New recommendations

1.22 Ensure access to AWSCloudShellFullAccess is restricted

AWS CloudShell is a browser-based shell, where you can quickly and securely access AWS Command Line Interfaces (CLIs), PowerShell, Bash, and other tools from a preconfigured and pre-authenticated browser-based shell environment.

AWS CloudShell
AWS CloudShell

The AWS-managed policy AWSCloudShellFullAccess uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to CloudShell and its features. The AWS credentials you used to sign in to the console are instantly accessible in a new shell session.

Within the CloudShell environment, a user has sudo permissions and can access the internet. CloudShell allows file upload and download capability between a user’s local system and the CloudShell environment. So it is possible to install file transfer software (for example) and move data from CloudShell to external internet servers, thus opening a data exfiltration channel for malicious cloud admins.

As a best practice, administrators can define policies that specify the specific operations that users can execute with the shell environment at a granular level. This new recommendation helps cloud admins identify IAM roles with the AWSCloudShellFullAccess policy attached and adjust permissions per their requirements.

5.6 Ensure that EC2 Metadata Service only allows IMDSv2

This is my favourite recommendation. I have already covered the benefits of IMDSv2 in another blog post. I strongly recommend ensuring that all EC2 instances use IMDSv2. This recommendation helps cloud admins to identify EC2 instances with IMDSv1. AWS released IMDSv2 in Nov 2019, and it is surprising that CIS took almost 3.5 years to include this critical recommendation in one of the most followed benchmarks.

Removed recommendation

2.1.1 Ensure all S3 buckets employ encryption-at-rest

Starting January 2023, S3 will automatically apply server-side encryption (SSE-S3) to each new object, unless a different encryption option has been specified. However, existing buckets that currently use S3 default encryption will not be affected. It’s important to note that the new default encryption will not apply to objects that existed in the buckets before the change in encryption settings. This creates a tricky situation where some objects may remain unencrypted while new objects are encrypted. It’s important to consider that, from now onwards, there will always be some kind of encryption for the bucket, but this CIS recommendation has been removed.

CloudYali supports CIS AWS Foundations Benchmark v2.0

We perform daily security compliance checks for AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark v2.0. These checks are performed for each CloudYali managed AWS account every day. Upon successful completion, a CSV report is generated and made available for download for the next 48 hours. Users can use these reports further in their workflows. Additionally, all security compliance control findings are available in a dedicated Compliance tab in the CloudYali console.

CloudYali Security Compliance
CloudYali Security Compliance

If you’re looking for an easy way to fulfil your AWS Cloud compliance needs, please signup for a free CloudYali trial.

Originally published at


-- | Tech Blog

Easily view and query all you AWS could — multiple accounts, multiple regions in a single place.