CIS AWS Benchmark tool: which controls CloudArq checks
The Center for Internet Security's AWS Foundations Benchmark is the de-facto baseline for cloud security. This page explains what it covers, how CloudArq aligns with v1.5 and v3.0, and which specific controls we scan on every audit run.
Updated 2026-04-19 · ~6 minute read
What is the CIS AWS Benchmark?
A free, community-maintained checklist of AWS security settings that, if implemented, reduce the most common attack vectors. The Center for Internet Security (cisecurity.org) publishes it annually. Version 1.5 (2022) is still the most-cited; version 3.0 (late 2024) adds coverage for Organizations, KMS, and Lambda.
Every AWS-focused compliance framework (SOC 2, HIPAA, PCI DSS, NIST 800-53) is more demanding than CIS, but every one of them treats CIS as the entry ticket. If you fail the Benchmark, you won't pass any of them. If you pass it, you're ready for the harder frameworks — which is why the SOC 2 checklist starts by assuming CIS is done.
How CloudArq aligns
- v1.5: Primary baseline. Every CloudArq tier — Starter, Pro, Max — enables the v1.5 control set. Starter runs the 46-check subset that covers the Section 1 (IAM) and Section 5 (Networking) controls most likely to block an audit.
- v3.0: Additive delta. v3.0 controls that aren't in v1.5 (Organizations, KMS rotation, Lambda) are merged into the Pro and Max checker sets so organisations on either benchmark have coverage.
- Gap: A small set of CIS controls is on the roadmap rather than implemented, mostly controls that require organization-wide AWS Config rules or IAM Access Analyzer data. They're flagged Roadmap in the table below.
Controls at a glance
A representative subset of the CIS AWS Benchmark — full coverage in the Max tier. See cisecurity.org for the complete spec.
| ID | Section | Title | Severity | CloudArq |
|---|---|---|---|---|
| 1.4 | IAM | Ensure no root account access key exists | high | Checked |
| 1.5 | IAM | Ensure MFA is enabled for the root account | high | Checked |
| 1.7 | IAM | Eliminate use of the root account for administrative tasks | high | Checked |
| 1.8 | IAM | Ensure IAM password policy requires ≥ 14 characters | medium | Checked |
| 1.9 | IAM | Ensure IAM password policy prevents password reuse | medium | Checked |
| 1.10 | IAM | Ensure MFA is enabled for all IAM users with a console password | high | Checked |
| 1.12 | IAM | Ensure credentials unused for 90 days or greater are disabled | medium | Checked |
| 1.14 | IAM | Ensure access keys are rotated every 90 days or less | medium | Checked |
| 1.20 | IAM | Ensure that IAM Access Analyzer is enabled for all regions | medium | Roadmap |
| 3.1 | Logging | Ensure CloudTrail is enabled in all regions | high | Checked |
| 3.2 | Logging | Ensure CloudTrail log-file validation is enabled | medium | Checked |
| 3.3 | Logging | Ensure the S3 bucket used for CloudTrail logs is not publicly accessible | high | Checked |
| 3.4 | Logging | Ensure CloudTrail trails are integrated with CloudWatch Logs | medium | Roadmap |
| 3.5 | Logging | Ensure AWS Config is enabled in all regions | medium | Checked |
| 3.7 | Logging | Ensure CloudTrail logs are encrypted at rest using KMS-managed keys | medium | Checked |
| 3.8 | Logging | Ensure rotation for customer-created KMS keys is enabled | medium | Checked |
| 3.9 | Logging | Ensure VPC flow logging is enabled in all VPCs | medium | Checked |
| 4.1 | Monitoring | Ensure a log metric filter + alarm for unauthorized API calls exists | medium | Checked |
| 4.2 | Monitoring | Ensure a log metric filter + alarm for Management-Console sign-in without MFA | medium | Checked |
| 4.3 | Monitoring | Ensure a log metric filter + alarm for root-account usage | high | Checked |
| 4.4 | Monitoring | Ensure a log metric filter + alarm for IAM policy changes | medium | Checked |
| 5.1 | Networking | Ensure no NACLs allow ingress from 0.0.0.0/0 to remote admin ports | high | Checked |
| 5.2 | Networking | Ensure no security group allows ingress from 0.0.0.0/0 to port 22 | high | Checked |
| 5.3 | Networking | Ensure no security group allows ingress from 0.0.0.0/0 to port 3389 | high | Checked |
| 5.4 | Networking | Ensure the default security group of every VPC restricts all traffic | medium | Checked |
| 5.5 | Networking | Ensure routing tables for VPC peering are least-access | medium | Roadmap |
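To make the Networking rows concrete, here is an added example (not CloudArq's code) that evaluates controls 5.2 and 5.3 over security-group data in the shape boto3's describe_security_groups() returns; the three sample groups are constructed inline so it runs offline, and it handles the cases a naive port-equality check misses (protocol -1, port ranges, IPv6 ::/0).

```python
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
ADMIN_PORTS = {22: "5.2", 3389: "5.3"}  # remote admin port -> CIS control ID


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits traffic to `port`.

    Covers the cases a naive equality check misses: protocol -1 (all
    traffic) carries no port fields, and a range like 0-1024 includes 22.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # UDP/ICMP rules do not expose SSH/RDP
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_is_world_open(perm):
    """True if the entry's source includes the IPv4 or IPv6 any-address."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def find_violations(security_groups):
    """Return sorted (GroupId, CIS control ID) pairs for failing groups."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port, control in ADMIN_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.add((sg["GroupId"], control))
    return sorted(findings)

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"]:
# sg-aaa is compliant, sg-bbb exposes 22 via a port range over IPv6, sg-ccc fails both.
SAMPLE = [
    {"GroupId": "sg-aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]},
]
```

Against a live account you would feed the `SecurityGroups` list from every region into `find_violations`; each returned pair maps directly to a table row above.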
How to read the output
Each CloudArq finding carries the CIS control ID it satisfies in its metadata. From the compliance-gaps page you can filter by framework (CIS) and sort by severity; every row shows the AWS CLI command or Terraform block to fix the gap. The same finding carries its mapping for SOC 2, HIPAA, PCI DSS, NIST 800-53, and ISO 27001, which is useful when you're preparing for more than one audit.
If you're evaluating scanners, Prowler vs CloudArq covers the open-source alternative.
Run the benchmark on your own AWS
Starter tier is free for accounts under 50 resources. No credit card. 5-minute read-only CloudFormation setup.