Center for Internet Security (CIS) scans for Amazon EC2 instance operating systems
Amazon Inspector CIS scans (CIS scans) benchmark your Amazon EC2 instance operating systems to make sure you configured them according to best practice recommendations established by the Center for Internet Security.
CIS Security Benchmarks
Amazon Inspector performs CIS scans on target Amazon EC2 instances based on instance tags and your defined scanning schedule. Amazon Inspector performs a series of instance checks on each targeted instance. Each check evaluates whether your system configuration meets specific CIS Benchmark recommendations. Each check has a CIS check ID and title, which correspond with a CIS Benchmark recommendation for that platform. When a CIS scan completes, you can view the results to see which instance checks passed, skipped, or failed for that system.
Note
To perform or schedule CIS scans, you must have a secure internet connection. However, if you want to run CIS scans on private instances, you must use a VPC endpoint.
Amazon EC2 instance requirements for Amazon Inspector CIS scans
To run a CIS scan on your Amazon EC2 instance, the Amazon EC2 instance must meet the following criteria:
-
The instance operating system is one of the supported operating systems for CIS scans. For more information, see Operating systems and programming languages supported by Amazon Inspector.
-
The instance is an Amazon EC2 Systems Manager instance. For more information, see Working with the SSM Agent in the Amazon Systems Manager User Guide.
-
The Amazon Inspector SSM plugin is installed on the instance. Amazon Inspector automatically installs this plugin on manged instances.
-
The instance has an instance profile that grants permissions for SSM to manage the instance and Amazon Inspector to run CIS scans for that instance. To grant these permissions, attach the AmazonSSMManagedInstanceCore and AmazonInspector2ManagedCisPolicy policies to an IAM role. Then attach the IAM role to your instance as an instance profile. For instructions on creating and attaching an instance profile, see Work with IAM roles in the Amazon EC2 User Guide.
Note
You're not required to enable Amazon Inspector deep inspection before running a CIS scan on your Amazon EC2 instance.
If you disable Amazon Inspector deep inspection, Amazon Inspector automatically installs the SSM Agent, but the SSM Agent won't be invoked to run deep inspection anymore.
However, as a result, the InspectorLinuxDistributor-do-not-delete
association is present in your account.
Amazon Virtual Private Cloud endpoint requirements for running CIS scans on private Amazon EC2 instances
You can run CIS scans on Amazon EC2 instances over an internet connection. However, if you want to run CIS scans on private Amazon EC2 instances, you must create Amazon VPC endpoints to avoid sending information over the internet.
The following endpoints are required when you create Amazon VPC endpoints for Systems Manager:
-
amazonaws.com.
region
.ec2messages -
amazonaws.com.
region
.inspector2 -
amazonaws.com.
region
.s3 -
amazonaws.com.
region
.ssm -
amazonaws.com.
region
.ssmmessages
For more information, see Creating Amazon VPC endpoints for Systems Manager in the Amazon Systems Manager User Guide.
Note
Currently, some Amazon Web Services Regions don't support the amazonaws.com.
endpoint.
region
.inspector2
Running CIS scans
You can either run a CIS scan once on-demand or as a scheduled recurring scan. To run a scan, you first create a scan configuration.
When you create a scan configuration, you specify tag key-value pairs to use to target instances. If you are the Amazon Inspector delegated administrator for an organization, you can specify multiple accounts in the scan configuration, and Amazon Inspector will look for instances with the specified tags in each of those accounts. You choose the CIS Benchmark level for the scan. For each benchmark, CIS supports a level 1 and level 2 profile designed to provide baselines for different levels of security that different environments may require.
Level 1 – recommends essential basic security settings that can be configured on any system. Implementing these settings should cause little or no interruption of service. The goal of these recommendations is to reduce the number of entry points into your systems, reducing your overall cybersecurity risks.
Level 2 – recommends more advanced security settings for high-security environments. Implementing these settings requires planning and coordination to minimize the risk of business impact. The goal of these recommendations is to help you achieve regulatory compliance.
Level 2 extends level 1. When you choose Level 2, Amazon Inspector checks for all configurations recommended for level 1 and level 2.
After defining the parameters for your scan, you can choose whether to run it as a one time scan, which runs after you complete the configuration, or a recurring scan. Recurring scans can run daily, weekly, or monthly, at a time of your choice.
Tip
We recommend choosing a day and time that's least likely to impact your system while the scan is running.
To create a CIS scan configuration
Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home
. Using the Amazon Web Services Region selector in the upper-right corner of the page, select the Amazon Web Services Region where you want to run a CIS scan.
From the navigation panel, under On-demand scans, select CIS scans.
Choose Create new scan.
Enter a Scan configuration name.
For Target resource enter the Key and corresponding Value of a tag on the instances that you want to scan. You can specify a total of 25 tags to include in the scan, and for each key, you can specify up to five different values.
Choose a CIS Benchmark level. You can select Level 1 for basic security configurations, or Level 2 for advanced security configurations.
For Target accounts, specify which accounts to include in the scan. A standalone account or member in an organization can select Self to create a scan configuration for their account. An Amazon Inspector delegated administrator can select All accounts to target all accounts within the organization, or select Specify accounts and specify a subset of member accounts to target. The delegated administrator can enter
SELF
instead of an account ID to create a scan configuration for their own account. For more information see Considerations for managing Amazon Inspector CIS scans with Amazon Organizations.Choose a Schedule for the scans. Choose between One time scan, which will run as soon as you finish creating the scan configuration, or Recurring scans, which will run at the scheduled time that you choose until it's deleted.
-
Choose Create to finish creating the scan configuration.
Viewing and editing CIS scan configurations
You can view or edit scheduled scans at any time.
To view or edit a scheduled scan
-
Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home
. -
Use the Amazon Web Services Region dropdown to select the Amazon Web Services Region where you created your CIS scan configuration.
-
From the navigation pane, choose On-demand scans, and then choose CIS scans.
-
Choose the Scheduled tab.
-
From the Scan configuration name column, choose the name of the scan configuration you want to view details for. You also can select the row with the scan configuration you want to view details for, and then choose View details.
To edit a scheduled scan
-
Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home
. -
Use the Amazon Web Services Region dropdown to select the Amazon Web Services Region where you created your CIS scan configuration.
-
From the navigation pane, choose On-demand scans, and then choose CIS scans.
-
Choose the Scheduled tab.
-
Select the row with the scan configuration you want to edit, and then choose Edit.
Viewing and downloading CIS scan results
Amazon Inspector creates a scan job every time a scan configuration runs and collects the results of the scan under a unique Scan ID. After a scan completes, results are available for 90 days.
You can view scan results by its checks or scanned resources:
-
Scan results aggregated by checks – Groups the results of a scan by each individual check performed during the scan. For each check, you get a report of how many resources failed, skipped, or passed.
-
Scan results aggregated by scanned resources – Groups the results of a scan by each scanned resource the scan targets during the scan. For each resource, you get a report of how many checks that a resource failed, skipped, or passed.
You also can download a PDF or CSV of a CIS scan using the console or Amazon Inspector API. The delegated administrator can download results for specific member accounts.
To view scan results
-
Sign in using your credentials, and thn open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home
. -
Use the Amazon Web Services Region dropdown to select the Amazon Web Services Region where you created your CIS scan configuration.
-
From the navigation pane, choose On-demand scans, and then choose CIS scans.
-
Choose Scan results.
-
From the Scan schedule ID column, choose the scan schedule ID you want to view. Or select the row with the scan schedule ID you want to view, and then choose View details.
-
Choose Checks to view each individual check performed during the scan, or choose Scanned resources to view each scanned resource the scan targeted during the scan.
To download scan results from the console
-
Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home
. -
Use the Amazon Web Services Region dropdown to select the Amazon Web Services Region where you created your CIS scan configuration.
-
From the navigation pane, choose On-demand scans, and then choose CIS scans.
-
Choose Scan results.
-
From the Scan schedule ID column, choose the scan schedule ID you want to view. Or select the row with the scan schedule ID you want to view, and then choose View details.
-
Choose Download, and then choose PDF or CSV. If you're the delegated administrator, you can choose Select account to download results for a specific member account.
Note
You can only download a CSV file of your CIS scan results for CIS scans collected after 05/03/2024.
Considerations for managing Amazon Inspector CIS scans with Amazon Organizations
When you run CIS scans in an organization, Amazon Inspector delegated administrators and member accounts interact with CIS scan configurations and scan results differently.
How Amazon Inspector delegated administrators can interact with CIS scan configurations and scan results
When the delegated administrator creates a scan configuration, either for all accounts or a specific member accounts, the organization owns the configuration. Scan configurations that an organization owns have an ARN specifying the organization ID as the owner:
arn:aws:inspector2:
Region
:111122223333
:owner/OrganizationId
/cis-configuration/scanId
The delegated administrator can manage scan configurations that an organization owns, even if another account created them.
The delegated administrator can view scan results for any account in its organization.
If the delegated administrator creates a scan configuration and specifies SELF
as the target account, the delegated administrator owns scan configuration, even if they leave the organization.
However, the delegated administrator cannot change the target of a scan configuration with SELF
as the target.
Note
The delegated adminstrator cannot add tags to CIS scan configurations the organization owns.
How Amazon Inspector member accounts can interact with CIS scan configurations and scan results
When a member account creates a CIS scan configuration, it owns the configuration. However, the delegated administrator can view the configuration. If a member account leaves the organization, the delegated administrator won't be able to view the configuration.
Note
The delegated administrator cannot edit a scan configuration the member account creates.
Member accounts, delegated administrators with SELF
as the target, and standalone accounts all own scan configurations they create.
These scan configurations have an ARN that shows the account ID as the owner:
arn:aws:inspector2:
Region
:111122223333
:owner/111122223333
/cis-configuration/scanId
A member account can view scan results in their account, including scan results from CIS scans the delegated administrator scheduled.
Amazon Inspector owned Amazon S3 buckets used for Amazon Inspector CIS scans
Open Vulnerability and Assessment Language (OVAL) is an information security effort that standardizes how to assess and report the machine state of computer systems. The following table lists all of the Amazon Inspector owned Amazon S3 buckets with OVAL defintions that are used for CIS scans. Amazon Inspector stages OVAL definition files that are required for CIS scans. The Amazon Inspector owned Amazon S3 buckets should be allowlisted in VPCs if necessary.
Note
The details for each of the following Amazon Inspector owned Amazon S3 buckets aren't subject to change. However, the table might be updated to reflect newly supported Amazon Web Services Regions. You can't use Amazon Inspector ownerd Amazon S3 buckets for other Amazon S3 operations or in your own Amazon S3 buckets.
CIS bucket | Amazon Web Services Region |
---|---|
|
Europe (Stockholm) |
|
Middle East (Bahrain) |
|
China (Beijing) |
|
Asia Pacific (Mumbai) |
|
Europe (Paris) |
|
Asia Pacific (Jakarta) |
|
US East (Ohio) |
|
Africa (Cape Town) |
|
Europe (Ireland) |
|
Europe (Frankfurt) |
|
South America (São Paulo) |
|
Asia Pacific (Hong Kong) |
|
US East (N. Virginia) |
|
Asia Pacific (Seoul) |
|
Asia Pacific (Osaka) |
|
Europe (London) |
|
Europe (Milan) |
|
Asia Pacific (Tokyo) |
|
Amazon GovCloud (US-East) |
|
Amazon GovCloud (US-West) |
|
US West (Oregon) |
|
US West (N. California) |
|
Asia Pacific (Singapore) |
|
Asia Pacific (Sydney) |
|
Canada (Central) |
|
China (Ningxia) |
|
Europe (Zurich) |