You can't fulfill your end of the shared responsibility model if you don't emphasize secure configurations. Depending on the cloud services you're using, you're responsible for configuring different things. Once you figure out those responsibilities, you then need to perform the hardening.
Our guidance helps simplify the process. It explains how you can use the CIS Foundations Benchmarks to get started with identity and access management (IAM), logging and monitoring, and networking on the cloud service platforms you're using. It also notes that you can use the CIS Hardened Images® to automate your hardening efforts for operating systems on virtual machines.
But much has changed in the past few years since we released our guidance — the first of its kind that the Center for Internet Security® (CIS®) published on the shared responsibility model. At the time of its release, we only had foundational coverage for Benchmarks specific to cloud services you might be using.
Now our coverage is much more expansive. In this blog post, we’ll discuss some new resources you can use to continue to meet your security responsibilities in the cloud.
We’ve expanded guidance on cloud components with the new CIS Cloud Service Category Benchmarks and additional CIS Foundations Benchmarks. The guidance builds off of the shared responsibility model and foundational concepts.
The number of cloud platforms available to you continues to expand, especially if you’re embracing a multi-cloud strategy. More and more organizations are taking this approach. Per a Flexera survey, 89% of organizations said they're using multiple clouds — up from 87% in 2023.
To keep up with your business needs, you can now use three newer CIS Foundations Benchmarks:
All CIS Foundations Benchmarks consist of 50–60 recommendations you can use to get started with security on your cloud service provider (CSP) platform. You can then build upon this foundation by using CIS Cloud Service Category Benchmarks, which include hardening recommendations for the specific services you're using that fall beyond the scope of the CIS Foundations Benchmarks.
CIS Cloud Service Category Benchmarks emphasize services such as compute, databases, and storage on CSP platforms like Amazon Web Services (AWS) and Microsoft Azure. Here are a few examples:
In addition, we’ve created new CIS Benchmarks that build off of the shared responsibility model and help you securely configure cloud-based components you’re using like cloud containers and container orchestration platforms. Let's take a closer look.
These Benchmarks consist of recommendations designed to help you securely configure systems that use a container-optimized operating system (OS). A few examples include:
The CIS Kubernetes Benchmarks are a group of Benchmarks that outline the division of security responsibility between the customer and the cloud service provider for Kubernetes and managed Kubernetes services. The group consists of Benchmarks for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE), and Red Hat OpenShift. Each of those Benchmarks covers topics like control plane configuration, worker nodes, and the API server.
We continue to build security guidance for cloud computing environments. We started with foundational concepts for operating systems. With the releases discussed above, we’re taking it a step further to include CIS Kubernetes, Container, and Cloud Benchmarks. This guidance takes you past the point of just securing your operating systems; you can start securing everything else you’re working with, too.
Ready to take the next step in your cloud security efforts?