Contents

Chapter 1

What's Included

This chapter covers the core features and capabilities of Cloud Security Baseline.

What's Included

CategoryFilesDescription
Terraformiam_baseline.tf, encryption_baseline.tf, network_security.tf, logging_monitoring.tf, variables.tfComplete IaC for IAM, encryption, networking, and observability
CloudFormationsecurity-hub-baseline.yaml, guardduty-org-setup.yamlSecurityHub conformance packs + GuardDuty organization rollout
Scriptscompliance_checker.py, iam_audit.py, security_score_calculator.pyAutomated compliance checking, IAM auditing, and posture scoring
Docsarchitecture.md, cis_benchmark_guide.md, incident_response_runbook.mdSecurity architecture diagrams, CIS mapping, and IR procedures
Examplessecurity_policies.json, compliance_config.yamlReady-to-use IAM policy documents and compliance checker config

CIS Benchmark Coverage

This baseline implements 42 of the 58 CIS AWS Foundations Benchmark v3.0 controls out of the box:

Section 1 - Identity and Access Management:  14/16 controls  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘  87%
Section 2 - Storage:                          6/6  controls  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  100%
Section 3 - Logging:                          8/8  controls  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  100%
Section 4 - Monitoring:                       8/12 controls  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘  67%
Section 5 - Networking:                       6/6  controls  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  100%
                                             ─────
                                             42/48 automated  (87% coverage)

The remaining controls require manual/organizational processes (MFA hardware tokens, root account procedures, etc.) and are documented in docs/cis_benchmark_guide.md.

Prerequisites

  • AWS Account (or AWS Organizations for multi-account setup)
  • Terraform >= 1.5.0
  • Python >= 3.10 (stdlib only -- no pip packages needed)
  • AWS CLI v2 configured with admin credentials
  • Permissions: IAM, KMS, VPC, CloudTrail, Config, GuardDuty, SecurityHub admin access
Chapter 2

Quick Start

Follow this guide to get Cloud Security Baseline up and running in your environment.

Quick Start

1. Deploy the Security Baseline (Terraform)

bash
# Clone/unzip this product into your infrastructure repo
cp -r terraform/ /path/to/your/infra/security-baseline/

# Review and customize variables
cd /path/to/your/infra/security-baseline/
cp ../examples/compliance_config.yaml ./config.yaml  # optional: review config

# Initialize and plan
terraform init
terraform plan -var="environment=production" \
               -var="organization_name=acme-corp" \
               -var="alert_email=security-team@example.com"

# Review the plan carefully, then apply
terraform apply -var="environment=production" \
                -var="organization_name=acme-corp" \
                -var="alert_email=security-team@example.com"

2. Deploy SecurityHub + GuardDuty (CloudFormation)

bash
# SecurityHub with CIS conformance pack
aws cloudformation deploy \
  --template-file cloudformation/security-hub-baseline.yaml \
  --stack-name security-hub-baseline \
  --parameter-overrides \
    AlertEmail=security-team@example.com \
    EnableCISBenchmark=true \
  --capabilities CAPABILITY_IAM

# GuardDuty (organization-wide)
aws cloudformation deploy \
  --template-file cloudformation/guardduty-org-setup.yaml \
  --stack-name guardduty-org-setup \
  --parameter-overrides \
    FindingPublishingFrequency=FIFTEEN_MINUTES \
    EnableS3Protection=true \
  --capabilities CAPABILITY_IAM

3. Run Your First Compliance Check

bash
# Full CIS benchmark compliance check
python scripts/compliance_checker.py --profile production --format report

# IAM-specific deep audit
python scripts/iam_audit.py --profile production --output iam-audit-report.json

# Overall security posture score
python scripts/security_score_calculator.py --profile production

Configuration Reference

Terraform Variables

VariableTypeDefaultDescription
environmentstring"production"Environment name (production, staging, development)
organization_namestringrequiredOrganization identifier for resource naming
alert_emailstringrequiredEmail for security alert notifications
enable_guarddutybooltrueEnable GuardDuty threat detection
enable_security_hubbooltrueEnable SecurityHub aggregation
enable_config_rulesbooltrueEnable AWS Config compliance rules
enable_vpc_flow_logsbooltrueEnable VPC flow logging
password_max_age_daysnumber90Maximum password age before forced rotation
password_min_lengthnumber14Minimum password length (CIS requires 14+)
cloudtrail_retention_daysnumber365CloudTrail log retention in S3
vpc_cidrstring"10.0.0.0/16"CIDR block for the security VPC
allowed_ip_cidrslist(string)[]CIDR blocks allowed for administrative access
kms_key_deletion_windownumber30KMS key deletion waiting period (days)
tagsmap(string){}Additional tags applied to all resources

Compliance Checker Configuration (compliance_config.yaml)

yaml
# Which CIS sections to check (all enabled by default)
checks:
  iam: true
  storage: true
  logging: true
  monitoring: true
  networking: true

# Severity thresholds for pass/fail
thresholds:
  critical_max: 0     # Fail if any critical findings
  high_max: 3         # Fail if more than 3 high findings
  medium_max: 10      # Warn if more than 10 medium findings

# Output options
output:
  format: "report"    # "report", "json", "csv"
  file: null          # null = stdout, or path to output file
  include_passing: false  # Include passing checks in output

Security Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        AWS Account                              β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚
β”‚  β”‚                   IAM Baseline                            β”‚   β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”             β”‚   β”‚
β”‚  β”‚  β”‚Password β”‚  β”‚ MFA      β”‚  β”‚ Permission  β”‚             β”‚   β”‚
β”‚  β”‚  β”‚Policy   β”‚  β”‚ Enforce  β”‚  β”‚ Boundaries  β”‚             β”‚   β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜             β”‚   β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚
β”‚                                                                  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚
β”‚  β”‚  Encryption  β”‚  β”‚   Network    β”‚  β”‚  Logging & Monitor   β”‚   β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚   β”‚
β”‚  β”‚  β”‚  KMS   β”‚  β”‚  β”‚  β”‚  VPC   β”‚  β”‚  β”‚  β”‚ CloudTrail   β”‚   β”‚   β”‚
β”‚  β”‚  β”‚  Keys  β”‚  β”‚  β”‚  β”‚ + SGs  β”‚  β”‚  β”‚  β”‚ (all regions)β”‚   β”‚   β”‚
β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€  β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€  β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€   β”‚   β”‚
β”‚  β”‚  β”‚  S3    β”‚  β”‚  β”‚  β”‚ Flow   β”‚  β”‚  β”‚  β”‚ AWS Config   β”‚   β”‚   β”‚
β”‚  β”‚  β”‚Default β”‚  β”‚  β”‚  β”‚ Logs   β”‚  β”‚  β”‚  β”‚ (rules)      β”‚   β”‚   β”‚
β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€  β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€  β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€   β”‚   β”‚
β”‚  β”‚  β”‚  EBS   β”‚  β”‚  β”‚  β”‚ NACLs  β”‚  β”‚  β”‚  β”‚ GuardDuty    β”‚   β”‚   β”‚
β”‚  β”‚  β”‚Default β”‚  β”‚  β”‚  β”‚        β”‚  β”‚  β”‚  β”‚              β”‚   β”‚   β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚  β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€   β”‚   β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚  β”‚ SecurityHub  β”‚   β”‚   β”‚
β”‚                                       β”‚  β”‚ (aggregate)  β”‚   β”‚   β”‚
β”‚                                       β”‚  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚   β”‚
β”‚                                       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚
β”‚                                                  β”‚               β”‚
β”‚                                           β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”      β”‚
β”‚                                           β”‚  SNS Alerts  β”‚      β”‚
β”‚                                           β”‚  β†’ Email     β”‚      β”‚
β”‚                                           β”‚  β†’ PagerDuty β”‚      β”‚
β”‚                                           β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
Chapter 3
πŸ”’ Available in full product

Product Files

You’ve reached the end of the free preview

Get the full Cloud Security Baseline and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $49 →
πŸ“¦ Free sample included — download another copy for the full product.
Cloud Security Baseline v1.0.0 β€” Free Preview