This chapter covers the core features and capabilities of Cloud Security Baseline.
| Category | Files | Description |
|---|---|---|
| Terraform | iam_baseline.tf, encryption_baseline.tf, network_security.tf, logging_monitoring.tf, variables.tf | Complete IaC for IAM, encryption, networking, and observability |
| CloudFormation | security-hub-baseline.yaml, guardduty-org-setup.yaml | SecurityHub conformance packs + GuardDuty organization rollout |
| Scripts | compliance_checker.py, iam_audit.py, security_score_calculator.py | Automated compliance checking, IAM auditing, and posture scoring |
| Docs | architecture.md, cis_benchmark_guide.md, incident_response_runbook.md | Security architecture diagrams, CIS mapping, and IR procedures |
| Examples | security_policies.json, compliance_config.yaml | Ready-to-use IAM policy documents and compliance checker config |
This baseline implements 42 of the 58 CIS AWS Foundations Benchmark v3.0 controls out of the box:
Section 1 - Identity and Access Management: 14/16 controls ββββββββββββββββββββββ 87%
Section 2 - Storage: 6/6 controls ββββββββββββββββββββββ 100%
Section 3 - Logging: 8/8 controls ββββββββββββββββββββββ 100%
Section 4 - Monitoring: 8/12 controls ββββββββββββββββββββββ 67%
Section 5 - Networking: 6/6 controls ββββββββββββββββββββββ 100%
βββββ
42/48 automated (87% coverage)
The remaining controls require manual/organizational processes (MFA hardware tokens, root account procedures, etc.) and are documented in docs/cis_benchmark_guide.md.
Follow this guide to get Cloud Security Baseline up and running in your environment.
# Clone/unzip this product into your infrastructure repo
cp -r terraform/ /path/to/your/infra/security-baseline/
# Review and customize variables
cd /path/to/your/infra/security-baseline/
cp ../examples/compliance_config.yaml ./config.yaml # optional: review config
# Initialize and plan
terraform init
terraform plan -var="environment=production" \
-var="organization_name=acme-corp" \
-var="alert_email=security-team@example.com"
# Review the plan carefully, then apply
terraform apply -var="environment=production" \
-var="organization_name=acme-corp" \
-var="alert_email=security-team@example.com"# SecurityHub with CIS conformance pack
aws cloudformation deploy \
--template-file cloudformation/security-hub-baseline.yaml \
--stack-name security-hub-baseline \
--parameter-overrides \
AlertEmail=security-team@example.com \
EnableCISBenchmark=true \
--capabilities CAPABILITY_IAM
# GuardDuty (organization-wide)
aws cloudformation deploy \
--template-file cloudformation/guardduty-org-setup.yaml \
--stack-name guardduty-org-setup \
--parameter-overrides \
FindingPublishingFrequency=FIFTEEN_MINUTES \
EnableS3Protection=true \
--capabilities CAPABILITY_IAM# Full CIS benchmark compliance check
python scripts/compliance_checker.py --profile production --format report
# IAM-specific deep audit
python scripts/iam_audit.py --profile production --output iam-audit-report.json
# Overall security posture score
python scripts/security_score_calculator.py --profile production| Variable | Type | Default | Description |
|---|---|---|---|
environment | string | "production" | Environment name (production, staging, development) |
organization_name | string | required | Organization identifier for resource naming |
alert_email | string | required | Email for security alert notifications |
enable_guardduty | bool | true | Enable GuardDuty threat detection |
enable_security_hub | bool | true | Enable SecurityHub aggregation |
enable_config_rules | bool | true | Enable AWS Config compliance rules |
enable_vpc_flow_logs | bool | true | Enable VPC flow logging |
password_max_age_days | number | 90 | Maximum password age before forced rotation |
password_min_length | number | 14 | Minimum password length (CIS requires 14+) |
cloudtrail_retention_days | number | 365 | CloudTrail log retention in S3 |
vpc_cidr | string | "10.0.0.0/16" | CIDR block for the security VPC |
allowed_ip_cidrs | list(string) | [] | CIDR blocks allowed for administrative access |
kms_key_deletion_window | number | 30 | KMS key deletion waiting period (days) |
tags | map(string) | {} | Additional tags applied to all resources |
compliance_config.yaml)# Which CIS sections to check (all enabled by default)
checks:
iam: true
storage: true
logging: true
monitoring: true
networking: true
# Severity thresholds for pass/fail
thresholds:
critical_max: 0 # Fail if any critical findings
high_max: 3 # Fail if more than 3 high findings
medium_max: 10 # Warn if more than 10 medium findings
# Output options
output:
format: "report" # "report", "json", "csv"
file: null # null = stdout, or path to output file
include_passing: false # Include passing checks in outputβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AWS Account β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β IAM Baseline β β
β β βββββββββββ ββββββββββββ βββββββββββββββ β β
β β βPassword β β MFA β β Permission β β β
β β βPolicy β β Enforce β β Boundaries β β β
β β βββββββββββ ββββββββββββ βββββββββββββββ β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββββββ β
β β Encryption β β Network β β Logging & Monitor β β
β β ββββββββββ β β ββββββββββ β β ββββββββββββββββ β β
β β β KMS β β β β VPC β β β β CloudTrail β β β
β β β Keys β β β β + SGs β β β β (all regions)β β β
β β ββββββββββ€ β β ββββββββββ€ β β ββββββββββββββββ€ β β
β β β S3 β β β β Flow β β β β AWS Config β β β
β β βDefault β β β β Logs β β β β (rules) β β β
β β ββββββββββ€ β β ββββββββββ€ β β ββββββββββββββββ€ β β
β β β EBS β β β β NACLs β β β β GuardDuty β β β
β β βDefault β β β β β β β β β β β
β β ββββββββββ β β ββββββββββ β β ββββββββββββββββ€ β β
β ββββββββββββββββ ββββββββββββββββ β β SecurityHub β β β
β β β (aggregate) β β β
β β ββββββββ¬ββββββββ β β
β βββββββββββΌββββββββββββ β
β β β
β ββββββββΌββββββββ β
β β SNS Alerts β β
β β β Email β β
β β β PagerDuty β β
β ββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Get the full Cloud Security Baseline and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.