CIS Benchmarks Overview
Industry-standard secure configuration guidelines for cloud platforms, operating systems, and applications — automated evaluation in ComplyWise.
What are CIS Benchmarks?
CIS (Center for Internet Security) Benchmarks are consensus-based secure configuration guides developed by cybersecurity experts worldwide. They provide prescriptive hardening recommendations for operating systems, cloud platforms, databases, and applications. Unlike compliance frameworks such as SOC 2 or ISO 27001, which define security outcomes, CIS Benchmarks specify the exact configuration settings needed to achieve those outcomes.
- Developed by the Center for Internet Security with community consensus
- 300+ benchmarks covering cloud services, OS, databases, applications, and network devices
- Two levels: Level 1 (essential, low impact) and Level 2 (defense-in-depth, higher impact)
- Referenced by SOC 2, ISO 27001, NIST, HIPAA, and PCI DSS as implementation guidance
CIS in ComplyWise
ComplyWise uses CIS Benchmarks as evaluation criteria within the automated scan engine. When scanning AWS or Azure infrastructure, the scanners check configurations against the relevant CIS Benchmark recommendations. Findings are mapped to the corresponding compliance framework controls — for example, a CIS AWS Foundations Benchmark 2.1.1 finding (S3 bucket server-side encryption) maps to SOC 2 CC6.1, ISO A.10.1, and HIPAA §164.312(a)(2)(iv).
- CIS AWS Foundations Benchmark — IAM, Storage, Logging, Monitoring, Networking
- CIS Azure Foundations Benchmark — Identity, Security Center, Storage, Networking, Logging
- Automated checks during every compliance scan
- Findings mapped to framework controls via the UCF
AWS CIS Benchmark Checks
The CIS AWS Foundations Benchmark covers 50+ security recommendations organized into IAM, Storage, Logging, Monitoring, and Networking sections. ComplyWise evaluates each recommendation and reports pass/fail status with evidence. Common checks include MFA on the root account, IAM password policy, CloudTrail multi-region logging, VPC flow logs, and S3 bucket encryption.
- IAM: root MFA, password policy, access key rotation, unused credentials
- Storage: S3 encryption, public access blocks, bucket logging
- Logging: CloudTrail, Config, VPC flow logs enabled in all regions
- Monitoring: CloudWatch alarms for unauthorized API calls, console logins, IAM changes
- Networking: default security group restricts all traffic, no unrestricted ingress
Azure CIS Benchmark Checks
The CIS Azure Foundations Benchmark provides recommendations for Identity and Access Management, Microsoft Defender, Storage, Database, Logging, Networking, and Virtual Machines. ComplyWise checks Entra ID MFA enforcement, Defender for Cloud recommendations, storage account encryption and access, and network security group rules.
- Identity: MFA enabled for all users, no guest accounts with owner role
- Defender: all resource types covered, email notifications enabled
- Storage: encryption with customer-managed keys, secure transfer required
- Networking: NSGs on all subnets, no SSH/RDP open to 0.0.0.0/0
- Database: audit logging enabled, transparent data encryption on
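The Networking item above ("no SSH/RDP open to 0.0.0.0/0") is not a plain string match: Azure evaluates NSG rules in priority order (lowest number first) and the first matching rule decides, so a Deny at priority 100 neutralises an Allow from `*` at priority 300, while a Deny scoped to one address range does not protect against a broader Allow that follows it. The evaluator below is an added example, not ComplyWise's check logic; it uses the field names of the Azure `securityRules` API and two constructed NSG definitions.

```python
"""Added example (not ComplyWise's scanner): decide whether an Azure NSG
exposes SSH (22) or RDP (3389) to the Internet, honouring NSG priority
semantics (lowest priority number wins; the first matching rule is final).
Rule dicts use the Azure securityRules field names; sample NSGs are constructed."""
from __future__ import annotations

# Source prefixes that mean "the whole Internet" (service tag compared lowercase).
INTERNET_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Normalise destinationPortRange / destinationPortRanges to (lo, hi) pairs."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges

def _sources(rule: dict) -> list[str]:
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return [s.lower() for s in srcs]

def _matches_internet_tcp(rule: dict, port: int) -> bool:
    """True if this inbound rule applies to Internet-sourced TCP traffic to `port`."""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*") not in ("*", "Tcp"):
        return False
    if not any(s in INTERNET_SOURCES for s in _sources(rule)):
        return False  # narrowly scoped rules do not decide Internet-wide traffic
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))

def internet_exposed_ports(nsg: dict) -> dict[int, str]:
    """Return {port: name_of_winning_rule} for management ports open to the Internet."""
    rules = sorted(nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", []),
                   key=lambda r: r["priority"])
    exposed: dict[int, str] = {}
    for port in MGMT_PORTS:
        for rule in rules:
            if _matches_internet_tcp(rule, port):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # first match wins, whether Allow or Deny
    return exposed

# Azure's built-in catch-all, present on every NSG.
DEFAULT_DENY = [{"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
                 "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
                 "destinationPortRange": "*"}]

# Constructed: SSH allowed from anywhere; RDP only from one office range.
NSG_EXPOSED = {"securityRules": [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
], "defaultSecurityRules": DEFAULT_DENY}

# Constructed: an early Deny shields the management ports from a broad later Allow.
NSG_HARDENED = {"securityRules": [
    {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-all-tcp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
], "defaultSecurityRules": DEFAULT_DENY}

if __name__ == "__main__":
    for label, nsg in (("exposed", NSG_EXPOSED), ("hardened", NSG_HARDENED)):
        hits = internet_exposed_ports(nsg)
        verdict = "FAIL" if hits else "PASS"
        print(f"{verdict} {label}: " + ", ".join(
            f"{MGMT_PORTS[p]} via rule '{r}'" for p, r in hits.items()) or f"{verdict} {label}")
```

The finding's evidence is the name of the rule that won, which is what an auditor needs to see; a check that only greps for `0.0.0.0/0` would miss `*` and the `Internet` service tag and would wrongly flag the hardened NSG because of its `allow-all-tcp` rule.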
CIS to Framework Mapping
CIS Benchmark findings feed directly into your compliance framework evaluations. A single CIS check can satisfy controls across multiple frameworks. For example, ensuring encryption at rest (CIS) satisfies data protection controls in SOC 2 (CC6.1), ISO 27001 (A.10.1), HIPAA (§164.312(a)), and PCI DSS (Req. 3). ComplyWise handles this mapping automatically through the UCF.
- Encryption checks → SOC 2 CC6.1, ISO A.10.1, HIPAA §164.312(a), PCI DSS Req 3
- Access control checks → SOC 2 CC6.3, ISO A.9.4, HIPAA §164.312(d), CMMC AC
- Logging checks → SOC 2 CC7.2, ISO A.12.4, HIPAA §164.312(b), NIST DE.CM
- Network security checks → SOC 2 CC6.6, ISO A.13.1, PCI DSS Req 1
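To make the AWS check list and the CIS-to-framework mapping concrete, the following is an added example, not ComplyWise's scanner or UCF: it evaluates five of the AWS recommendations named above (root MFA, password policy, CloudTrail in all regions, S3 encryption, default security group) over a constructed account snapshot, records the evidence behind each verdict, and rolls the findings up into the framework controls listed in the mapping bullets. Only check id 2.1.1 comes from this page; the other check ids are placeholders, and the snapshot's field names mirror the AWS API responses a scanner would collect but are not the product's schema.

```python
"""Added example (not ComplyWise code): evaluate a few CIS AWS Foundations
recommendations over a constructed account snapshot and roll the findings up
into framework controls. Check ids other than 2.1.1 are placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Finding:
    check_id: str
    title: str
    passed: bool
    evidence: str  # the concrete values the verdict rests on

# Constructed account snapshot (hypothetical shape, not the product's schema).
SNAPSHOT = {
    "root_mfa_enabled": True,
    "password_policy": {"MinimumPasswordLength": 14, "RequireSymbols": True},
    "cloudtrails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}],
    "s3_buckets": [
        {"Name": "audit-logs", "ServerSideEncryption": "aws:kms"},
        {"Name": "exports", "ServerSideEncryption": None},
    ],
    "default_security_groups": [
        {"GroupId": "sg-aaa", "IpPermissions": [], "IpPermissionsEgress": []},
        {"GroupId": "sg-bbb", "IpPermissionsEgress": [],
         "IpPermissions": [{"FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
}

def check_root_mfa(s: dict) -> Finding:
    ok = bool(s.get("root_mfa_enabled"))
    return Finding("CIS-1.x", "MFA enabled for the root account", ok,
                   f"root_mfa_enabled={ok}")

def check_password_policy(s: dict) -> Finding:
    policy = s.get("password_policy") or {}  # no policy at all must fail, not crash
    length = policy.get("MinimumPasswordLength", 0)
    return Finding("CIS-1.y", "IAM password policy minimum length >= 14",
                   length >= 14, f"MinimumPasswordLength={length}")

def check_cloudtrail_all_regions(s: dict) -> Finding:
    good = [t["Name"] for t in s.get("cloudtrails", [])
            if t.get("IsMultiRegionTrail") and t.get("IsLogging")]
    return Finding("CIS-3.x", "CloudTrail enabled in all regions", bool(good),
                   f"multi_region_logging_trails={good}")

def check_s3_encryption(s: dict) -> Finding:
    unencrypted = [b["Name"] for b in s.get("s3_buckets", [])
                   if not b.get("ServerSideEncryption")]
    return Finding("CIS-2.1.1", "S3 buckets employ server-side encryption",
                   not unencrypted, f"unencrypted_buckets={unencrypted}")

def check_default_sg(s: dict) -> Finding:
    # The default SG must carry no rules at all, inbound or outbound.
    with_rules = [g["GroupId"] for g in s.get("default_security_groups", [])
                  if g.get("IpPermissions") or g.get("IpPermissionsEgress")]
    return Finding("CIS-5.x", "Default security group restricts all traffic",
                   not with_rules, f"default_sgs_with_rules={with_rules}")

CHECKS: list[Callable[[dict], Finding]] = [
    check_root_mfa, check_password_policy, check_cloudtrail_all_regions,
    check_s3_encryption, check_default_sg,
]

# Illustrative UCF-style mapping built from the control ids listed on this page.
CONTROL_MAP = {
    "CIS-1.x":   ["SOC2 CC6.3", "ISO A.9.4", "HIPAA 164.312(d)", "CMMC AC"],
    "CIS-1.y":   ["SOC2 CC6.3", "ISO A.9.4", "HIPAA 164.312(d)", "CMMC AC"],
    "CIS-3.x":   ["SOC2 CC7.2", "ISO A.12.4", "HIPAA 164.312(b)", "NIST DE.CM"],
    "CIS-2.1.1": ["SOC2 CC6.1", "ISO A.10.1", "HIPAA 164.312(a)", "PCI Req 3"],
    "CIS-5.x":   ["SOC2 CC6.6", "ISO A.13.1", "PCI Req 1"],
}

def evaluate(snapshot: dict) -> list[Finding]:
    return [check(snapshot) for check in CHECKS]

def control_status(findings: Iterable[Finding]) -> dict[str, str]:
    """A framework control passes only when every CIS check mapped to it passes."""
    status: dict[str, str] = {}
    for f in findings:
        for control in CONTROL_MAP.get(f.check_id, []):
            if not f.passed:
                status[control] = "fail"
            else:
                status.setdefault(control, "pass")  # never overwrite an earlier fail
    return status

if __name__ == "__main__":
    results = evaluate(SNAPSHOT)
    for f in results:
        print(f"{'PASS' if f.passed else 'FAIL'} {f.check_id:9} {f.title} [{f.evidence}]")
    for control, st in sorted(control_status(results).items()):
        print(f"{st.upper():4} {control}")
```

Two details matter in practice: each finding carries the evidence that produced it (bucket names, group ids, the observed password length), because the framework control that fails needs that detail attached; and the rollup is many-to-one, so a control such as SOC 2 CC6.3 only passes when both IAM checks mapped to it pass.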