CIS controls and cloud benchmarks
CIS publishes two families of guidance people often conflate: the CIS Controls (a prioritized program for any organization) and CIS Benchmarks (vendor-specific secure configuration profiles, including AWS and Microsoft Azure Foundations). This page clarifies the split and points to deeper notes in this library.
Benchmarks are configuration baselines, not a full security or compliance program. Use your risk register and official CIS materials for authoritative wording.
CIS Controls (enterprise program)
The CIS Critical Security Controls (often called CIS Controls) are a numbered, prioritized set of safeguards (inventory, secure configuration, logging, access control, etc.) meant to improve overall security posture. They are vendor-neutral and map to many frameworks; they do not replace SOC 2, ISO, HIPAA, or PCI programs.
Sample themes and where to read in this library:
| Theme (illustrative) | Where to go deeper |
|---|---|
| Asset inventory and secure configuration | Production platform checklist, AWS security services |
| Continuous vulnerability management | Security scanning, Vulnerability management in CI/CD |
| Controlled use of admin privileges | RBAC, AWS IAM |
| Audit logs and detection | Observability, Compliance and audit |
| Email and web protections | Out of scope for this library’s depth — use CIS official guidance |
CIS Benchmarks (cloud Foundations)
CIS Benchmarks are hardening checklists for specific products (OS, Kubernetes distribution, AWS, Azure, databases). The CIS AWS Foundations Benchmark and CIS Microsoft Azure Foundations Benchmark are widely used to assess and continuously monitor cloud account posture, usually through a CSPM (cloud security posture management) tool or provider-native config rules.
How they differ from CIS Controls: Benchmarks are “what good looks like” for a given cloud (e.g., S3 bucket policies, CloudTrail enabled, key vault settings). Controls are “what good looks like for the whole org” across people, process, and tech.
Sample themes and library map:
| Theme (illustrative) | AWS | Azure |
|---|---|---|
| Identity and access hardening | IAM, Secrets | Azure security, Azure AD |
| Network segmentation and exposure | Networking, VPC connectivity | Networking |
| Logging and monitoring | Observability + AWS-native logging in AWS security services | Same observability hub + Azure patterns in Azure security |
| Kubernetes (if you run clusters on these clouds) | Pod Security Standards, Network policies | Same Kubernetes pages |
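To make the “what good looks like for a given cloud” idea concrete, here is an added example (not CIS material and not code from this library) that encodes three benchmark-style AWS rules as plain functions, the way a CSPM or config rule would, and runs them over a constructed account snapshot instead of live AWS APIs. The snapshot layout, the rule names and the `Finding` type are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    detail: str

PAB_KEYS = ("block_public_acls", "ignore_public_acls",
            "block_public_policy", "restrict_public_buckets")

def check_cloudtrail(snapshot):
    # Pass if at least one trail is logging, multi-region and validates log files.
    for trail in snapshot.get("cloudtrail", []):
        if trail["logging"] and trail["multi_region"] and trail["log_validation"]:
            return []
    return [Finding("cloudtrail-enabled", "account",
                    "no logging multi-region trail with log file validation")]

def check_s3_public_access(snapshot):
    # Every bucket must have all four public-access-block settings switched on.
    findings = []
    for bucket in snapshot.get("s3", []):
        pab = bucket.get("public_access_block", {})
        missing = [k for k in PAB_KEYS if not pab.get(k)]
        if missing:
            findings.append(Finding("s3-public-access-block", bucket["name"],
                                    "not enabled: " + ", ".join(missing)))
    return findings

def check_root_mfa(snapshot):
    if snapshot.get("iam", {}).get("root_mfa_enabled"):
        return []
    return [Finding("root-mfa", "root", "root account has no MFA device")]

RULES = (check_cloudtrail, check_s3_public_access, check_root_mfa)

def assess(snapshot):
    # Run every rule; an empty list means the snapshot passes all of them.
    return [f for rule in RULES for f in rule(snapshot)]

# Constructed snapshot, not real data: the trail lacks log validation and one
# of the two buckets has no public-access block at all; root does have MFA.
SAMPLE_SNAPSHOT = {
    "cloudtrail": [{"name": "main", "logging": True, "multi_region": True,
                    "log_validation": False}],
    "s3": [{"name": "logs", "public_access_block": dict.fromkeys(PAB_KEYS, True)},
           {"name": "www-assets", "public_access_block": {}}],
    "iam": {"root_mfa_enabled": True},
}
```

Calling `assess(SAMPLE_SNAPSHOT)` returns two findings (the trail and the `www-assets` bucket); in a real pipeline the snapshot would be built from provider APIs and the findings fed to the same place your other policy-as-code results go.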
Official CIS links
- CIS Controls — program overview and implementation groups.
- CIS Benchmarks — download and licensing for vendor benchmarks.
- CIS WorkBench — community and assessment tooling context (verify current URLs on cisecurity.org).
Related
- Compliance quick reference for SREs — CIS row in the matrix.
- DevSecOps overview
- Policy as code — Encode benchmark-style rules where automation fits.