Enhanced Automation for CIS AWS/Google Cloud Foundations Benchmark Checks

We have expanded the explanations and audit rules provided for the CIS AWS/Google Cloud Foundations Benchmark on Shisho Cloud. This allows you to evaluate the security posture of a wider range of resources on AWS/Google Cloud from a broader perspective on Shisho Cloud.

Overview

With this update, all Shisho Cloud customers can use managed Rego rules & explanations by Flatt Security for all automatable items in the following benchmarks:

• CIS AWS Foundations Benchmark v1.5.0
• CIS Google Cloud Foundations Benchmark v1.3.0

info

The latest version of these benchmarks are as follows:

• CIS AWS Foundations Benchmark v2.0.0
• CIS Google Cloud Foundations Benchmark v2.0.0

For items that have remained unchanged between versions, we have already applied some changes in this update to adapt to the changes in categorization to Manual and Audomated, and changes in Profile Applicability. We are also progressively delivering managed audit rules and explanations on Shisho Cloud for a few additional items.

Getting Started

Try it with Shisho Cloud for free

Thank you for your interest! Please contact us through the Shisho Cloud official page. We will promptly guide you on how to start with the Shisho Cloud free trial.

Try it with an existing Shisho Cloud organization

All Shisho Cloud customers can start scanning with updated policies by the following steps:

1. Update integrations between Shisho Cloud and your cloud accounts
2. Add new workflows in Shisho Cloud
3. Add workflows to a GitHub repository (optional)

(1) Updating integrations

Please refer to the guide below and update integrations between Shisho Cloud and AWS/Google Cloud:

Google Cloud

If you have already created a service account for integrating Shisho Cloud with your Google Cloud projects/folders/organizations, there are basically no settings to be changed on the Shisho Cloud side for Google Cloud. You also don't need to recreate the service account.

However, you need to enable some Google Cloud APIs in the project where the service account for the integration exists. You can enable all the necessary APIs using the command below, or the Terraform code snippet provided in the Google Cloud integration tutorial:

gcloud services enable \
  bigquery.googleapis.com \
  cloudasset.googleapis.com \
  cloudkms.googleapis.com \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  essentialcontacts.googleapis.com \
  logging.googleapis.com \
  iamcredentials.googleapis.com \
  iam.googleapis.com \
  pubsub.googleapis.com \
  serviceusage.googleapis.com \
  storage-component.googleapis.com \
  sqladmin.googleapis.com \
  --project "$PROJECT_ID"

AWS

If you have already created an IAM role for the integration, there are basically no settings to be changed on the Shisho Cloud side for AWS. You also don't need to recreate the IAM role.

However, you need to update the inline policy in the IAM role created in each account. Please make sure to update the IAM role created in each account, referring to the AWS integration tutorial.

(2) Applying the Updated Workflow

You can apply the latest workflow by following the steps below:

danger

The procedure below overwrites the workflow registered on Shisho Cloud. If you have set parameters on Shisho Cloud, or have made changes to the Rego policy, please be sure to back up your existing Shisho Cloud manifest using the following command:

SHISHO_ORG_ID="Your Shisho Cloud Organization ID"
shishoctl workflow export --structured --org "$SHISHO_ORG_ID" --path .

We are also considering providing a versioning feature for workflows on Shisho Cloud. If you accidentally overwrite a workflow and lose parameter settings for the workflow, please contact Flatt Security Support.

info

If you have never used the shishoctl command, please refer to the tutorial to set it up.

SHISHO_ORG_ID="Your Shisho Cloud Organization ID"

# Gather the latest workflow
git clone https://github.com/flatt-security/shisho-cloud-managed-workflows
cd ./shisho-cloud-managed-workflows

# Apply the policy corresponding to CIS AWS Foundations Benchmark v1.5.0 to the $SHISHO_ORG organization
shishoctl workflow apply --org "$SHISHO_ORG_ID" -f ./workflows/cis-benchmark/aws-v1.5.0

# Apply the policy corresponding to CIS Google Cloud Foundations Benchmark v1.3.0 to $SHISHO_ORG organization
shishoctl workflow apply --org "$SHISHO_ORG_ID" -f ./workflows/cis-benchmark/googlecloud-v1.3.0

(3) Applying to your own GitHub Repository

If you have created a repository to store policy codes with the procedure described in the GitHub Actions tutorial, perform the following steps after updating the workflow on Shisho Cloud with the above steps:

SHISHO_ORG_ID="Your Shisho Cloud Organization ID"

# Get your organization's GitHub repository
git clone <URL of the GitHub repository> ./repo
cd ./repo

# Export the updated workflow from Shisho Cloud again
shishoctl workflow export --structured --org "$SHISHO_ORG_ID" --path .

# Review the differences
git diff

# ... decide to incorporate changes, commit, and push

If you have created a fork from flatt-security/shisho-cloud-managed-workflows, please merge the latest branch of the same repository and incorporate the differences.