
Use of Security Benchmarks in Cloud Configuration Assessment

In cloud security, implementing controls is not enough on its own: the configuration those controls produce has to be measured against a defined security standard. Security benchmarks provide that standard, in the form of structured, checkable guidelines that let an organisation determine whether its cloud environment meets recognised best practice. Within this project, security benchmarks were the primary yardstick for judging the efficacy of the selected AWS security controls.

Role of Security Benchmarks

Security benchmarks are sets of predefined configuration standards intended to improve system security, and they have become a common tool for evaluating the overall security posture of cloud-based systems. For AWS specifically, the CIS AWS Foundations Benchmark (Center for Internet Security, n.d.) is widely adopted for this purpose. It groups its recommendations into areas such as Identity and Access Management (IAM), logging, monitoring and account configuration, and each area consists of individual checks that can be tested one by one.

Applying a security benchmark turns general security principles into quantifiable requirements. The principle of strong access control, for example, merely suggests that users should use multi-factor authentication; the benchmark states it as discrete, testable conditions, such as MFA being enabled for the root user, no access keys existing for the root user, MFA being enabled for every IAM user that has a console password, and CloudTrail being enabled in all regions so that the relevant log data is captured. Each condition is either met or not, so it can be checked automatically and counted.

Applied consistently, a benchmark therefore gives a repeatable measurement of an organisation's cloud environment and a concrete list of its weaknesses.

Application To This Project

Within this project, the CIS AWS Foundations Benchmark was the primary means of measuring each component of the AWS test environment. The environment was first evaluated against the benchmark in its baseline state to identify the misconfigurations that existed. After the selected IAM and logging controls were implemented, the environment was evaluated again against the same benchmark version. Holding the standard fixed across both passes kept the evaluations consistent and gave a direct basis for comparing the initial and final states.

Using a recognised industry standard reduces subjectivity in the evaluation: each finding is a pass or fail against a published check rather than an assessor's judgement, so the results are reproducible and are anchored to known best practice. Improvements between the two evaluations are therefore readily identifiable.
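As an added illustration (not code from the project described on this page), the following Python script shows how benchmark recommendations of the kind listed above become pass/fail checks, and how a baseline evaluation and a post-remediation evaluation are compared. The checks run over the parsed output of read-only AWS calls (iam get-account-summary, get-account-password-policy, get-credential-report, and cloudtrail describe-trails / get-trail-status) rather than against a live account, so the two snapshots at the bottom are constructed sample data: the account ID, user names and trail name are placeholders, the credential report is trimmed to the columns the checks read, and copying each trail's IsLogging value from get-trail-status into the trail entry is an assumption about how the caller assembles the snapshot.

```python
"""Benchmark-style checks over snapshots of read-only AWS API responses.

A 'snapshot' is a dict of parsed JSON (assumed to be collected by the caller
with the AWS CLI or boto3):
  account_summary   -> iam get-account-summary, the "SummaryMap" object
  password_policy   -> iam get-account-password-policy "PasswordPolicy",
                       or None when the call raised NoSuchEntity
  credential_report -> iam get-credential-report, base64-decoded CSV text
  trails            -> cloudtrail describe-trails "trailList", each trail
                       with "IsLogging" copied in from get-trail-status
"""
import csv
import io

def root_mfa_enabled(snap):
    """CIS: Ensure MFA is enabled for the 'root' user account."""
    return snap["account_summary"].get("AccountMFAEnabled", 0) == 1

def no_root_access_keys(snap):
    """CIS: Ensure no 'root' user account access key exists."""
    return snap["account_summary"].get("AccountAccessKeysPresent", 0) == 0

def password_min_length_14(snap):
    """CIS: Ensure IAM password policy requires a minimum length of 14 or
    greater. An absent policy (NoSuchEntity) is a FAIL, not a crash."""
    policy = snap.get("password_policy")
    return policy is not None and policy.get("MinimumPasswordLength", 0) >= 14

def console_users_have_mfa(snap):
    """CIS: Ensure MFA is enabled for all IAM users with a console password.
    Root is skipped (its password_enabled is 'not_supported' in the report)
    since root_mfa_enabled covers it; access-key-only users are out of scope."""
    rows = csv.DictReader(io.StringIO(snap["credential_report"]))
    console_users = [r for r in rows if r["password_enabled"] == "true"]
    return all(r["mfa_active"] == "true" for r in console_users)

def cloudtrail_all_regions(snap):
    """CIS: Ensure CloudTrail is enabled in all regions. A multi-region trail
    that exists but is not currently logging does not count."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging")
               for t in snap["trails"])

def cloudtrail_log_validation(snap):
    """CIS: Ensure CloudTrail log file validation is enabled, on every trail."""
    trails = snap["trails"]
    return bool(trails) and all(t.get("LogFileValidationEnabled") for t in trails)

CHECKS = [root_mfa_enabled, no_root_access_keys, password_min_length_14,
          console_users_have_mfa, cloudtrail_all_regions, cloudtrail_log_validation]

def evaluate(snap):
    """Run every check once; returns {check_name: passed}."""
    return {check.__name__: bool(check(snap)) for check in CHECKS}

def passed_count(results):
    return sum(results.values()), len(results)

def compare(before, after):
    """Before/after rows (check, baseline, remediated, change) for the report."""
    rows = []
    for name in before:
        b, a = before[name], after[name]
        change = "fixed" if a and not b else "regressed" if b and not a else "unchanged"
        rows.append((name, b, a, change))
    return rows

def _credential_report(rows):
    """Constructed, trimmed credential-report CSV: only the columns read above."""
    return "user,arn,password_enabled,mfa_active\n" + "".join(",".join(r) + "\n" for r in rows)

# Constructed sample snapshots; 123456789012 is a placeholder account ID.
_ROOT = ("<root_account>", "arn:aws:iam::123456789012:root", "not_supported", "false")
_ALICE = "arn:aws:iam::123456789012:user/alice"
_BOT = "arn:aws:iam::123456789012:user/deploy-bot"

BASELINE = {  # root has keys and no MFA, no password policy, single-region trail
    "account_summary": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
    "password_policy": None,
    "credential_report": _credential_report([_ROOT, ("alice", _ALICE, "true", "false"),
                                             ("deploy-bot", _BOT, "false", "false")]),
    "trails": [{"Name": "mgmt", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": False, "IsLogging": True}],
}

HARDENED = {  # IAM and logging controls applied; log file validation still off
    "account_summary": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    "password_policy": {"MinimumPasswordLength": 14, "RequireSymbols": True},
    "credential_report": _credential_report([_ROOT, ("alice", _ALICE, "true", "true"),
                                             ("deploy-bot", _BOT, "false", "false")]),
    "trails": [{"Name": "mgmt", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": False, "IsLogging": True}],
}

if __name__ == "__main__":
    before, after = evaluate(BASELINE), evaluate(HARDENED)
    for name, b, a, change in compare(before, after):
        print(f"{name:28} {'PASS' if b else 'FAIL'} -> {'PASS' if a else 'FAIL'}  {change}")
    print("baseline %d/%d passed, remediated %d/%d passed"
          % (*passed_count(before), *passed_count(after)))
```

Two design points matter in practice. First, every check is a pure function of collected data, so the same code produces the baseline and the post-remediation results and the two are directly comparable; the `compare` output also flags any check that regressed, which a single before/after score would hide. Second, the failure modes are decided explicitly rather than left to chance: a missing password policy is a failed check rather than an exception, and a multi-region trail that has been switched off does not satisfy the all-regions check.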

Conclusion

Security benchmarks provide an objective and structured methodology for evaluating cloud configurations. Using the CIS AWS Foundations Benchmark throughout this project made the assessments of the selected AWS security controls consistent, measurable and aligned with industry best practice. That in turn makes the results more reliable and allows a more accurate determination of how the selected controls affect the risk of misconfiguration within an AWS environment.

Adedoyin .A. Oduwole

MSc student specialising in cloud security and applied cybersecurity research. My work focuses on evaluating cloud-based security controls, particularly within Amazon Web Services (AWS), with an emphasis on reducing misconfiguration risk through practical implementation and structured evaluation methods.


References

Center for Internet Security (n.d.) CIS Amazon Web Services Foundations Benchmark. Available at: https://www.cisecurity.org/benchmark/amazon_web_services (Accessed: 20 March 2026).

Amazon Web Services (n.d.-a) Shared responsibility model. Available at: https://aws.amazon.com/compliance/shared-responsibility-model/ (Accessed: 18 March 2026).
