AWS Conformance packs for NIST 800-53 and CIS


Hi AWS, we have to deploy AWS Conformance Packs for NIST 800-53 and CIS across multiple AWS accounts in an Organization deployed using Control Tower. We have to do it across 10 AWS accounts.

Here are the GitHub repo links for the same:

  1. Deploy NIST 800-53 Conformance Packs: https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-800-53-rev-5.yaml
  2. Deploy CIS Benchmark Conformance Packs: https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level2.yaml

I need to know what the right way to deploy them is: account by account, or using Control Tower, and if so, how. I also need to run a report for the above two Conformance Packs showing non-compliant or missing configs.

Please help.

1 Answer

There are two main approaches to deploying your NIST 800-53 and CIS conformance packs across your 10 AWS accounts:

1. Account-by-Account Deployment:

This method involves manually deploying the conformance packs to each account individually. You can achieve this using the AWS Config console or the AWS CLI. While straightforward for a small number of accounts, it becomes cumbersome and error-prone for 10 accounts.

2. Deployment using Control Tower (Recommended):

This method leverages Control Tower's capabilities for centralized management across your organization. Here's how to achieve this:

https://aws.amazon.com/blogs/mt/extend-aws-control-tower-governance-using-aws-config-conformance-packs/

Associate Managed Rules with Accounts:

https://aws.amazon.com/blogs/mt/customize-aws-config-resource-tracking-in-aws-control-tower-environment/

EXPERT
answered 4 months ago
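As an added example (not part of the answer above or of the awslabs repository), the script below shows what the Control Tower / Organizations route looks like in code and how to produce the "non-compliant or missing" report the question asks for. It uses three AWS Config APIs: PutOrganizationConformancePack to deploy one pack to every account from the Config delegated administrator (typically the Control Tower Audit account) or the management account, GetOrganizationConformancePackDetailedStatus to find accounts where the deployment is absent or failed, and DescribeConformancePackCompliance / GetConformancePackComplianceDetails for the rule and resource view. The last two are per-account APIs: run them in each member account (for example via an assumed role) against that account's local pack name, which for organization packs is prefixed `OrgConformsPack-`, or use a Config aggregator for the cross-account view. The pack name, S3 template URI, account IDs and API responses below are constructed placeholders, and INSUFFICIENT_DATA is treated as a gap because it usually means the recorder is not tracking the rule's resource type.

```python
"""Deploy an organization conformance pack and report deployment/compliance gaps.

Added example, not from the original post. Assumes boto3 credentials for the
Config delegated administrator or the Organizations management account when run
live; without them it reports on the constructed sample data at the bottom.
"""
import json

HEALTHY = {"CREATE_SUCCESSFUL", "UPDATE_SUCCESSFUL"}
GAP_TYPES = {"NON_COMPLIANT", "INSUFFICIENT_DATA"}


def paginate(call, key, **kwargs):
    """Collect every item under `key` from a NextToken-paginated Config API call."""
    items, token = [], None
    while True:
        page = call(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(page.get(key, []))
        token = page.get("NextToken")
        if not token:
            return items


def deploy_org_pack(config, pack_name, template_s3_uri, excluded_accounts=()):
    """One call deploys the pack to every account in the organization."""
    return config.put_organization_conformance_pack(
        OrganizationConformancePackName=pack_name,
        TemplateS3Uri=template_s3_uri,  # e.g. the NIST/CIS YAML uploaded to your bucket
        ExcludedAccounts=list(excluded_accounts),
    )


def deployment_gaps(detailed_statuses, expected_accounts):
    """Accounts where the pack is missing or not in a *_SUCCESSFUL state.
    `detailed_statuses` is GetOrganizationConformancePackDetailedStatus output."""
    status_by_account = {s["AccountId"]: s["Status"] for s in detailed_statuses}
    return {
        acct: status_by_account.get(acct, "MISSING")
        for acct in expected_accounts
        if status_by_account.get(acct) not in HEALTHY
    }


def failing_rules(rule_compliance):
    """(rule, compliance, controls) for NON_COMPLIANT / INSUFFICIENT_DATA rules,
    from DescribeConformancePackCompliance, sorted by rule name."""
    return sorted(
        (r["ConfigRuleName"], r["ComplianceType"], r.get("Controls", []))
        for r in rule_compliance
        if r["ComplianceType"] in GAP_TYPES
    )


def noncompliant_resources(evaluation_results):
    """rule name -> sorted 'Type/Id' of NON_COMPLIANT resources,
    from GetConformancePackComplianceDetails."""
    out = {}
    for ev in evaluation_results:
        if ev["ComplianceType"] != "NON_COMPLIANT":
            continue
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        out.setdefault(q["ConfigRuleName"], []).append(f'{q["ResourceType"]}/{q["ResourceId"]}')
    return {rule: sorted(ids) for rule, ids in out.items()}


def build_report(statuses, rules, evaluations, expected_accounts):
    return {
        "deployment_gaps": deployment_gaps(statuses, expected_accounts),
        "failing_rules": [{"rule": n, "compliance": c, "controls": k} for n, c, k in failing_rules(rules)],
        "noncompliant_resources": noncompliant_resources(evaluations),
    }


# Constructed sample responses shaped like the real API output (placeholder IDs).
# Real rule names inside a pack carry a generated suffix after the managed-rule name.
PACK = "nist-800-53-rev5"
EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SAMPLE_STATUS = [
    {"AccountId": "111111111111", "ConformancePackName": f"OrgConformsPack-{PACK}", "Status": "CREATE_SUCCESSFUL"},
    {"AccountId": "222222222222", "ConformancePackName": f"OrgConformsPack-{PACK}", "Status": "CREATE_FAILED"},
]
SAMPLE_RULES = [
    {"ConfigRuleName": "cloudtrail-enabled", "ComplianceType": "NON_COMPLIANT", "Controls": ["AU-2"]},
    {"ConfigRuleName": "root-account-mfa-enabled", "ComplianceType": "COMPLIANT", "Controls": ["IA-2"]},
    {"ConfigRuleName": "iam-password-policy", "ComplianceType": "INSUFFICIENT_DATA", "Controls": ["IA-5"]},
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "ComplianceType": "NON_COMPLIANT", "Controls": ["AC-3"]},
]
def _ev(rule, rtype, rid, ctype):
    return {"ComplianceType": ctype, "EvaluationResultIdentifier": {"EvaluationResultQualifier":
            {"ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}}}
SAMPLE_EVALS = [
    _ev("cloudtrail-enabled", "AWS::::Account", "111111111111", "NON_COMPLIANT"),
    _ev("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "logs-bucket-b", "NON_COMPLIANT"),
    _ev("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "logs-bucket-a", "NON_COMPLIANT"),
    _ev("root-account-mfa-enabled", "AWS::::Account", "111111111111", "COMPLIANT"),
]


def main(local_pack_name=f"OrgConformsPack-{PACK}"):
    """Live data when boto3 and credentials exist; otherwise the constructed sample."""
    try:
        import boto3
        config = boto3.client("config")
        statuses = paginate(config.get_organization_conformance_pack_detailed_status,
                            "OrganizationConformancePackDetailedStatuses", OrganizationConformancePackName=PACK)
        rules = paginate(config.describe_conformance_pack_compliance,
                         "ConformancePackRuleComplianceList", ConformancePackName=local_pack_name)
        evals = paginate(config.get_conformance_pack_compliance_details,
                         "ConformancePackRuleEvaluationResults", ConformancePackName=local_pack_name)
    except Exception:
        statuses, rules, evals = SAMPLE_STATUS, SAMPLE_RULES, SAMPLE_EVALS
    print(json.dumps(build_report(statuses, rules, evals, EXPECTED_ACCOUNTS), indent=2))


if __name__ == "__main__":
    main()
```

Run it once from the delegated administrator to check deployment status across the 10 accounts, then once per member account (or against the aggregator) for the rule and resource detail; `deploy_org_pack` is called separately with each of the two templates uploaded to S3. Repeat the same deployment and report for the CIS pack.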
