
CIS Benchmarks

The Center for Internet Security (CIS) Benchmarks are globally recognized security configuration standards. Cloudgeni automates CIS compliance assessment across your cloud infrastructure.

CIS Coverage

  • CIS 3.0 for Oracle Cloud - Full benchmark coverage
  • 400+ automated checks across cloud services
  • Scored and unscored recommendations
  • Level 1 and Level 2 profiles supported

Understanding CIS Benchmarks

Benchmark Structure

CIS Benchmarks organize recommendations into:
Component        Description
Sections         Major security domains (IAM, Logging, etc.)
Recommendations  Specific security configurations
Profiles         Level 1 (essential) or Level 2 (defense in depth)
Scoring          Scored (measurable, counts toward the compliance score) or Unscored (procedural, reported but not counted). Newer CIS releases label these Automated and Manual; Cloudgeni uses the Scored/Unscored terms throughout.

Profile Levels

Level    Description                                     Use Case
Level 1  Essential security, minimal performance impact  All environments
Level 2  Defense in depth, may impact usability          High-security environments

CIS for Oracle Cloud Infrastructure (OCI)

Section 1: Identity and Access Management

Recommendation  Level  Scored  Description
1.1             L1     Yes     Ensure MFA is enabled for all users
1.2             L1     Yes     Ensure API keys rotate within 90 days
1.3             L1     Yes     Ensure all users have a valid email address
1.4             L1     Yes     Ensure IAM password policy requires a minimum length
1.5             L1     Yes     Ensure IAM password policy requires uppercase characters
1.6             L1     Yes     Ensure IAM password policy requires lowercase characters
1.7             L1     Yes     Ensure IAM password policy requires symbols
1.8             L1     Yes     Ensure IAM password policy requires numbers
1.9             L1     Yes     Ensure IAM policies restrict tenancy admin
1.10            L2     Yes     Ensure IAM administrators use dedicated admin accounts
1.11            L1     Yes     Ensure service account keys rotate within 90 days
1.12            L1     Yes     Ensure user groups don't have direct IAM policy
1.13            L1     Yes     Ensure policies don't allow all resources in tenancy
1.14            L2     Yes     Ensure MFA is enabled for Federation users
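The two policy checks (1.9 and 1.13) and the 90-day key age checks (1.2 and 1.11) are easy to reproduce offline from exported policy statements and key metadata. The block below is an added example, not Cloudgeni's own check code. It assumes OCI's documented statement syntax (Allow <subject> to <verb> <resource-type> in <scope> [where ...]) with subjects given by name rather than OCID, that the tenancy administrators group is called Administrators (pass admin_group= if yours differs), and that key timestamps are RFC 3339 with a zone, as the OCI ApiKey object reports them. Which statements map to 1.9 versus 1.13 is this example's interpretation; the sample statements and keys are constructed.

```python
"""Added example (not Cloudgeni code): static checks in the spirit of
recommendations 1.9, 1.13, 1.2 and 1.11 of the IAM table above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# OCI policy statement grammar (names only; OCIDs and quoted names with
# spaces are not handled and fall through to manual review).
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+
        (?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)
        \s+to\s+(?P<verb>inspect|read|use|manage)
        \s+(?P<resource>[\w-]+)
        \s+in\s+(?P<scope>tenancy|compartment\s+\S+)
        (?:\s+where\s+(?P<where>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Finding:
    recommendation: str   # "1.9", "1.13" or "manual"
    statement: str
    reason: str


def check_statements(statements, admin_group="Administrators"):
    """Flag tenancy-wide grants to anyone but the admin group.

    1.9  : 'manage all-resources in tenancy' for a subject other than admin_group
    1.13 : 'use all-resources in tenancy' for any other subject (read/inspect are
           left alone; auditor groups legitimately read everything)
    A 'where' clause does not clear a finding: the grant is still tenancy-wide
    and the condition needs a human eye. Unparseable lines go to manual review."""
    admin_subject = f"group {admin_group}".lower()
    findings = []
    for raw in statements:
        m = STATEMENT_RE.match(raw)
        if not m:
            findings.append(Finding("manual", raw, "statement did not parse"))
            continue
        subject = " ".join(m["subject"].split()).lower()
        verb, resource, scope = (m[g].lower() for g in ("verb", "resource", "scope"))
        if resource != "all-resources" or scope != "tenancy" or subject == admin_subject:
            continue
        if verb == "manage":
            findings.append(Finding("1.9", raw, f"{subject} can manage every resource in the tenancy"))
        elif verb == "use":
            findings.append(Finding("1.13", raw, f"{subject} is granted all-resources tenancy-wide"))
    return findings


def _parse_ts(value):
    """RFC 3339 string (or datetime) -> aware datetime. Naive values are
    rejected rather than guessed: a wrong zone can hide a key just over the line."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamps must carry a timezone")
    return value


def keys_due_for_rotation(api_keys, now, max_age_days=90):
    """Fingerprints of keys created more than max_age_days before `now`.
    api_keys: dicts with 'fingerprint' and 'time_created' (OCI ApiKey fields)."""
    cutoff = _parse_ts(now) - timedelta(days=max_age_days)
    return [k["fingerprint"] for k in api_keys if _parse_ts(k["time_created"]) < cutoff]


# Constructed sample data (hypothetical tenancy)
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevOps to manage all-resources in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group NetAdmins to manage virtual-network-family in compartment Prod",
    "Allow any-user to use all-resources in tenancy where request.principal.type = 'instance'",
]
SAMPLE_KEYS = [
    {"fingerprint": "aa:11:22:33", "time_created": "2024-01-15T09:30:00Z"},
    {"fingerprint": "bb:44:55:66", "time_created": "2024-04-01T12:00:00+00:00"},
]

if __name__ == "__main__":
    for f in check_statements(SAMPLE_STATEMENTS):
        print(f.recommendation, "|", f.statement, "|", f.reason)
    print("rotate:", keys_due_for_rotation(SAMPLE_KEYS, "2024-06-01T00:00:00Z"))
```

Run against the sample, the DevOps statement is a 1.9 finding, the any-user grant is a 1.13 finding, and the Administrators, Auditors and NetAdmins statements pass; with the constructed "now" of 1 June 2024 only the January key is over 90 days old. Feed it `oci iam policy list` output (the statements field) and `oci iam user api-key list` output to run it on a real tenancy.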

Section 2: Logging and Monitoring

Recommendation  Level  Scored  Description
2.1             L1     Yes     Ensure audit log retention is 365 days
2.2             L1     Yes     Ensure default VCN logging is enabled
2.3             L1     Yes     Ensure Object Storage bucket has logging enabled
2.4             L2     Yes     Ensure Flow Logs capture rejected traffic
2.5             L1     Yes     Ensure security notifications are enabled
2.6             L1     Yes     Ensure Cloud Guard is enabled
2.7             L1     Yes     Ensure Cloud Guard responders are enabled

Section 3: Networking

Recommendation  Level  Scored  Description
3.1             L1     Yes     Ensure security lists restrict SSH to specific IPs
3.2             L1     Yes     Ensure security lists restrict RDP to specific IPs
3.3             L1     Yes     Ensure no security list allows ingress from 0.0.0.0/0
3.4             L2     Yes     Ensure Network Security Groups are used
3.5             L1     Yes     Ensure VCN has inbound security rules
3.6             L1     Yes     Ensure no NSG allows ingress from 0.0.0.0/0
3.7             L2     Yes     Ensure FastConnect/VPN is used for on-prem connectivity

Section 4: Object Storage

Recommendation  Level  Scored  Description
4.1             L1     Yes     Ensure Object Storage buckets are not public
4.2             L1     Yes     Ensure Object Storage uses customer-managed keys
4.3             L2     Yes     Ensure Object Storage has versioning enabled
4.4             L1     Yes     Ensure pre-authenticated requests are time-limited

Section 5: Block Volumes

Recommendation  Level  Scored  Description
5.1             L1     Yes     Ensure Block Volumes use customer-managed keys
5.2             L2     Yes     Ensure Block Volume backups are encrypted
5.3             L1     Yes     Ensure boot volumes use customer-managed keys

Section 6: Database

Recommendation  Level  Scored  Description
6.1             L1     Yes     Ensure Autonomous DB uses customer-managed keys
6.2             L1     Yes     Ensure DB systems use customer-managed keys
6.3             L2     Yes     Ensure DB backups use customer-managed keys
6.4             L1     Yes     Ensure Database Management is enabled

Section 7: Compute

Recommendation  Level  Scored  Description
7.1             L1     Yes     Ensure compute instances don't have public IPs
7.2             L1     Yes     Ensure OS Management is enabled
7.3             L2     Yes     Ensure Vulnerability Scanning is enabled
7.4             L1     Yes     Ensure instance metadata v2 is used (legacy IMDSv1 endpoint disabled)

Using CIS Benchmarks in Cloudgeni

Running Assessment

  1. Go to Compliance in Cloudgeni
  2. Select CIS 3.0 (for OCI accounts)
  3. Click Run Assessment
  4. Review findings by section

Filtering Results

Filter by:
  • Level - Show only Level 1 or Level 2
  • Scored - Show scored recommendations only
  • Status - Pass, Fail, or Manual review
  • Section - IAM, Networking, Storage, etc.

Compliance Score

CIS score calculation:
Score (%) = Passing Scored Recommendations / Total Scored Recommendations × 100
Unscored recommendations are excluded from both numerator and denominator, so procedural items appear in the report but do not move the score.

Score      Status     Interpretation
90-100%    Excellent  Meeting CIS best practices
75-89%     Good       Minor gaps to address
50-74%     Fair       Significant improvements needed
Below 50%  Poor       Major security gaps
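The formula and the Level/Section filters from "Filtering Results" together define what a number like "75%" actually means. The block below is an added example, not Cloudgeni's scoring code, and the Result fields are an assumption modelled on the page's columns. How a scored recommendation still awaiting manual review is counted is this example's choice: it counts as not passing, so the score never flatters. The sample results are constructed.

```python
"""Added example (not Cloudgeni code): the CIS score formula above, with the
Level and Section filters, applied to a list of assessment results."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    rec_id: str     # e.g. "1.1"
    section: str    # e.g. "IAM"
    level: int      # 1 or 2
    scored: bool    # False = unscored/procedural; never affects the score
    status: str     # "Pass", "Fail" or "Manual"


# Lower bound of each band from the table above, checked from the top down
BANDS = [(90.0, "Excellent"), (75.0, "Good"), (50.0, "Fair"), (0.0, "Poor")]


def cis_score(results, level=None, section=None):
    """Passing scored / total scored x 100, rounded to one decimal.
    Returns None when no scored recommendation is in scope, rather than 0 or
    100, so an empty slice reads as 'not assessed' instead of perfect or failed."""
    scope = [r for r in results if r.scored
             and (level is None or r.level == level)
             and (section is None or r.section == section)]
    if not scope:
        return None
    passing = sum(1 for r in scope if r.status == "Pass")   # Fail and Manual both miss
    return round(100.0 * passing / len(scope), 1)


def band(score):
    if score is None:
        return "Not assessed"
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Poor"


def section_breakdown(results, level=None):
    """Section -> score, the 'Section Breakdown' part of the report."""
    return {s: cis_score(results, level=level, section=s)
            for s in sorted({r.section for r in results})}


# Constructed sample results (hypothetical; 4.5 is an invented unscored item)
SAMPLE_RESULTS = [
    Result("1.1", "IAM", 1, True, "Pass"),
    Result("1.2", "IAM", 1, True, "Fail"),
    Result("1.10", "IAM", 2, True, "Pass"),
    Result("2.1", "Logging", 1, True, "Pass"),
    Result("2.4", "Logging", 2, True, "Fail"),
    Result("3.3", "Networking", 1, True, "Pass"),
    Result("3.7", "Networking", 2, True, "Manual"),
    Result("4.5", "Storage", 1, False, "Pass"),   # unscored: reported, not counted
]

if __name__ == "__main__":
    overall = cis_score(SAMPLE_RESULTS)
    print(f"overall {overall}% ({band(overall)})")
    print("level 1:", cis_score(SAMPLE_RESULTS, level=1), "level 2:", cis_score(SAMPLE_RESULTS, level=2))
    print(section_breakdown(SAMPLE_RESULTS))
```

On the sample, the overall score is 57.1% (Fair) while the Level 1 slice alone is 75.0% (Good) and Level 2 is 33.3% (Poor), which is why the Level filter matters when reading a single headline number; the Storage section, having only an unscored item, is reported as not assessed rather than 100%.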

Implementation Guide

Level 1 Implementation

Start with Level 1 recommendations:
  1. Identity & Access
    • Enable MFA for all users
    • Implement password policies
    • Restrict admin access
  2. Logging
    • Enable audit logging
    • Configure 365-day retention
    • Set up security notifications
  3. Networking
    • Review security list rules
    • Remove 0.0.0.0/0 ingress
    • Restrict SSH/RDP access
  4. Storage
    • Make buckets private
    • Use customer-managed keys from OCI Vault (OCI already encrypts storage at rest with Oracle-managed keys; the recommendation is about who controls the key and its rotation)

Level 2 Implementation

After achieving Level 1 compliance:
  1. Advanced IAM
    • Dedicated admin accounts
    • Federation MFA
    • Regular access reviews
  2. Enhanced Monitoring
    • Flow log analysis
    • Cloud Guard responders
    • Vulnerability scanning
  3. Defense in Depth
    • Network Security Groups
    • VPN/FastConnect
    • Advanced encryption

Remediation

Automated Fixes

Many CIS recommendations can be auto-remediated:
Recommendation         Auto-Remediate  Fix
1.1 MFA                Manual          Requires user enrollment
2.1 Audit retention    Yes             Update audit retention period
3.1 SSH restriction    Yes             Update security list (replace the 0.0.0.0/0 source on port 22 with approved CIDRs)
4.1 Bucket public      Yes             Set the bucket public access type to NoPublicAccess
5.1 Volume encryption  Yes             Assign a customer-managed Vault key to the volume
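The Networking checks (3.1 to 3.3 in the Section 3 table above) and the "Update security list" fix in the table just above are two halves of one operation: find the world-open rules, then narrow them without breaking rules that were intentionally broad. The block below is an added example, not Cloudgeni's scanner or remediation code. Rule dictionaries use the field names of OCI's IngressSecurityRule API object (protocol as an IANA number string or "all", source, sourceType, tcpOptions.destinationPortRange); the security list itself is constructed. It follows 3.3 as the page states it, so a public HTTPS rule is reported under 3.3 as well.

```python
"""Added example (not Cloudgeni code): evaluate a security list for 3.1-3.3
and produce the narrowed rule set for the 'Update security list' fix."""
import copy
import ipaddress

SSH, RDP = 22, 3389
TCP, ALL = "6", "all"   # OCI encodes protocol as an IANA number string, or "all"


def is_world_open(rule):
    """True when the source is the entire IPv4 or IPv6 space (0.0.0.0/0, ::/0)."""
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False   # SERVICE_CIDR_BLOCK sources are Oracle services, not the internet
    try:
        return ipaddress.ip_network(rule["source"], strict=False).prefixlen == 0
    except ValueError:
        return False


def tcp_port_range(rule):
    """(min, max) destination ports reachable over TCP, or None if TCP is not admitted.
    A TCP rule with no destinationPortRange admits every port."""
    if rule.get("protocol") == ALL:
        return (1, 65535)
    if rule.get("protocol") != TCP:
        return None
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return (rng["min"], rng["max"]) if rng else (1, 65535)


def exposes_port(rule, port):
    rng = tcp_port_range(rule)
    return is_world_open(rule) and rng is not None and rng[0] <= port <= rng[1]


def evaluate(security_list):
    """Recommendation -> indexes of offending ingress rules."""
    rules = security_list["ingressSecurityRules"]
    return {
        "3.1": [i for i, r in enumerate(rules) if exposes_port(r, SSH)],
        "3.2": [i for i, r in enumerate(rules) if exposes_port(r, RDP)],
        "3.3": [i for i, r in enumerate(rules) if is_world_open(r)],
    }


def restrict_port(security_list, port, allowed_cidrs):
    """Replace each world-open rule that admits exactly `port` over TCP with one
    rule per allowed CIDR of the same address family. Broader rules (all
    protocols, all ports, a range, or no allowed CIDR of that family) are left
    in place and returned for manual splitting: narrowing them blindly could
    drop traffic the list was meant to allow. The input is not mutated."""
    new_list = copy.deepcopy(security_list)
    rewritten, unresolved = [], []
    for rule in new_list["ingressSecurityRules"]:
        if not exposes_port(rule, port):
            rewritten.append(rule)
            continue
        family = ipaddress.ip_network(rule["source"], strict=False).version
        replacements = [c for c in allowed_cidrs if ipaddress.ip_network(c).version == family]
        if rule["protocol"] == TCP and tcp_port_range(rule) == (port, port) and replacements:
            for cidr in replacements:
                narrowed = copy.deepcopy(rule)
                narrowed["source"] = str(ipaddress.ip_network(cidr))
                rewritten.append(narrowed)
        else:
            rewritten.append(rule)
            unresolved.append(rule)
    new_list["ingressSecurityRules"] = rewritten
    return new_list, unresolved


# Constructed sample: a default security list with a few common mistakes
SAMPLE_LIST = {"displayName": "Default Security List for vcn-prod", "ingressSecurityRules": [
    {"protocol": TCP, "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},       # SSH from anywhere
    {"protocol": TCP, "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},     # HTTPS from anywhere
    {"protocol": ALL, "source": "::/0", "sourceType": "CIDR_BLOCK"},         # everything over IPv6
    {"protocol": TCP, "source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 3389, "max": 3389}}},   # RDP from the VCN only
    {"protocol": "1", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
     "icmpOptions": {"type": 3, "code": 4}},                                 # ICMP path MTU discovery
]}

if __name__ == "__main__":
    print(evaluate(SAMPLE_LIST))
    fixed, todo = restrict_port(SAMPLE_LIST, SSH, ["203.0.113.0/24", "198.51.100.7/32"])
    print(evaluate(fixed), "still to split by hand:", todo)
```

On the sample, 3.1 flags the explicit SSH rule and the all-protocols IPv6 rule, 3.2 flags only the IPv6 rule (the RDP rule is scoped to the VCN), and 3.3 flags every 0.0.0.0/0 or ::/0 source including HTTPS and ICMP. Narrowing SSH to two approved CIDRs rewrites the explicit rule but hands the ::/0 all-protocols rule back as unresolved, since there is no approved IPv6 CIDR and the rule carries far more than SSH; that is the manual step an auto-remediation should refuse to guess at.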

Manual Remediation

Some recommendations require manual action:
Category              Examples
User configuration    MFA enrollment, password changes
Architecture changes  VPN setup, network redesign
Process changes       Access reviews, training

Reporting

CIS Report Generation

  1. Go to Compliance > CIS 3.0
  2. Click Generate Report
  3. Select options:
    • Level (1, 2, or both)
    • Scored only or all
    • Date range
  4. Download PDF

Report Contents

Section            Contents
Executive Summary  Overall score, trends
Section Breakdown  Score by CIS section
Recommendations    Pass/fail for each
Evidence           Configuration details
Remediation Plan   Prioritized fixes

CIS for Other Clouds

While Cloudgeni currently provides full CIS 3.0 support for OCI, compliance for AWS, Azure, and GCP is covered through:
Framework           AWS                   Azure                 GCP
CIS-aligned checks  Via SOC 2, ISO 27001  Via SOC 2, ISO 27001  Via SOC 2, ISO 27001
Direct CIS          Coming soon           Coming soon           Coming soon
CIS Benchmarks for AWS, Azure, and GCP are on our roadmap. Many CIS controls are already covered through SOC 2 and ISO 27001 frameworks.