CIS Amazon Web Services Three-tier Web Architecture Benchmark 1.0.0 Checklist Details (Checklist Revisions)
Supporting Resources:
- Download Prose - CIS Amazon Web Services Three-tier Web Architecture Benchmark v1.0.0
  - Center for Internet Security (CIS)
Target:
Target | CPE Name |
---|---|
Amazon Web Services | cpe:/a:amazon:web_services:- |
Checklist Highlights
- Checklist Name: CIS Amazon Web Services Three-tier Web Architecture Benchmark
- Checklist ID: 1120
- Version: 1.0.0
- Type: Compliance
- Review Status: Final
- Authority: Third Party: Center for Internet Security (CIS)
- Original Publication Date: 12/13/2016
Checklist Summary:
This document provides prescriptive guidance for establishing a secure operational posture for a three-tier Web architecture deployed to the Amazon Web Services environment. Notionally, the three-tier Web architecture consists of a single Virtual Private Cloud (VPC) within a single AWS account. The recommendations made in the CIS AWS Foundations Benchmark should be followed prior to completing these recommendations. This benchmark covers the necessary AWS configurations to establish ongoing operations of a three-tier Web architecture.

Specific Amazon Web Services in scope for this document include:
- Elastic Compute Cloud (EC2) - API Version 2016-04-01
- Virtual Private Cloud (VPC) - API Version 2016-04-01
- Identity and Access Management (IAM) - API Version 2010-05-08
- AWS Config - API Version 2014-11-12
- CloudFront CDN - API Version 2016-01-13
- CloudWatch - API Version 2010-08-01
- Amazon Relational Database Service (RDS) - API Version 2014-10-31
- Simple Notification Service (SNS) - API Version 2010-03-31
- AWS Certificate Manager (ACM) - API Version 2015-12-08
- Key Management Service (KMS) - API Version 2014-11-01

While this Benchmark explicitly covers 3-tier architectures featuring Internet, Application and Database tiers (with a Content Distribution Network in the form of CloudFront, which could be considered a fourth tier), the tiers and the interactions between them are readily generalisable to larger "n-tier" architectures incorporating further tiers such as service proxy and management tiers. In particular, Security Group, routing, subnetting and VPC considerations and configurations can be re-used for further tiers and the segregation of communication between these tiers and others.

To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.
Checklist Role:
- Virtualization Server
- Web Application Server
Known Issues:
Not provided.
Target Audience:
This document is intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in Amazon Web Services.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
feedback@cisecurity.org
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
- new checklist - 2/26/24
- updated status to FINAL - 3/28/24
- Updated Resources - 06/24/2024