Cavirin Blog

CIS AWS Benchmark

Cavirin’s Platform manages the day-to-day challenges of implementing security best practices and assessing operational risk against the major compliance frameworks, including PCI, CIS, HIPAA, ISO, NIST, DISA and many more for on-premise, clouds and hybrid environments. It was purpose built as a single solution for managing risk and compliance in the enterprise. It works in the data center environment as well as in the cloud. It becomes a single compliance fabric that you can extend across your entire network, applying the same policies everywhere. Cavirin’s solution continuously monitors the entire environment and maps changes against operational and regulatory policies. By elevating the visibility of network changes as they happen, Cavirin ensures that you are always in a position to evaluate your level of risk and compliance and adjust it to suit your business’s unique needs. 

Control Your Cloud

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this blog provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment, ranging from several CIS benchmarks to regulatory requirements such as PCI.

Today, we are pleased to announce the availability of Network Security Policies designed specifically for your AWS environment. These network policies are built around the best practice:

“Ensure no security group allows ingress from or from the world on any port”

This policy pack contains all IANA registered ports and protocols.

You can use this policy pack to address the following security requirements:

  1. Ensure that SSH connections are not open to the world
  2. Ensure that DB ports are not open to the world
  3. Ensure that any other critical ports are not open to the world

Blocking unsolicited access (and with it casual port scans) is essential to the upkeep of your infrastructure. If a port is open to the world, any known vulnerability in the service behind it could potentially be exploited to gain control of the host. Removing unfettered connectivity to remote console services such as RDP and SSH likewise reduces a server's exposure to risk and shrinks the overall attack surface.

Scanning your security groups is straightforward in Cavirin's platform: select the region(s) you want to scan and it automatically sweeps through your entire list of security groups.

By default, the policy pack currently contains *6221 ports*, the ports currently allocated by IANA. The only exceptions are port 80 and port 443, which are left open to allow web server traffic.
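As an added example (not Cavirin's code), the following Python audits security-group ingress rules in the structure the EC2 DescribeSecurityGroups API returns and flags every rule open to the world on anything other than exactly port 80 or exactly port 443. It assumes "the world" means the 0.0.0.0/0 and ::/0 CIDRs, and the security-group data is constructed, not taken from a real account.

```python
# Added audit example (not Cavirin's code). Assumes "the world" means the
# 0.0.0.0/0 and ::/0 CIDRs and that only ports 80 and 443 are exempt.
from typing import Dict, List, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_WORLD_PORTS = {80, 443}  # web-server exception named in the post

def rule_is_world_open(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)

def port_span(perm: Dict) -> Tuple[int, int]:
    """Ports a rule covers; protocol '-1' (all traffic) has no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])

def find_violations(groups: List[Dict]) -> List[Tuple[str, str, int, int]]:
    """(GroupId, protocol, from, to) for each world-open rule whose range is
    anything other than exactly port 80 or exactly port 443."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            lo, hi = port_span(perm)
            if not (lo == hi and lo in ALLOWED_WORLD_PORTS):
                findings.append((sg["GroupId"], perm.get("IpProtocol", "-1"), lo, hi))
    return findings

# Constructed sample shaped like an EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # allowed
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # SSH open
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # too wide
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                       # DB open v6
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all ports
    ]},
]
```

Note that a range such as 80-443 is flagged even though both ends are exempt ports, because every port in between is also exposed.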

For those of you who run your IT and business computing infrastructure on the Amazon Public Cloud (AWS), the concept of "tagging" is not new. Tagging is a grouping mechanism in AWS that lets you organize your cloud resources under user-friendly labels for easy identification. For example, a major healthcare corporation could create groups of cloud resources, label them with tags such as "patient info", "billing", and "patient notifications", and assign dedicated workloads to each.


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.
