
Amazon WorkSpaces CIS compliant Windows image guidelines

This document provides prescriptive guidance for configuring Amazon WorkSpaces Windows images using the Center for Internet Security (CIS) Benchmarks security standard.

Robert Fountain
Amazon Employee
Published Oct 8, 2024
Last Modified Oct 10, 2024

CIS Benchmarks are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses. Developed with a global community of security experts, the guidelines help organizations proactively safeguard against emerging risks. Companies implement the CIS Benchmark guidelines to limit configuration-based security vulnerabilities in their digital assets.

Why CIS Benchmarks?

Tools such as the CIS Benchmarks are important because they outline security best practices, developed by security professionals and subject matter experts, for deploying over 25 different vendor products. These best practices are a good starting point for creating a new product or service deployment plan or for verifying that existing deployments are secure.

Profile Levels

To help organizations achieve their unique security goals, the CIS assigns a profile level to each CIS Benchmark guideline. Each CIS profile includes recommendations that provide a different level of security. Organizations can choose a profile based on their security and compliance needs.

Level 1 profile

Configuration recommendations for the Level 1 profile are basic security recommendations for configuring IT systems. They are practical to follow and are intended to have little or no impact on business functionality or uptime. These recommendations reduce the number of entry points into your IT systems, thereby reducing your cybersecurity risk.

Level 2 profile

Level 2 profile configuration recommendations work best for highly sensitive data where security is a priority. Implementing these recommendations requires professional expertise and diligent planning to achieve comprehensive security with minimal disruptions. These recommendations can provide defense in depth but may impact the utility or performance of the system or incur additional costs.

STIG profile

The Security Technical Implementation Guide (STIG) is a set of configuration baselines from the Defense Information Systems Agency (DISA). The US Department of Defense publishes and maintains these security standards. STIGs are specifically written to meet US government requirements.
CIS Benchmarks can also specify a Level 3 STIG profile that is designed to help organizations comply with the STIG. Not all AWS Services have a relevant STIG, but DISA does recognize CIS Benchmarks as an alternative. The DoD Cloud Computing Security Requirements Guide (SRG), version 1, Release 4 provides the following guidance:

Impact Level 2 Systems

CIS Benchmarks are an acceptable alternative to STIGs.

Impact Level 4/5/6 Systems

CIS Benchmarks as a commercial equivalency to STIGs are evaluated on a case-by-case basis.

What CIS Benchmarks Apply to Amazon Workspaces?

The following CIS Benchmarks apply to the Amazon WorkSpaces family of services and are available from the CIS website.
  • Amazon Web Services Foundations Benchmark
  • AWS End User Compute Services Benchmark
  • Relevant OS Benchmark (e.g., Windows, Linux)
  • Relevant application Benchmarks (e.g., web browsers, business applications)
This list is a starting point and should not be considered a comprehensive list of all CIS Benchmarks that may apply to any given Amazon Workspaces environment.

Applying CIS Benchmarks to Amazon Workspaces

Getting Started

For each CIS Benchmark below, recommendations are called out individually only where WorkSpaces requires a notable deviation from the published audit or remediation procedure, where the recommendation does not apply, or where additional context is needed. Recommendations that are not called out can be applied as published.

Amazon Web Services Foundations Benchmark (v2.0.0)

This benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.

Identity and Access Management

This section focuses on recommendations for configuring identity and access management within AWS. While these recommendations may not affect Amazon Workspaces users directly, they help ensure security of foundational AWS systems used to manage Amazon Workspaces.
It is generally safe to apply the recommendations listed in this section to an Amazon Workspaces environment. The following are notable recommendations:
1.1.15 Ensure IAM Users Receive Permissions Only Through Groups
This configuration will primarily apply to administrators, DevOps engineers, etc. that are required to manage Amazon WorkSpaces and the supporting infrastructure. IAM Groups should be created for each distinct administrative role with appropriate attached IAM Policies.
1.1.16 Ensure IAM policies that allow full “*:*” administrative privileges are not attached
Each distinctive administrative role for Amazon Workspaces should be granted least privilege permissions required to perform a specific task. It is recommended to start with a minimum set of permissions and grant additional permissions as necessary.
1.1.18 Ensure IAM instance roles are used for AWS resources access from instances
This recommendation does not apply to WorkSpaces Personal, because a WorkSpace cannot have an IAM role attached. If a WorkSpace must call AWS APIs, do not store long-lived IAM user access keys on the desktop; instead use Amazon API Gateway as a credential-vending endpoint that authenticates the caller and uses AWS STS to assume a least-privilege IAM role, returning temporary credentials to the WorkSpace.
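
As an added example (not part of the original article), the following PowerShell audits an account for 1.1.15 and 1.1.16 with the AWS Tools for PowerShell. The function names and the two constructed sample policy documents are mine; the calls that touch a live account are commented out so the detection logic can be read and run without credentials. The check treats a statement as full administrative access when it is Effect Allow with Action "*" (or "*:*") and Resource "*", which is the condition 1.1.16 tests.

```powershell
# Added example (not from the original article): audit IAM for CIS AWS Foundations
# 1.1.15 (users get permissions only through groups) and 1.1.16 (no attached
# customer-managed policy grants full "*:*"). Needs iam:List*/iam:Get* permissions.
#Requires -Modules AWS.Tools.IdentityManagement

function Test-FullAdminStatement {
    # $true when a statement is Effect=Allow, Action "*" (or "*:*") and Resource "*".
    # Action and Resource may each be a single string or an array.
    param([Parameter(Mandatory)] $Statement)
    if ($Statement.Effect -ne 'Allow') { return $false }
    $actions   = @($Statement.Action)   | ForEach-Object { "$_" }
    $resources = @($Statement.Resource) | ForEach-Object { "$_" }
    return (($actions -contains '*' -or $actions -contains '*:*') -and ($resources -contains '*'))
}

function Test-PolicyDocumentGrantsFullAdmin {
    # $Document is the JSON policy text (already URL-decoded).
    param([Parameter(Mandatory)][string] $Document)
    $policy = $Document | ConvertFrom-Json
    foreach ($s in @($policy.Statement)) {      # Statement may be one object or an array
        if (Test-FullAdminStatement $s) { return $true }
    }
    return $false
}

function Get-FullAdminAttachedPolicies {
    # 1.1.16: customer-managed policies attached to at least one principal that
    # contain a full-admin statement. -Scope Local excludes AWS-managed policies.
    foreach ($p in Get-IAMPolicyList -Scope Local -OnlyAttached $true) {
        $version = Get-IAMPolicyVersion -PolicyArn $p.Arn -VersionId $p.DefaultVersionId
        $json    = [System.Uri]::UnescapeDataString($version.Document)   # API returns it URL-encoded
        if (Test-PolicyDocumentGrantsFullAdmin $json) { $p.Arn }
    }
}

function Get-UsersWithDirectPolicies {
    # 1.1.15: users that carry inline or directly attached managed policies
    # instead of receiving permissions through group membership.
    foreach ($u in Get-IAMUserList) {
        $inline   = @(Get-IAMUserPolicyList -UserName $u.UserName)
        $attached = @(Get-IAMAttachedUserPolicyList -UserName $u.UserName)
        if ($inline.Count -gt 0 -or $attached.Count -gt 0) {
            [pscustomobject]@{
                UserName         = $u.UserName
                InlinePolicies   = ($inline -join ',')
                AttachedPolicies = ($attached.PolicyName -join ',')
            }
        }
    }
}

# Constructed sample documents (not real account data) to exercise the detection logic offline.
$sampleFullAdmin = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}'
$sampleScoped    = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["workspaces:Describe*","workspaces:RebootWorkspaces"],"Resource":"*"}]}'
Test-PolicyDocumentGrantsFullAdmin $sampleFullAdmin   # the 1.1.16 violation
Test-PolicyDocumentGrantsFullAdmin $sampleScoped      # a least-privilege WorkSpaces operator policy

# Live checks against the account (uncomment when credentials are configured):
# Get-UsersWithDirectPolicies | Format-Table
# Get-FullAdminAttachedPolicies
```

Remediation for anything the live checks report is the one the Benchmark gives: move the user's permissions into an IAM group, and replace the full-admin policy with one scoped to the WorkSpaces administrative tasks the role actually performs.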

Storage

These recommendations focus on configuring AWS Storage services like Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS), and Amazon Elastic File System (EFS).
2.2.2.1 Ensure EBS Volume Encryption is Enabled in All Regions
This recommendation should be followed to apply default EBS encryption to any supporting WorkSpaces infrastructure. For WorkSpaces user desktops, follow the recommendation in the AWS End User Compute Services Benchmark under 2.2.3 Ensure Workspace volumes are encrypted.
2.2.4.1 Ensure that encryption is enabled for EFS file systems
EFS encryption at rest must be enabled when a file system is created and cannot be changed afterwards, so include it when creating every file system that supports WorkSpaces, including those used for user profiles and home drives. An existing unencrypted file system can only be remediated by creating an encrypted replacement and migrating the data.
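
As an added example (not part of the original article), the following PowerShell audits the three storage items above with the AWS Tools for PowerShell: it enables EBS encryption by default in every Region (2.2.2.1), lists WorkSpaces whose root or user volume is unencrypted (End User Compute Benchmark 2.2.3), and lists unencrypted EFS file systems (2.2.4.1). The function names and the default Region parameter are mine; the EBS change runs in report-only mode until -WhatIf is dropped.

```powershell
# Added example (not from the original article): encryption-at-rest audit for the
# storage recommendations the article calls out.
#Requires -Modules AWS.Tools.EC2, AWS.Tools.WorkSpaces, AWS.Tools.ElasticFileSystem

function Set-EbsDefaultEncryptionAllRegions {
    # CIS AWS Foundations 2.2.2.1: EBS encryption-by-default is a per-Region account
    # setting, so it has to be enabled in every Region enabled for the account.
    # Pass -WhatIf to report without changing anything.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($r in (Get-EC2Region).RegionName) {
        $enabled = Get-EC2EbsEncryptionByDefault -Region $r
        if (-not $enabled -and $PSCmdlet.ShouldProcess($r, 'Enable EBS encryption by default')) {
            Enable-EC2EbsEncryptionByDefault -Region $r | Out-Null
        }
        [pscustomobject]@{ Region = $r; EbsEncryptionByDefault = [bool]$enabled }
    }
}

function Get-UnencryptedWorkSpaces {
    # EUC Benchmark 2.2.3: both the root (C:) and user (D:) volumes must be encrypted.
    # Encryption is fixed at launch, so a WorkSpace listed here cannot be fixed in
    # place; it has to be recreated with encryption enabled.
    param([string] $Region = 'us-east-1')   # assumption: set to the Region of your directory
    Get-WKSWorkspace -Region $Region |
        Where-Object { -not ($_.RootVolumeEncryptionEnabled -and $_.UserVolumeEncryptionEnabled) } |
        Select-Object WorkspaceId, UserName, RootVolumeEncryptionEnabled,
                      UserVolumeEncryptionEnabled, VolumeEncryptionKey
}

function Get-UnencryptedEfsFileSystems {
    # CIS AWS Foundations 2.2.4.1: encryption at rest is fixed at creation time, so an
    # unencrypted file system must be replaced and its data migrated.
    param([string] $Region = 'us-east-1')   # assumption: set to your Region
    Get-EFSFileSystem -Region $Region |
        Where-Object { -not $_.Encrypted } |
        Select-Object FileSystemId, Name, Encrypted, KmsKeyId
}

# Report-only pass; remove -WhatIf to enable EBS default encryption where it is off.
Set-EbsDefaultEncryptionAllRegions -WhatIf | Format-Table
Get-UnencryptedWorkSpaces | Format-Table
Get-UnencryptedEfsFileSystems | Format-Table
```

Enabling EBS encryption by default does not touch existing volumes; it only applies to volumes created afterwards, which is why the WorkSpaces and EFS checks are reported separately rather than inferred from the account setting.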

Logging

These recommendations focus on configuring AWS logging features such as AWS CloudTrail. It is generally safe to apply the recommendations listed in this section.

Monitoring

These recommendations focus on configuring AWS to assist with monitoring and responding to account activities.
The metric filter recommendations in this section depend on the Logging recommendations 'Ensure CloudTrail is enabled in all regions' and 'Ensure CloudTrail trails are integrated with CloudWatch Logs'.
It is generally safe to apply the recommendations listed in this section.

Networking

This section contains recommendations for configuring security-related aspects of Amazon Virtual Private Cloud (VPC). It is generally safe to apply the recommendations listed in this section.

AWS End User Compute Services Benchmark (v1.0.0)

This Benchmark provides prescriptive guidance for configuring security options for the services in the End User Computing category in AWS and is intended to be used together with the CIS Amazon Web Services Foundations Benchmark.
It is recommended to apply the recommendations in this Benchmark. Its WorkSpaces volume encryption recommendation (2.2.3) is referenced above under Storage.

Microsoft Windows Server 2016, 2019 & 2022 Benchmark (v2.0.0)

This benchmark provides prescriptive guidance for configuring security options for Microsoft Windows Server 2016, 2019, and 2022, with an emphasis on foundational, testable, and architecture agnostic settings.
Note about CIS Benchmarks for this section
AWS provided images of Microsoft Windows operating systems for Amazon WorkSpaces are built using Windows Server 2016, 2019, and 2022 with a Windows 10 user experience. For these images, the CIS benchmarks for the appropriate Windows Server operating system should be applied. These CIS benchmarks are referenced in the sections below.

Account Policies

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Local Policies

Ensure that the user rights assignments documented in the CIS guide are compatible with your desktop applications and functionality.
2.2.4.6 Ensure 'Shut down the system' is set to 'Administrators'
AWS-provided WorkSpaces images run a Windows Server operating system with a Windows 10 user experience, and end users are normally not local administrators. Applying the CIS value therefore removes their ability to shut down or restart the WorkSpace from within Windows (both actions are governed by this one user right); they can still restart it from the WorkSpaces client, and an administrator can reboot it from the console. Decide whether that restriction meets the needs and requirements of your organization before applying it.
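
As an added example (not part of the original article), the following PowerShell shows which principals currently hold 'Shut down the system' (the SeShutdownPrivilege user right) on the image, and how to set it either to the CIS value or to a relaxed value that keeps end-user restart working. It uses secedit, which is present on every supported Windows build; the function names and temporary file names are mine. Run it elevated on the image-builder WorkSpace.

```powershell
# Added example (not from the original article): inspect and set the
# 'Shut down the system' user right (SeShutdownPrivilege) via secedit.

function Get-ShutdownRightHolders {
    # secedit exports local policy as an INI file; the line of interest looks like
    #   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551   (example format only)
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # right assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }                        # unresolvable SID (e.g. deleted account): keep raw
    }
}

function Set-ShutdownRight {
    # Applies an INF containing only this privilege. Well-known SIDs:
    # S-1-5-32-544 = Administrators, S-1-5-32-545 = Users.
    param([string[]] $Sids = @('S-1-5-32-544'))
    $inf   = Join-Path $env:TEMP 'shutdown-right.inf'
    $db    = Join-Path $env:TEMP 'shutdown-right.sdb'
    $value = ($Sids | ForEach-Object { "*$_" }) -join ','
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
}

# Record the current holders before changing anything (build evidence).
Get-ShutdownRightHolders

# CIS 2.2.4.6 value: Administrators only.
# Set-ShutdownRight -Sids 'S-1-5-32-544'
# Relaxed value for images where non-admin users must restart from within Windows.
# Set-ShutdownRight -Sids 'S-1-5-32-544','S-1-5-32-545'
```

Whichever value you choose, capture the output of Get-ShutdownRightHolders after applying it; that is the evidence a manual assessment of this recommendation asks for.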

Event Log

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Restricted Groups

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

System Services

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Registry

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

File System

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wired Network (IEEE 802.3) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Windows Defender Firewall with Advanced Security

This section contains recommendations for configuring the Windows Firewall.
Note: In older versions of Microsoft Windows, this section was named Windows Firewall with Advanced Security; it was renamed Windows Defender Firewall with Advanced Security starting with Windows 10 version 1709 and Windows Server 2019.
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall so that WorkSpaces can function properly.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
See IP address and port requirements for WorkSpaces for ports and protocol requirements.
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)

Network List Manager Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wireless Network (IEEE 802.11) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Public Key Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Software Restriction Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Network Access Protection NAP Client Configuration

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Application Control Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

IP Security Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Advanced Audit Policy Configuration

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (Computer)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (User)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Microsoft Windows 10 (v2.0.0)

This benchmark provides prescriptive guidance for configuring security options for Microsoft Windows 10, which is used with WorkSpaces through Bring Your Own License (BYOL) images, with an emphasis on foundational, testable, and architecture agnostic settings.

Account Policies

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Local Policies

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Event Log

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Restricted Groups

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

System Services

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Registry

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

File System

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wired Network (IEEE 802.3) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Windows Defender Firewall with Advanced Security

This section contains recommendations for configuring the Windows Firewall.
Note: In older versions of Microsoft Windows, this section was named Windows Firewall with Advanced Security; it was renamed Windows Defender Firewall with Advanced Security starting with Windows 10 version 1709 and Windows Server 2019.
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
See IP address and port requirements for WorkSpaces for ports and protocol requirements.
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)

Network List Manager Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wireless Network (IEEE 802.11) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Public Key Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Software Restriction Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Network Access Protection NAP Client Configuration

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Application Control Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

IP Security Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Advanced Audit Policy Configuration

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (Computer)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (User)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Microsoft Windows 11 (v2.0.0)

This benchmark provides prescriptive guidance for configuring security options for Microsoft Windows 11, which is used with WorkSpaces through Bring Your Own License (BYOL) images, with an emphasis on foundational, testable, and architecture agnostic settings.

Account Policies

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Local Policies

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Event Log

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Restricted Groups

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

System Services

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Registry

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

File System

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wired Network (IEEE 802.3) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Windows Defender Firewall with Advanced Security

This section contains recommendations for configuring the Windows Firewall.
Note: In older versions of Microsoft Windows, this section was named Windows Firewall with Advanced Security; it was renamed Windows Defender Firewall with Advanced Security starting with Windows 10 version 1709 and Windows Server 2019.
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
See IP address and port requirements for WorkSpaces for ports and protocol requirements.
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
9.3.3 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
The recommendation should be followed with the following inbound rules added to the Windows Firewall Allow list.
  • TCP / UDP 4172 (PCoIP)
  • TCP / UDP 4195 (WSP)
  • TCP / UDP 8200
  • TCP 4489 (Web client)
  • TCP 8201-8250 (Amazon DCV)
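
The Windows Defender Firewall guidance is identical for the Windows Server, Windows 10 and Windows 11 sections above, so one added example (not part of the original article) serves all three: it sets the default inbound action to Block on the Domain, Private and Public profiles as 9.1.2, 9.2.2 and the Public inbound recommendation require, creates the allow rules for exactly the ports listed in this article, and then produces a pass/fail table for build evidence. The rule names, the rule group and the optional -RemoteAddress parameter are mine; the port list is the article's, and should be confirmed against the current WorkSpaces port requirements before the image is captured. Run it elevated on the image-builder WorkSpace.

```powershell
# Added example (not from the original article): CIS default-inbound-Block on all
# profiles plus the inbound rules WorkSpaces needs, with a verification report.

$WorkSpacesInbound = @(
    @{ Name = 'WorkSpaces PCoIP (TCP 4172)';      Protocol = 'TCP'; Port = '4172' },
    @{ Name = 'WorkSpaces PCoIP (UDP 4172)';      Protocol = 'UDP'; Port = '4172' },
    @{ Name = 'WorkSpaces WSP/DCV (TCP 4195)';    Protocol = 'TCP'; Port = '4195' },
    @{ Name = 'WorkSpaces WSP/DCV (UDP 4195)';    Protocol = 'UDP'; Port = '4195' },
    @{ Name = 'WorkSpaces 8200 (TCP)';            Protocol = 'TCP'; Port = '8200' },
    @{ Name = 'WorkSpaces 8200 (UDP)';            Protocol = 'UDP'; Port = '8200' },
    @{ Name = 'WorkSpaces web client (TCP 4489)'; Protocol = 'TCP'; Port = '4489' },
    @{ Name = 'WorkSpaces DCV (TCP 8201-8250)';   Protocol = 'TCP'; Port = '8201-8250' }
)

function Set-WorkSpacesFirewallBaseline {
    param(
        # Optional remote scope (e.g. the WorkSpaces management network ranges for your
        # Region). 'Any' reproduces the article's plain allow list.
        [string[]] $RemoteAddress = 'Any'
    )
    # CIS: firewall on and inbound connections blocked by default on every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    foreach ($r in $WorkSpacesInbound) {
        # Re-create each rule from the list so repeated runs converge on the same state.
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.Name -Group 'Amazon WorkSpaces' `
            -Direction Inbound -Action Allow -Profile Any `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteAddress | Out-Null
    }
}

function Test-WorkSpacesFirewallBaseline {
    # One row per profile and one per required rule; Passed = $false anywhere means
    # the image is not in the expected state.
    foreach ($p in Get-NetFirewallProfile -Name Domain,Private,Public) {
        [pscustomobject]@{
            Item   = "Profile $($p.Name)"
            Value  = "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
            Passed = ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block')
        }
    }
    foreach ($r in $WorkSpacesInbound) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if ($rule) {
            $port  = "$(($rule | Get-NetFirewallPortFilter).LocalPort)"
            $value = "$($rule.Enabled)/$($rule.Action) $($r.Protocol) $port"
            $pass  = ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow' -and $port -eq $r.Port)
        } else {
            $value = 'missing'
            $pass  = $false
        }
        [pscustomobject]@{ Item = $r.Name; Value = $value; Passed = $pass }
    }
}

Set-WorkSpacesFirewallBaseline
Test-WorkSpacesFirewallBaseline | Format-Table -AutoSize
```

Applying the profile change before the allow rules is deliberate: a session that is already streaming stays up while the rules are created, but a new connection attempt in that window would be refused, so run the whole block in one pass rather than step by step from the console of the WorkSpace you are hardening.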

Network List Manager Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Wireless Network (IEEE 802.11) Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Public Key Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Software Restriction Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Network Access Protection NAP Client Configuration

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Application Control Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

IP Security Policies

This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.

Advanced Audit Policy Configuration

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (Computer)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Administrative Templates (User)

Policies in this section can generally be applied following the CIS guidelines. Additional policies specific to your organization should be applied and tested to ensure compatibility.

Assessing and Maintaining CIS Benchmark Compliance

Assessing Status (Automated vs. Manual)

All CIS Benchmark recommendations include an assessment status. The status is set to Manual or Automated and represents whether a CIS Benchmark recommendation can evaluate a system’s state with an automated check or requires manual investigation.

Manual

Requires manual steps to determine whether a system’s configured state is as expected. A pass/fail assessment result cannot be automatically achieved.

Automated

System’s state can be automatically evaluated against the recommended state with a configuration assessment tool such as CIS-CAT Pro Assessor. A pass/fail assessment result can be automatically achieved.
It is recommended that administrators automate as much as possible. However, if the recommendation cannot be fully automated the status is left as “Manual”.

Contributors

  • Robert Fountain
  • David Ryder
  • Don Scott
  • Michael Lamanna
  • Michael Mattes
  • Nicholas Czabaranek
  • Puria Djafari
  • Roger LaMarca
  • Roy Tokeshi

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
