How CIS® Ensures Security Throughout the CIS Hardened Images® Build Process

The CIS Cloud team operates under a standard procedure of separation of duties to limit security risk. As part of that separation, no single person performs both quality assurance and publishing for the same product in a given month.

While a CIS Hardened Image is being built, access to the build machine is locked down to reduce the risk of outside interference during the window in which the machine is up and running. These machines are ephemeral and are retained only for a very limited time. Once their part in the build cycle is complete, the machines are deallocated, generalized, sysprepped (for Windows images), and so on. These steps render the machines inaccessible, so their state can no longer be altered.

The CIS Cloud products are reviewed for quality assurance with each monthly product release. This review includes checking for leftover keys, directories that present a security risk, and similar artifacts. The output is retained internally as a historical record in case a future review is necessary. For more information, please see our blog post "Shared Responsibility for Cloud Security: What You Need to Know."

Once the images are approved and published in the Cloud Service Provider (CSP) marketplace, CIS cannot alter them. After submission, responsibility for the images passes to the CSP that hosts them and, upon purchase, to the end user, who must keep deployed instances current with security patches, newly published Common Vulnerabilities and Exposures (CVE) entries, and so on.

In addition to sanitized build environments for production images, CIS adheres to security best practices across CSP platforms to further protect build integrity. These practices include strict attention to, and routine review of, Virtual Private Cloud (VPC) segregation, security group audits, and the use of strong credentials that are rotated on a regular schedule. No single entity controls the internal network topology, all changes are logged, and every source of truth is maintained in a version-controlled environment.