Government agencies face increasing challenges in securing their cloud workloads while maintaining compliance with federal regulations. As organizations migrate workloads to Amazon Web Services (AWS), securing operating systems helps protect sensitive data and maintain compliance. A 2024 SentinelOne Cloud Security Statistics report indicates that cloud misconfigurations cause 23 percent of cloud security incidents, while 27 percent of organizations have experienced inadvertent access in their public cloud infrastructure. And approximately 82 percent of cloud misconfigurations stem from human error rather than software issues, highlighting the need for automated security solutions.

This post shows how to enhance government workload security using CIS Hardened Images® available in AWS Marketplace. You’ll learn how to deploy preconfigured Amazon Machine Images (AMIs), integrate with AWS security services, and maintain compliance in AWS GovCloud (US).

Customer challenges and solution

Government agencies operate under numerous regulations and frameworks that ensure responsible, secure functioning. They need to maintain consistent security configurations across their infrastructure while automating security implementations to minimize human error that could create security gaps. They must also comply with requirements from organizations like the Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST), Federal Information Security Management Act (FISMA), and International Standards Organization and International Electrotechnical Commission (ISO/IEC) 27001.

AWS Marketplace offers CIS Hardened Images, developed by the Center for Internet Security® (CIS®), an independent software vendor (ISV) and AWS Partner. CIS has achieved the AWS Government Competency, validating their deep expertise in delivering security solutions for government workloads. These preconfigured AMIs provide automated security configurations aligned with CIS Benchmarks® and industry best practices.

Through AWS Marketplace, organizations can quickly acquire and deploy CIS Hardened Images. The procurement process includes flexible pricing options and deployment capabilities that work seamlessly with AWS services. Organizations benefit from consolidated billing through their AWS account, along with automated updates and patch management. Users also get direct access to comprehensive vendor support and documentation to assist with implementation and maintenance.

CIS Hardened Images help organizations meet FedRAMP, NIST, FISMA, and ISO/IEC 27001 compliance requirements by integrating these security controls directly into their AWS infrastructure. Unlike standard operating system configurations that need manual hardening and patching, CIS Hardened Images provide automated, standardized security controls.

These preconfigured AMIs with enhanced security features are available in AWS Marketplace for government customers using AWS GovCloud (US).

CIS Hardened Images integrate with AWS Config and AWS Security Hub to create comprehensive security coverage. Through AWS Config integration, organizations can automatically monitor configuration changes and track compliance with security policies. The integration enables automated remediation of drift and provides continuous assessment reports. When combined with AWS Security Hub, organizations can centralize security findings across accounts and aggregate compliance status. This integration enables automated response actions and streamlines security operations. While CIS Hardened Images establish security controls at launch, AWS Config and AWS Security Hub provide continual monitoring and automated remediation.

Implementation steps

To enhance government workload security by implementing CIS Hardened Images, complete the steps in the following sections.


Figure 1: Workflow diagram showing CIS Hardened Images implementation steps with AWS Marketplace

To subscribe to the image, follow these steps:

  1. Navigate to the CIS Hardened Images listing in AWS Marketplace and choose an operating system. You can choose from several options, including CIS Amazon Linux 2.
  2. Select the subscription model.
  3. Review pricing and the End User Licensing Agreement (EULA), then choose Accept Terms and Continue to Configuration.

Figure 2: AWS Marketplace Subscription interface highlighting a clear subscription prompt.

To configure and launch the instance, follow these steps:

  1. Select your Region, Amazon Elastic Compute Cloud (Amazon EC2) instance type, and AMI version.
  2. Choose Continue to Launch, then choose Launch through Amazon EC2.
  3. In the Amazon EC2 launch wizard, configure:
    1. Instance type.
    2. Network or subnet.
    3. AWS Identity and Access Management (IAM).
    4. Encrypted storage.
    5. Security groups.
  4. Add relevant tags, then launch using your SSH key pair.
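
The launch settings in step 3 can also be checked in automation before an instance is created. The following is an added example, not code from this post or from CIS: it validates a request in the shape that the boto3 `run_instances` call accepts. The function name, the required tag keys, and every resource ID are assumptions or constructed placeholders.

```python
# Added example: pre-launch check for an EC2 RunInstances request (boto3 parameter shape).
# All values in SAMPLE_REQUEST are constructed placeholders, not real resource IDs.

REQUIRED_TAGS = {"Owner", "Environment"}  # assumed tagging policy, adjust to yours


def check_launch_request(req, required_tags=REQUIRED_TAGS):
    """Return a list of findings; an empty list means every launch item is covered."""
    findings = []
    for key, label in (("ImageId", "AMI"), ("InstanceType", "instance type"),
                       ("SubnetId", "subnet"), ("KeyName", "SSH key pair")):
        if not req.get(key):
            findings.append(f"missing {label} ({key})")

    profile = req.get("IamInstanceProfile") or {}
    if not (profile.get("Name") or profile.get("Arn")):
        findings.append("no IAM instance profile attached")

    if not req.get("SecurityGroupIds"):
        findings.append("no security group specified (default group would apply)")

    mappings = req.get("BlockDeviceMappings") or []
    if not mappings:
        findings.append("no block device mapping; encryption left to AMI/account defaults")
    for m in mappings:
        ebs = m.get("Ebs")
        if ebs is not None and ebs.get("Encrypted") is not True:
            findings.append(f"volume {m.get('DeviceName', '?')} is not encrypted")

    tags = {t["Key"] for spec in req.get("TagSpecifications") or []
            if spec.get("ResourceType") == "instance" for t in spec.get("Tags", [])}
    for missing in sorted(set(required_tags) - tags):
        findings.append(f"missing tag {missing}")
    return findings


SAMPLE_REQUEST = {  # constructed input
    "ImageId": "ami-EXAMPLE", "InstanceType": "t3.medium",
    "SubnetId": "subnet-EXAMPLE", "KeyName": "example-key",
    "MinCount": 1, "MaxCount": 1,
    "IamInstanceProfile": {"Name": "example-instance-profile"},
    "SecurityGroupIds": ["sg-EXAMPLE"],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"Encrypted": True, "VolumeType": "gp3"}}],
    "TagSpecifications": [{"ResourceType": "instance",
                           "Tags": [{"Key": "Owner", "Value": "secops"},
                                    {"Key": "Environment", "Value": "prod"}]}],
}

if __name__ == "__main__":
    print(check_launch_request(SAMPLE_REQUEST) or "launch request passes all checks")
```

A request that returns no findings can be passed unchanged to `run_instances`; one with findings should be rejected by the pipeline before launch.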

After deployment, complete the following setup:

  1. Connect to the instance by using SSH.
  2. Change default passwords and disable unused accounts.
  3. Enable Amazon CloudWatch (or another logging solution).
  4. Apply regular updates according to your patch management policies.

Pricing and deployment options

AWS Marketplace offers CIS Hardened Images with pay-as-you-go pricing, annual subscriptions, and custom licensing for enterprise deployments. Additional AWS infrastructure costs apply based on your AWS service usage.

Each CIS Hardened Image includes a conformance assessment report showing adherence to the CIS Benchmark and receives monthly updates to prevent configuration drift. These images focus on security, offering a standardized approach that reduces misconfigurations and simplifies federal security standard compliance.

Supporting government agency cloud security

CIS works with over 18,000 U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. As an AWS Government Competency Partner, CIS demonstrates technical proficiency and proven customer success in delivering specialized solutions for government workloads. Through the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), CIS facilitates information sharing to enhance cloud security capabilities across the public sector.

Government agencies can access and deploy CIS Hardened Images directly in AWS Marketplace. The automated configurations help provide consistent security controls and reduce manual configuration errors while meeting government security requirements.

Cleanup

Please follow the instructions provided here to cancel your AMI subscription.

Conclusion

This post shows how to enhance government workload security using CIS Hardened Images available in AWS Marketplace. It demonstrates how agencies can deploy preconfigured AMIs to automate security configurations, reduce misconfigurations, and meet federal compliance requirements. Through AWS Marketplace, agencies can quickly implement these security controls while benefiting from streamlined procurement, integrated billing, and continual security updates.

Next steps

To learn more about CIS Hardened Images:

About AWS Marketplace: AWS Marketplace is a digital catalog of third-party software, services, and data that makes it easy to find, buy, deploy, and manage software on AWS. Visit AWS Marketplace to learn more.

About CIS: The Center for Internet Security® (CIS®) makes the connected world a safer place for public and private organizations. CIS is a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks®, globally recognized best practices for securing IT systems and data.

About Authors

AWS Author

Dhanya Kurup

Dhanya Kurup is a partner solutions architect at AWS based in New York. She specializes in helping ISVs architect and scale their solutions on AWS. With over a decade of experience in programming, technical consulting, and product management, Dhanya brings a mix of technical expertise and strategic insight to drive partner success in the cloud ecosystem.

CIS Author

Jasmine Olson

Jasmine Olson is the global AWS Marketplace manager at the Center for Internet Security (CIS), where she leads marketplace strategy to expand access to essential cybersecurity tools. With over 7 years of experience in strategic partnerships and cloud alliances, Jasmine brings a unique blend of behavioral insight and technical expertise.
