amazon-archives/aws-security-benchmark

Is this project still being maintained?

bwhaley opened this issue · 13 comments

Thanks for all the hard work to contribute this to the community! Unfortunately, it seems like the project may be abandoned. There haven't been any commits since 097ddf7 in April 2018 and there are a bunch of outstanding issues and PRs. I've just submitted a couple more. Do the original authors care to comment on the status of the project? If it is abandoned, I'll consider forking it and maintaining the fork going forward.

It looks like they stopped maintaining it because Security Hub went GA. However, Security Hub is not available in GovCloud so GovCloud users are SOL. I was just trying to get this working earlier today.

@taps04 If you're interested in v1.2.0, try kicking the tires on #90 which I just submitted.

@bwhaley I was mistaken, this is the project that was scrapped due to Security Hub going GA: https://github.com/aws-quickstart/quickstart-compliance-cis-benchmark. However, it looks like aws-security-benchmark may have also been scrapped. Presumably for the same reason. I've not given #90 a spin yet.

Interesting. The "architecture" section of this project has some overlap with the Security Hub and the quickstart. AFAICT though there is nothing that does what the python checker script does, e.g. run through an account and report the status of each requirement.

That's what Config and Config Rules will do. I think they essentially replace the python checker script. With Config Rules you can trigger a Lambda function to bring the resource back in compliance if it drifts out of compliance.

True, but they don't have as much coverage as the python script does. Quite a few of the requirements are missing. Also, in some cases it's useful to just report on compliance and not fix configuration drift.

Actually, taking a closer look at the Security Hub, the majority of requirements are in fact covered, and some of those that are missing are manual checks anyway. So the Security Hub can do the checks AND optionally remediate them. Is there still value in maintaining the script?

I was doing the crosswalk and was going to say I thought they were probably pretty similar. If you're in a commercial region where Security Hub is available I would recommend using that. The script pre-dates Security Hub.

Although Security Hub may perform the same checks, AWS Config Rules can quickly become a cost concern for some organizations. It seems some of the checks can be performed in Python without using Config at all, potentially saving cost. Is this valid? If so, it could be a reason to continue the goodness via forking.

Config Rules and the Security Hub compliance checks powered by them are much less expensive now than they were a few months ago. Config Rules has a new pricing plan and the pricing for Security Hub compliance checks mirrors that new pricing. We see CIS checks costing customers a dollar or two per account per region per month on average.

In general, our (AWS) focus is on building out compliance checks in Security Hub as service-linked Config Rules. We would recommend using that managed service. We are continuously improving the rules there.

@ely-aws can you comment on the plans for this repo/tooling going forward?

No current plans to maintain it that I know of... our focus is on Security Hub.