If you manage cloud environments, you already know that security is non-negotiable, but it can slow everything down – especially when you’re spinning up new AWS accounts.
Every time you add a new account, there’s a long list of things to do: configure logs, enable GuardDuty, tweak IAM policies, block public S3 access… and so on. It’s tedious, time-consuming, and easy to get wrong.
So we built a better way! With XOAP, your AWS accounts can be CIS compliant the moment you connect them.
Why the CIS AWS benchmark matters
The CIS AWS Foundations Benchmark is a set of best practices designed to help secure AWS environments. It covers things like:
- Logging and monitoring
- Identity and access management
- Network protections
- Encryption settings
- Regional coverage
Following these guidelines helps reduce risk and improve your security posture. The problem? Actually applying all of this manually isn’t simple.
The problem with manual hardening
Here’s how it usually works:
- A new AWS account gets created.
- Someone (usually a DevOps or security engineer) goes through a checklist.
- They set up CloudTrail, enable Config, turn on GuardDuty, enforce MFA, etc.
- Repeat for every region and every new account.
This process is not only repetitive, but it also introduces inconsistencies, especially as your environment grows.
The fix: XOAP’s automated AWS CIS hardening
Instead of doing all that manually, XOAP lets you automate the entire process in just a few clicks. Here’s how it works:
1. Connect your AWS account
Head to your XOAP Workspace, go to Connections and add your AWS account. The setup only takes a few minutes.
2. Choose the CIS hardening script
Open Scripted Actions, click New, and select the Resource: aws-ps-account-hardening.ps1. It’s pre-built and ready to go.
3. Run now or schedule it
Run the action immediately or schedule it to run automatically at the desired time (your choice).
4. Done! Start using your hardened AWS account
That’s it. The script applies all CIS-aligned settings behind the scenes. No extra tools needed.
What XOAP configures for you
When you run the CIS hardening script, XOAP automatically configures:
- CloudTrail: Multi-region, KMS-encrypted, with log file validation
- AWS Config: Recording and delivery set up across your regions
- Security Hub: Enabled per region and subscribed to the CIS standard
- GuardDuty: Turned on and actively managed
- S3: Public access blocked; SSL-only enforced via bucket policies
- EBS/EC2: Default encryption enabled with your customer-managed keys
- VPC: Flow logs on; optional tightening of admin ports
- IAM: Strong password policy; optional MFA enforcement for console access
All of this happens automatically, in minutes.
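To spot-check several of the settings listed above after a run, the following added example (not XOAP's script or code) evaluates a snapshot of account settings and returns the controls that are missing. The function names, snapshot layout and sample values are assumptions; the field names follow the AWS API responses named in the comments, and the snapshot covers a single region.

```python
# Added example, not XOAP code. All sample values below are constructed.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def ssl_only(policy):
    """True if a bucket policy denies every S3 action for requests made without TLS."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        actions = st.get("Action")
        actions = [actions] if isinstance(actions, str) else actions or []
        if (st.get("Effect") == "Deny" and st.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("*", "s3:*") for a in actions)
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False

def audit(snap):
    """Return the sorted names of hardening controls missing from the snapshot."""
    trail_ok = any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
                   and t.get("KmsKeyId") for t in snap.get("trails", []))
    pab = snap.get("public_access_block", {})
    checks = {
        "cloudtrail": trail_ok,
        "s3_public_access_block": all(pab.get(k) is True for k in PAB_KEYS),
        "s3_ssl_only": all(ssl_only(p) for p in snap.get("bucket_policies", {}).values()),
        "ebs_default_encryption": snap.get("ebs_encryption_by_default") is True,
        "guardduty": bool(snap.get("guardduty_detectors")),
    }
    return sorted(name for name, ok in checks.items() if not ok)

DENY_HTTP = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED = {
    "trails": [{"IsMultiRegionTrail": True, "LogFileValidationEnabled": True,  # DescribeTrails
                "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE"}],
    "public_access_block": dict.fromkeys(PAB_KEYS, True),  # GetPublicAccessBlock (account)
    "bucket_policies": {"example-logs": DENY_HTTP},        # GetBucketPolicy, {} if none
    "ebs_encryption_by_default": True,                     # GetEbsEncryptionByDefault
    "guardduty_detectors": ["EXAMPLE-DETECTOR-ID"],        # ListDetectors
}
# Drift case: log file validation switched off, one bucket left without a policy.
DRIFTED = dict(HARDENED,
    trails=[dict(HARDENED["trails"][0], LogFileValidationEnabled=False)],
    bucket_policies={"example-logs": DENY_HTTP, "example-data": {}})

if __name__ == "__main__":
    print("hardened:", audit(HARDENED))
    print("drifted: ", audit(DRIFTED))
```

In a live account the snapshot would be filled from the corresponding read-only API calls in each enabled region, so the check can run on a schedule to catch drift after the initial hardening.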
Why this makes a difference
Cloud teams today are moving fast, and security can’t be an afterthought. With XOAP:
- New accounts are secured instantly – no lag, no risk.
- You get consistency at scale – the same secure setup across all environments.
- Compliance is easier – CIS-aligned settings are mapped and exportable.
- You don’t need to write scripts – we’ve already done that part.
Whether you’re managing a few accounts or hundreds, this saves time and reduces mistakes significantly.
Try it now
There’s no reason to spend hours manually securing every new AWS account. It’s repetitive and pulls your team away from more valuable work.
With XOAP, CIS hardening becomes automatic. The moment an account is connected, it’s configured with security best practices: no guesswork, no delays. You get consistent, reliable security at scale without slowing anything down.
It’s a straightforward fix to a real problem. If you’re managing cloud environments and care about getting security right from day one, this is how you do it.
This script is automatically available for all new XOAP accounts. If you’re an existing XOAP user, please contact us to get the script.