3. Goals of this presentation
▷Introduction
▷Quick overview of CIS
▷Quick overview of security and AWS
▷Pass on some lessons learned
▷Provide some CLI examples
▷Save you some time and pain
▷Recommendations based on these
4. So why write your own tool?
Besides CLI Naming inconsistencies…
5. Besides being a good way to
learn AWS Security…
▷I didn’t want to have to go to the web
interface or a document every time I wanted
to do a security review
▷AWS has Trusted Advisor, but charges for
more than basic checks
▷Although the CLI has quite good help, the
naming and use of tags and switches is
frustratingly inconsistent
▷No source (including me) is perfect, so more
than one source of verification is good
6. I already had a Security
Auditing tool of my own… [1]
▷Supported a number of UNIX OS,
including Amazon Linux
▷Used the CIS Benchmarks already
▷Was free (apart from my time) and
required minimal additional software
▷Had a number of people using it, so
would get some additional testing
▷I could add additional tests as I
discovered new security
recommendations and tips
[1] https://github.com/lateralblast/lunar
8. It’s good to have a common
point of reference as a start…
▷Used by a lot of people and places as a
basis for their own security processes
▷Has a long track record
▷Well trusted, and has industry support
▷Mentioned on AWS Security Blog [1]
▷Semi-regularly updated
▷Has explanation and implementation
notes as well as the standard checkbox
▷Has GUI and CLI remediation steps
[1] https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
9. But it’s only a start…
▷It’s not perfect (e.g. typos in remediation)
▷Not everything is going to be applicable to
your organisation / application
▷You’ll have your own processes on top of it
▷Sometimes lags with updates
▷It’s always good to have more than one
source of verification, especially for security
▷It’s a paper document, needs to be
automated to reduce work and human error
11. What is old is new again…
Traditional:
Security in layers
Network, Application, OS, Users, etc.
Least access / privilege by default
Restrict access to privileged accounts
Monitor usage of privileged accounts
Use Multifactor Authentication
Enable password complexity
Enable password / credential rotation
Create roles and add users to them
Enable and manage logging
Generate alerts
Encrypt at rest and in transit
AWS:
Security in layers
Network, Application, OS, Users, etc.
Least access / privilege by default
Restrict access to “root” account
Monitor use of IAM
Use Multifactor Authentication
Enable password complexity
Enable password / credential rotation
Create roles and add users to them
Enable and manage logging
Generate alerts
Encrypt at rest and in transit
12. AWS CLI Security Auditing
An Engineer's attempt to audit via the CLI…
13. What does this involve?
▷An overview of key areas:
▷IAM (Users, Groups, Roles, Policies, MFA)
▷Monitoring (Logging, Metrics, Alerting)
▷Encryption (at rest and in flight)
▷Networking (VPCs and Security Groups)
▷Some CLI examples of how to get and set
security parameters where appropriate
15. Avoid use of the “root” account
▷Attach IAM policies to groups and roles and
use them to delegate responsibility to
management accounts [1]
▷Minimise use of “root” account to those
functions that require it, e.g. requesting a
penetration test or creating a CloudFront
private key
[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
16. IAM Account Security (MFAs etc.)
▷Ensure MFA is enabled for “root” account
▷Ensure MFA is enabled for other IAM
users
▷Consider hardware MFA for “root” account
▷Use MFA devices where applicable and
lock the device away in the case of the
root user
▷Delegate management of MFA devices [1]
▷Hardware, Virtual and SMS based MFA [2]
[1] https://aws.amazon.com/blogs/security/how-to-delegate-management-of-multi-factor-authentication-to-aws-iam-users/
[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
17. Checking MFAs
$ aws iam generate-credential-report
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task"
}
$ aws iam get-credential-report --query 'Content' --output text |base64 -D   # macOS base64; use -d with GNU base64
|cut -d, -f1,4,8
user,password_enabled,mfa_active
<root_account>,not_supported,true
spindler,false,false
$ aws iam list-virtual-mfa-devices --query "VirtualMFADevices"
[
{
"SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleMFADevice"
}
]
$ aws iam get-account-summary | grep "AccountMFAEnabled"
"AccountMFAEnabled": 1,
18. Managing Credentials
▷Manage Access and Secret keys used for
programmatic access via SDK and HTTP [1]
▷Ensure credentials unused for 90 days or
greater are removed
▷Ensure keys are rotated every 90 days or
less
▷Done manually, or better programmatically
▷Only create keys for users that need them,
and do not have keys for “root” account [2]
[1] http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
[2] http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
19. Checking Credentials
$ aws iam generate-credential-report
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task"
}
$ aws iam get-credential-report --query 'Content' --output text |base64 -D   # macOS base64; use -d with GNU base64
|cut -d, -f1,4,9,11,14,16 |grep -v '<root_account>'
user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
spindler,false,true,2017-01-22T00:11:00+00:00,false,N/A
$ aws iam list-access-keys --user-name spindler --query
"AccessKeyMetadata[].{AccessKeyId:AccessKeyId, Status:Status}"
[
{
"Status": "Active",
"AccessKeyId": "AKIAISKTDTHXSGFO5ZFQ"
}
]
$ aws iam delete-access-key --access-key-id AKIAISKTDTHXSGFO5ZFQ --user-name spindler
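An added example (not code from the presentation or from lunar) that applies the MFA check from slide 17 and the 90-day key checks from slide 19 to a decoded credential report in Python. The report text, user names, dates and the "today" clock are constructed for the example; feed it the output of the get-credential-report pipeline above to run it against a real account.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the decoded credential report, trimmed to the columns the
# check reads; DictReader keys by column name, so the full report works unchanged.
# The users, dates and clock below are made up for the example.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,true,true,true,2017-02-01T00:00:00+00:00,2017-04-21T08:00:00+00:00,false,N/A,N/A
bob,true,false,true,2016-06-01T00:00:00+00:00,2017-01-10T00:11:00+00:00,true,2016-06-01T00:00:00+00:00,N/A
"""
SAMPLE_NOW = datetime(2017, 4, 22, tzinfo=timezone.utc)

def _older_than(stamp, now, days):
    """True when an ISO-8601 report timestamp lies more than `days` before `now`."""
    return datetime.fromisoformat(stamp) < now - timedelta(days=days)

def audit_credential_report(report_csv, now, max_age_days=90):
    """Return (user, finding) pairs for missing MFA and stale or unrotated access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # password_enabled reads "not_supported" for root, so test its MFA directly.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive key, or the slot is empty
            rotated = row[f"access_key_{n}_last_rotated"]
            used = row[f"access_key_{n}_last_used_date"]
            # A key that has never been used is aged from its creation/rotation date.
            last_activity = rotated if used == "N/A" else used
            if _older_than(last_activity, now, max_age_days):
                findings.append((user, f"access key {n} unused for {max_age_days}+ days"))
            if _older_than(rotated, now, max_age_days):
                findings.append((user, f"access key {n} not rotated in {max_age_days} days"))
    return findings

def sample_findings():
    """Run the audit over the constructed report with the constructed clock."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)
```

On the sample, alice passes and bob is reported for a console password without MFA and for two keys that are both stale and unrotated.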
20. IAM Password Policies
▷At least one uppercase letter
▷At least one lowercase letter
▷At least one symbol
▷At least one number
▷Minimum length of 14
▷Prevent password reuse
▷Expires within 90 days
21. Getting and Setting Password Policies
$ aws iam get-account-password-policy
{
"PasswordPolicy": {
"AllowUsersToChangePassword": true,
"RequireLowercaseCharacters": true,
"RequireUppercaseCharacters": true,
"MinimumPasswordLength": 14,
"RequireNumbers": true,
"RequireSymbols": true,
"ExpirePasswords": true
}
}
(update-account-password-policy replaces the whole policy and any option you leave out reverts to its default, so set everything in one call)
$ aws iam update-account-password-policy --require-uppercase-characters \
  --require-lowercase-characters --require-symbols --require-numbers \
  --minimum-password-length 14 --password-reuse-prevention 24 \
  --max-password-age 90
22. IAM Policies
▷Ensure IAM policies are attached only to
groups or roles [1] [2]
▷Ensure IAM Master and Manager roles are
active (like RBAC, use with EC2 and
Lambda)
▷Ensure IAM instance roles are used for AWS
resource access for instances [3][4]
▷Ensure there are no policies that allow full
“*:*” administrative privileges
[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
[3] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
[4] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
23. IAM Policies
$ aws iam list-users --query 'Users[*].UserName' --output text
$ aws iam list-attached-user-policies --user-name <iam_user>
$ aws iam list-user-policies --user-name <iam_user>
$ aws iam list-policies --output text |awk '{print $2","$5}'
|grep -v "arn:aws:iam::aws:policy"
arn:aws:iam::XXXXXXXXXXXX:policy/cloudformationcreatestack,v2
arn:aws:iam::XXXXXXXXXXXX:policy/IAM-Manager,v1
$ aws iam get-policy-version --policy-arn <arn> --version-id <version>
--query "PolicyVersion.Document.Statement[?Effect == 'Allow' &&
contains(Resource, '*') && contains(Action, '*')]"
$ aws iam list-entities-for-policy --policy-arn <arn>
$ aws iam detach-role-policy --role-name <role> --policy-arn <arn>
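An added example (not from the presentation or from lunar) of the full-admin check on slide 22 done over policy documents in Python rather than with the JMESPath query above. IAM lets Statement, Action and Resource be a single value or a list, and a substring test like contains() on a string value also matches "s3:*"; the function below handles the list/string forms and matches "*" exactly. The policy documents and ARNs are constructed.

```python
# Constructed policy documents in the shape `aws iam get-policy-version` returns under
# PolicyVersion.Document. IAM allows Statement, Action and Resource to be either a
# single value or a list, and the samples cover both forms.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}
S3_FULL_POLICY = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
DENY_ALL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
SAMPLE_POLICIES = [  # (arn, document) pairs; the account id and names are made up
    ("arn:aws:iam::123456789012:policy/constructed-admin", ADMIN_POLICY),
    ("arn:aws:iam::123456789012:policy/constructed-s3", S3_FULL_POLICY),
    ("arn:aws:iam::123456789012:policy/constructed-deny", DENY_ALL_POLICY),
]

def _as_list(value):
    """Normalise a single value or a list to a list (IAM accepts either)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(document):
    """True if any Allow statement lists Action "*" together with Resource "*"."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Exact "*" on both sides: "s3:*" is broad but not full admin, whereas a
        # substring test (JMESPath contains() on a string) would flag it too.
        # A Condition block does not exempt the statement from this check.
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def find_admin_policies(policies):
    """Return the ARNs of the (arn, document) pairs that grant full admin."""
    return [arn for arn, doc in policies if grants_full_admin(doc)]

if __name__ == "__main__":
    for arn in find_admin_policies(SAMPLE_POLICIES):
        print(arn)
```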
24. Interfacing with AWS Support
▷Consider enabling security questions for
AWS support calls
▷Maintain security and current contact details
▷Ensure a support role has been created to
manage incidents with AWS support
▷Support does not allow you to allow or deny
access to individual actions; a grant allows
access to all cases, so assign it
appropriately
27. Logging
▷Ensure CloudTrail is enabled in all regions
▷Ensure CloudTrail log file validation is
enabled
▷Ensure the S3 bucket CloudTrail logs to is
not publicly accessible
▷Ensure CloudTrail trails are integrated with
CloudWatch Logs
▷Ensure VPC flow logging is enabled in all
VPCs [1]
[1] http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
29. Log and Key Management
▷Ensure S3 bucket access logging is enabled
on the CloudTrail S3 bucket
▷Adjust log retention according to
requirements [1]
▷Ensure AWS Config is enabled in all regions
▷Consider encrypting CloudTrail logs at rest
using KMS and ensure keys are rotated [2]
[1] http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
53. Networking and Security Groups
▷Ensure SSH is not open to the world
▷Ensure RDP is not open to the world
▷Ensure the default security group of every
VPC restricts all traffic [1]
▷Ensure routing tables for VPC peering are
"least access" [2]
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
[2] http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html
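An added example (not from the presentation or from lunar) that evaluates the first three checks on this slide over the JSON that `aws ec2 describe-security-groups --query "SecurityGroups"` returns. It flags SSH and RDP reachable from 0.0.0.0/0 or ::/0, including rules with protocol "-1" (all traffic, no port fields) and wide port ranges that happen to include 22 or 3389, and lists default groups that still carry any ingress or egress rule. The group ids, names and rules are constructed.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups --query
# "SecurityGroups"`; group ids, names and rules are made up. Protocol "-1" means all
# traffic and carries no FromPort/ToPort, which is the case a naive port check misses.
WORLD = {"0.0.0.0/0", "::/0"}
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0003", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0004", "GroupName": "wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

def _world_cidrs(perm):
    """CIDRs in a rule that mean 'anywhere' (IPv4 and IPv6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def _covers_port(perm, port):
    """True if the rule reaches `port` over TCP, including the all-traffic rule."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def world_open_ports(groups, ports=(22, 3389)):
    """(GroupId, port, cidr) for every ingress rule exposing SSH or RDP to the world."""
    return [(sg["GroupId"], port, cidr)
            for sg in groups
            for perm in sg.get("IpPermissions", [])
            for cidr in _world_cidrs(perm)
            for port in ports if _covers_port(perm, port)]

def permissive_default_groups(groups):
    """Default groups with any ingress or egress rule; the CIS check wants both empty."""
    return [sg["GroupId"] for sg in groups if sg.get("GroupName") == "default"
            and (sg.get("IpPermissions") or sg.get("IpPermissionsEgress"))]
```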