aws security audit Archives - Anuj Varma, Hands-On Technology Architect, Clean Air Activist
https://www.anujvarma.com/tag/aws-security-audit/

AWS Security Audit
https://www.anujvarma.com/aws-security-unsafe-practices/
Sun, 26 Jul 2020 14:26:36 +0000


Also read – Google Cloud Security Audit

Amazon Web Services leads the public cloud space with an ever-increasing list of service offerings. EC2, S3 and RDS are the known leaders, but AWS WorkSpaces, Lambda, Kinesis, EKS and Elasticsearch are also staking their claim within a crowded cloud computing space. As you adopt these PaaS services, as well as the traditional compute (IaaS) services, several items need to be part of your AWS security audit checklist. For example:

AWS Risk Factor – Exposed Root Accounts and Not Rotating IAM Access Keys

  • Administrators often forget to disable root API access.
  • IAM access keys are often not rotated (access keys provide API-based access to all AWS resources, including account logins).

Solution

  • Never share root access credentials across users and applications.
  • Root accounts absolutely must be protected by multi-factor authentication and used as sparingly as possible.
  • Rotate or change your access keys at least once every 90 days
  • One of the best ways to protect your account is to not have an access key for your AWS account root user.
  • Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys
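The root-key and key-rotation checks above can be run mechanically against the IAM credential report. The following is an added example (not code from the post): it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns (the Content field is base64 encoded) and flags a root user without MFA, any active root access key, and any active key older than the 90-day rotation window. The column names are the real report columns; the three report rows and the account ID are constructed for the example.

```python
"""Audit an IAM credential report for root-account and key-rotation findings."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation window from the checklist above

# Constructed sample report: a root user with an active key and no MFA,
# a user with a stale key, and a user that follows the rules.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2021-10-01T09:12:00+00:00,not_supported,not_supported,false,true,2019-01-10T08:05:00+00:00,2021-09-30T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-03-01T10:00:00+00:00,true,2021-10-20T07:00:00+00:00,2021-09-01T10:00:00+00:00,2021-11-30T10:00:00+00:00,true,true,2021-01-15T10:00:00+00:00,2021-10-19T07:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T10:00:00+00:00,false,N/A,N/A,N/A,true,true,2021-10-01T10:00:00+00:00,2021-10-20T07:00:00+00:00,us-west-2,sts,false,N/A,N/A,N/A,N/A
"""


def _parse_time(value):
    """Report timestamps are ISO 8601; placeholders such as N/A yield None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples.

    `now` may be a timezone-aware datetime or an ISO 8601 string; it defaults
    to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)

    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"  # how the report names the root user
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root user has no MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root user has an active access key ({slot})"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None:
                age = (now - rotated).days
                if age > max_age_days:
                    findings.append(
                        (user, f"access key {slot} is {age} days old (>{max_age_days})")
                    )
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against the constructed report the root user produces three findings (no MFA, an active key, and a key well past 90 days), alice's key is flagged as stale, and bob produces nothing. In practice the same function runs over the real report, and `now` is left at its default.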

AWS Risk Factor – Outbound traffic is unrestricted

  • 85% of resources associated with security groups don’t restrict outbound traffic at all (RedLock survey).

Solution

  • Restrict each security group's outbound rules to the destination IP ranges, protocols and ports that its workload actually needs, so that everything still networks properly without a default "allow all" egress rule.
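To find the unrestricted outbound rules the survey figure refers to, the egress rules of every security group can be checked from the output of `aws ec2 describe-security-groups`. The code below is an added example, not the post's own: it walks the `IpPermissionsEgress` structure of that output and reports rules whose destination is the whole internet (`0.0.0.0/0` or `::/0`). The two sample groups are constructed: the first carries the EC2 default "all traffic to anywhere" egress rule, the second is the corrected form with egress limited to an internal CIDR and a prefix list (`pl-EXAMPLE` is a placeholder ID).

```python
"""Flag security groups whose egress rules allow traffic to anywhere."""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample in the describe-security-groups JSON shape.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-unrestricted",
        "IpPermissionsEgress": [
            # The default egress rule EC2 adds to every new security group.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "web-restricted",
        "IpPermissionsEgress": [
            # Database traffic only to the internal subnet.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.20.0/24"}]},
            # HTTPS only to a managed prefix list (placeholder ID).
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]},
        ],
    },
]


def _rule_is_open(rule):
    """True if the rule's destination is the whole internet (IPv4 or IPv6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _rule_all_ports(rule):
    """True for 'all traffic' (-1) or an explicit full TCP/UDP port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def find_unrestricted_egress(groups):
    """Return {GroupId: [description of each open egress rule]}."""
    findings = {}
    for group in groups:
        for rule in group.get("IpPermissionsEgress", []):
            if not _rule_is_open(rule):
                continue
            if _rule_all_ports(rule):
                desc = "all protocols/ports to anywhere"
            else:
                desc = (f"{rule.get('IpProtocol')} "
                        f"{rule.get('FromPort')}-{rule.get('ToPort')} to anywhere")
            findings.setdefault(group["GroupId"], []).append(desc)
    return findings


if __name__ == "__main__":
    for group_id, rules in find_unrestricted_egress(SAMPLE_GROUPS).items():
        print(group_id)
        for desc in rules:
            print("  ", desc)
```

Only the first group is reported. A rule that opens a single port to anywhere (for example TCP 443) is still listed, with its port range, so that the reviewer can decide whether that egress is justified for the workload.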

AWS Risk Factor – Unpatched Hosts

Problem

  • Organizations need oversight into user activities which can reveal account compromises, insider threats, and other risks.
  • Traditional network vulnerability scanners are most effective for on-premises networks, but miss an awful lot of crucial vulnerabilities when they’re used to test cloud networks.

Solution

  • AWS CloudTrail is a web service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
  • Enabling CloudTrail simplifies security analysis, resource change tracking, and troubleshooting.

Summary  – AWS Security Audit and Checklist

This is a partial list of the 60-plus checks that Anuj Varma and team perform as part of their AWS Security Audit.

Is your AWS Deployment Secure? Start the conversation sooner rather than later. Security cannot be an afterthought (™)

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.

Security Audits of AWS Accounts – Roles, Policies and equivalents on GCP and Azure
https://www.anujvarma.com/security-audits-of-aws-accounts-what-roles-and-policies-do-i-need/
Mon, 20 Jan 2020 21:55:22 +0000

What should be audited? And why FullAdmin is a terrible idea.

(Also read, KMS based data encryption on AWS and Google Cloud)

CloudTrail logs, CloudWatch log groups, GuardDuty logs, Inspector logs, VPC Flow Logs and Trusted Advisor logs are just some of the AWS-native services that give you insight into security events in your AWS account.

Each of these services requires a role with its own IAM policies, either custom or managed, for access. This is why a majority of AWS admins take a shortcut: they create a role (or a user) and assign the Full Administrator policy to users that only need read-only access to these logs.

That’s the key point — this is meant to be a read-only user (or role), and granting full admin is overkill, apart from being a security risk.

So — what’s the alternative?

An Auditor Role would be cool

Wouldn’t it be cool if you could encapsulate all the required IAM policies into a single policy?  And simply create a user (or a role) with that attached policy?

This post describes such a Security Auditor role in AWS, with the following attributes.

  1. A READ ONLY (auditor) role that is able to access logs and events to investigate potential security breaches or potential malicious activity.
  2. The role should have privileges to read and view ANYTHING and EVERYTHING related to security, monitoring and troubleshooting within an AWS environment.
  3. This should include GuardDuty logs, CloudTrail logs, CloudWatch events, Inspector logs and more.
  4. Optionally, it should also continuously check for compliance violations (security-related compliance violations such as open Security Groups, public IPs, etc.).

Built-in Security policies in AWS IAM?

Believe it or not, AWS has already thought through the majority of this security audit use case. They have a managed policy specifically designed for this read-only auditing role. However, as this post will describe, you may still need an additional policy or two (depending on how comprehensive the auditor role you are defining needs to be).

To that end, the policies that I recommend for a full security auditor role in AWS include:

  • SecurityAudit – a MUST-have policy; it contains all the read-only permissions for CloudTrail, CloudWatch, VPC Flow Logs, Inspector logs and more.
  • AWSSecurityHubFullAccess (as opposed to AWSSecurityHubReadOnlyAccess) — Wait, didn’t you say you should avoid FullAccess? This was meant to be a read-only role. You are right – but Security Hub full access isn’t the same as Admin Full Access. In addition, what it buys you is the ability to automatically check for any compliance violations (see the AWSSecurityHubFullAccess section below).

Why we need this AWS managed policy – AWSSecurityHubFullAccess?

When you enable Security Hub, it is assigned a service-linked role named:

AWSServiceRoleForSecurityHub

This service-linked role includes a trust policy that Security Hub requires to do the following:

  1. Detect and aggregate findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie
  2. Configure the requisite AWS Config infrastructure to run supported standards (in this release, CIS AWS Foundations) compliance checks.

This is why I recommend this policy for all auditor roles. The SecurityAudit policy by itself does not allow the running of supported CIS benchmarks.

What about Cross Region Security Logs and Cross Account Logs?

The SecurityAuditor role (a role with the SecurityAudit AWS managed policy attached) provides access to CloudWatch logs regardless of the region in which they were created. The same applies to all other security-related logs, including VPC Flow Logs, Inspector logs and GuardDuty logs.

For accessing logs across AWS accounts, you have two options:

  1. Either create the same role in each account and provide cross account ‘assume role’ access to appropriate users in each account.
  2. A better solution is to use a centralized logging solution in your AWS account. This would channel all logs from all different accounts to a centralized logging account (typically to an S3 resource).
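The auditor role described in this post, and the cross-account "assume role" option above, can be created with a few IAM calls. The block below is an added example, not the post's own code: it builds the trust policy (trusting the central auditing account and requiring MFA on the assuming session), refuses to attach an AdministratorAccess policy, and attaches exactly the two managed policies the post recommends. The IAM client is injected, so the function runs offline against the recording stand-in included here; with boto3 installed, `boto3.client("iam")` is the real client (`create_role` and `attach_role_policy` are real boto3 IAM methods). The account ID is a constructed placeholder.

```python
"""Create the read-only SecurityAuditor role with the post's two managed policies."""
import json

ROLE_NAME = "SecurityAuditor"

# Managed policies recommended in the post. AdministratorAccess is deliberately
# absent: this role is read-only, plus Security Hub's compliance checks.
AUDITOR_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess",
]


def build_trust_policy(auditing_account_id, require_mfa=True):
    """Trust policy letting principals in the auditing account assume the role.

    For the cross-account option, the role is created in every audited account
    with the central account as the trusted principal. The MFA condition means a
    leaked long-term key of an auditor is not enough on its own to assume it.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{auditing_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def create_auditor_role(iam, auditing_account_id, policies=AUDITOR_MANAGED_POLICIES):
    """Create the role and attach the managed policies; returns the role name."""
    forbidden = [p for p in policies if p.endswith("/AdministratorAccess")]
    if forbidden:
        raise ValueError(f"auditor role must not carry admin policies: {forbidden}")
    iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(auditing_account_id)),
        Description="Read-only security auditor (SecurityAudit + Security Hub)",
    )
    for arn in policies:
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=arn)
    return ROLE_NAME


class RecordingIamClient:
    """Stand-in for boto3's IAM client that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))
        return {"Role": {"RoleName": kwargs["RoleName"]}}

    def attach_role_policy(self, **kwargs):
        self.calls.append(("attach_role_policy", kwargs))
        return {}


if __name__ == "__main__":
    client = RecordingIamClient()  # swap for boto3.client("iam") to apply for real
    create_auditor_role(client, "111122223333")  # constructed account ID
    for name, kwargs in client.calls:
        print(name, json.dumps(kwargs, indent=2))
```

Run as-is, the script prints the three IAM calls it would make: one `create_role` with the MFA-conditioned trust policy, then one `attach_role_policy` per managed policy. Repeating it in each audited account (with the central account's ID as the trusted principal) gives the per-account role of option 1.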

Are there any Permissions Boundaries for this role?

No permission boundaries are required for this role, since it is designed as a read only role.

Other Public Clouds? Azure and Google Cloud Security Auditor Roles

In GCP, the equivalent is the IAM Security Reviewer role (roles/iam.securityReviewer).

In Azure, the closest is the Security Reader Role.

The following table shows roles and their allowed actions in Azure Security Center (source: Azure docs).

Table 1 – Azure Security Center roles and allowed actions

Role                       | Edit security policy | Apply security recommendations for a resource (including with ‘Quick Fix!’) | Dismiss alerts and recommendations | View alerts and recommendations
Subscription Owner         | ✔                    | ✔                                                                           | ✔                                  | ✔
Subscription Contributor   | -                    | ✔                                                                           | ✔                                  | ✔
Resource Group Owner       | -                    | ✔                                                                           | -                                  | ✔
Resource Group Contributor | -                    | ✔                                                                           | -                                  | ✔
Reader                     | -                    | -                                                                           | -                                  | ✔
Security Administrator     | ✔                    | -                                                                           | ✔                                  | ✔
Security Reader            | -                    | -                                                                           | -                                  | ✔

Summary

Auditing all security-related events and logs across an AWS account means auditing multiple logs. Each of these logs can be streamed to a variety of destinations. This makes it challenging to assign IAM policies for accessing each service’s log, especially since it could be going to an S3 bucket today and to an event streaming service tomorrow.

This post details creating a SINGLE role that provides READ ONLY access across all these logs – regardless of their source (GuardDuty, VPC Flow Logs, Inspector, Trusted Advisor logs) or their destination.

Looking for a consultant to assist with a Cloud Security Review on AWS, Azure or Google Cloud?

For an initial security consultation on AWS, Azure or GCP, pick a time here. For a general consultation, set up a time here.
