{"id":36349,"date":"2016-06-23T15:06:26","date_gmt":"2016-06-23T09:36:26","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=36349"},"modified":"2016-12-19T15:30:13","modified_gmt":"2016-12-19T10:00:13","slug":"aws-security-re-check","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/aws-security-re-check\/","title":{"rendered":"AWS Security Re-Check"},"content":{"rendered":"

Security<\/strong> is of prime importance for any cloud vendor including AWS. AWS follows a <\/span>Shared Responsibility Model<\/span><\/a> for security. As the name Shared Responsibility Model suggests, security on AWS is not the sole responsibility of either AWS or the customer. It is a combined effort from both parties. The responsibility of AWS includes providing a global secure infrastructure and services, and the responsibility of the customer includes protecting the confidentiality, integrity, and availability of their data in the cloud.<\/span><\/p>\n

The figure given below depicts the clear line of separation between the responsibilities:<\/span><\/strong>\"Shared-responsibility-model\"<\/p>\n

Image courtesy: aws.amazon.com<\/h6>\n

While using any of the AWS services<\/a>, customers must follow these security checks regularly to meet the critical security requirements of their data.\u00a0<\/span><\/p>\n

This blog describes what are the basic security checks that should be performed on every AWS account, why they should be performed, and a code snippet to automate all the described basic security checks.<\/strong><\/p>\n

Server Hosting\u00a0<\/strong><\/h1>\n

First of all, you need to identify where to host your servers. Your account may support EC2-VPC and EC2-Classic. If the account was created after 4th Dec 2013, it will only support EC2-VPC. VPC is always recommended due to its better and flexible security. In case you have servers running on Classic, you should plan to move them to VPC as early as possible.\u00a0<\/span>So, a check for the\u00a0existence of any server on Classic layer becomes necessary if you are using the older account.<\/p>\n

Here is the python snippet that checks for all instances in all the regions\u00a0and lists details of instances if any existing in EC2-Classic:<\/span><\/p>\n

[sourcecode language=”python”]
\nreservations = connection.get_all_instances()
\n\tfor reservation in reservations:
\n\t\tfor instance in reservation.instances:
\n\t\t\tdetail=instance.__dict__
\n\t\t\tcount=0
\n\t\t\tif detail[‘vpc_id’] == None:
\n\t\t\t\tcount=count+1
\n\t\t\tif count!=0:
\n\t\t\t\tdata = [”,instance.tags[‘Name’] , instance.id,”]
\n\t\t\t\tcsvwriter.writerow(data)[\/sourcecode]<\/p>\n

Firewall\u00a0<\/strong><\/h1>\n

Next is the Firewall layer. Once you have placed your servers in VPC, you must configure perimeter security for each of your instances. Firewall is called a Security Group in AWS. Here you define what all machines (or group of machines) can access a particular instance and on what port. It’s always recommended to keep it restricted to a specific IP.\u00a0So, there should be another check to see if someone has not accidentally opened up any port for public (0.0.0.0\/0).<\/span><\/p>\n

[sourcecode language=”python”]<\/p>\n

sg=connection.get_all_security_groups()
\nfor group in sg:
\n\tfor rule in group.rules:
\n\t\tif ‘0.0.0.0\/0′ in str(rule.grants):
\n\t\t\tif rule.to_port == None:
\n\t\t\t\trule.to_port=’ALL’
\n\t\t\tdata = [”, group.name, rule.grants, rule.to_port ]
\n\t\t\tcsvwriter.writerow(data)
\n[\/sourcecode]<\/p>\n

IAM Key Rotation<\/b><\/h1>\n

IAM keys can be used to access your account. Anyone with the open secret and access keys of your account has as many permissions to make changes to your account as you do. So, to avoid the risk of leak and misuse of access keys, as a security best practice, IAM Keys should be rotated in every 90 days.<\/p>\n

[sourcecode language=”python”]<\/p>\n

for value in range (0,len(val)):
\n\tif diff[value] > 90:
\n\t\tdata=[ val[value],keys[value],’Key Not rotated from 90 days’,activekeys[value] ]
\n csvwriter.writerow(data)
\n\telse:
\n\t\tdata=[ val[value],keys[value],’Key is rotated’,activekeys[value] ]
\n\t\tcsvwriter.writerow(data)
\n[\/sourcecode]<\/p>\n

Multi-Factor Authentication<\/strong><\/h1>\n

MFA (Multi-Factor Authentication) is an added layer of security, used when there is more than one method of authentication required. It adds security as users have to configure a device\/number and enter a unique authentication code from their approved device or text message whenever they want to login to their account and access AWS services. <\/span>
\n<\/span>This restricts someone with your leaked root credentials to make any changes on your account.<\/span><\/strong><\/p>\n

[sourcecode language=”python”]
\nfor user in range(0,no_of_users):
\n\tuser_name=users[‘list_users_response’][‘list_users_result’][‘users’][user][‘user_name’]
\n\tmfa=connection.get_all_mfa_devices(user_name)
\n\tstatus=mfa[‘list_mfa_devices_response’][‘list_mfa_devices_result’][‘mfa_devices’]
\n\tif len(status)==0:
\n\t\tdata=[user_name,’Not Enabled’]
\n\t\tcsvwriter.writerow(data)
\n[\/sourcecode]<\/p>\n

User Activity Tracking<\/strong><\/h1>\n

As the number of users increases in an organization, it becomes harder to track what changes\u00a0each individual is making. As an owner, you might want to see what action was taken on what AWS resource and which user is accountable for it. AWS suggests having CloudTrail enabled for all regions in an account. Cloudtrail is used for API calls logging. It records all information about each API call made on your account in the S3 bucket. You can restrict the access of log information by managing IAM roles. By API calls logging, you can track changes made to your AWS resources.<\/p>\n

[sourcecode language=”python”]
\nconnection = boto.cloudtrail.connect_to_region(r_name)
\nc_trail=connection.describe_trails()
\nif not c_trail[‘trailList’]:
\n\tdata=[r_name, "Not Enabled"]
\n\tcsvwriter.writerow(data)
\nelse:
\n\tdata=[r_name, "Enabled"]
\n\tcsvwriter.writerow(data)
\n[\/sourcecode]<\/p>\n

Data Security<\/strong><\/h1>\n

Data security is a big challenge these days. \u00a0Customers keep their critical or non-critical data on AWS Storage service (S3) inside the buckets available in all the regions. It becomes necessary to restrict these buckets with respect to the level of access for the users. Any bucket exposes various permissions like Read, Write, Read_ACP (view Access Control Permissions) and Full Control which are given to different users as per their requirement.<\/span><\/p>\n

There should be a check to identify that only required permission is given to users. For example, if my application is supposed to read and write from the bucket, it does not need permissions for everyone but for a dedicated user. Also, if any bucket needs to have read only permission for everyone to access, it should be limited to \u2018Read Only\u2019 permission and never for Write or ACP related permissions. For more security, data can be encrypted before pushing it in the bucket.<\/p>\n

[sourcecode language=”python”]
\nfor bucket in buckets:
\n\tbucket_policy=bucket.get_acl()
\n user_policy=bucket_policy.acl
\n user_grants=user_policy.grants
\n no_of_user=len(user_grants)
\n data=[bucket.name.title(),bucket_policy.owner.display_name,’ ‘]
\n csvwriter.writerow(data)
\n\tfor user in user_grants:
\n\t\tuname=user.display_name
\n user_permission=user.permission
\n if (uname==None):
\n \tu_uri=user.uri
\n uri_split=u_uri.split(‘\/’)
\n uname=str(uri_split[-1])
\n data=[”,”,uname,user_permission ]
\n csvwriter.writerow(data)
\n[\/sourcecode]<\/p>\n

All above listed security checks should be performed on every AWS account on a monthly or quarterly basis to make you aware of any potential risks with your account.\u00a0Also, to perform all these checks, you require a user with READ-ONLY permissions.<\/p>\n

I have compiled all these snippets in a single script\u00a0which does all above checks automatically and will give you an easy to understand output for each check. Download<\/a><\/strong> the script from here.<\/span><\/p>\n

Once executed, the script will generate an Excel sheet combining all outputs and will appear something like:\"output1\"<\/p>\n

\"output\"<\/p>\n

\"MFAAA\"<\/p>\n

\"OUTCLOUDTRAIL\"<\/p>\n

I hope this blog would have given you the reason for doing all these checks and the way it can be done without much effort.<\/p>\n

For running the script:<\/p>\n