So you successfully ran Trusted Advisor, Scout2, Access Advisor, or hired an external firm to audit your AWS accounts? You found that the co-founder is still logging in using root keys and that you have security groups allowing 0.0.0.0/0 access from the internet. Not to mention the 20 developers offshore that are sharing the same IAM user and access keys.
The obvious answer is to remediate those items.
Great, we’re done!
Uhh… not quite. Knowing is half the battle. Fixing is 10%. Making sure it doesn’t happen again… THAT’s the other half of the battle. (aka Security Maturity)
And it’s sometimes a real battle for sure.
It’s about disseminating a culture that it’s not OK to share accounts. It’s about educating your users on WHY and what THEIR role in security is.
So back to your AWS accounts… what can you do to prevent such findings in the future? Here are some examples:
Security Audit: IAM, IAM, IAM
- Start by locking down who has access to IAM. In the cloud IAM is the FRONT DOOR, not the network. Limiting who has access to create users and keys will decrease the likelihood of rogue access. It is also important to educate those who have IAM access.
- Every person should have a separate IAM user account. If they have a heartbeat, they should have their own account and password that just they know.
- Enable 2FA, for everyone. Yes, everyone. Start with your admins. AWS now supports Yubikey. You can read my friend Corey Quinn’s take on it too.
- Get rid of the root account. Enable 2FA, delete any access keys, and lock the creds in a safe. Some argue to delete the account altogether, especially if you have enterprise support. Here are the only tasks that require a root key.
- Onboarding and Offboarding Hygiene. Make sure when users leave, their accounts and keys are disabled. Utilize SSO for console and CLI access if you can to centralize access. There are so many 3rd party options in this space these days, we’re quite lucky. HashiCorp Vault is one of them.
- Utilize role based access for EC2. This reduces the need to issue access keys for services running on EC2.
This will arguably get you 50% better in terms of cloud security! These are preventative controls designed to stop bad things from happening.
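To see what these preventative controls look like as a check you can run on a schedule, here is an added example (not code from the original post) that audits the CSV returned by `aws iam get-credential-report` for the items above: root with access keys or no MFA, console users without MFA, long-lived keys, a heuristic for shared users, and users who have gone quiet (offboarding). The rows, the account id 111122223333, and the 90-day key-age and 60-day inactivity thresholds are constructed assumptions; the column names match the real report.

```python
"""Audit an IAM credential report against the hygiene items above.

Added example, not from the original post. The input is the CSV that
`aws iam get-credential-report` returns (after base64 decoding). The rows
below are constructed, with placeholder account id 111122223333, and the
column names match the real report. The 90-day key-age and 60-day
inactivity thresholds are assumptions; tune them for your environment.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: root with keys and no MFA, a clean user, a shared
# user with stale keys and no MFA, and a user who left months ago.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-05T10:00:00+00:00,not_supported,2018-10-10T08:00:00+00:00,not_supported,not_supported,false,true,2016-01-05T10:05:00+00:00,2018-10-10T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-03-01T09:00:00+00:00,true,2018-10-15T14:00:00+00:00,2018-09-01T09:00:00+00:00,2018-12-01T09:00:00+00:00,true,true,2018-08-01T00:00:00+00:00,2018-10-15T14:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
offshore-dev,arn:aws:iam::111122223333:user/offshore-dev,2016-06-01T09:00:00+00:00,true,2018-10-16T02:00:00+00:00,2016-06-01T09:00:00+00:00,2016-09-01T09:00:00+00:00,false,true,2016-06-01T09:00:00+00:00,2018-10-16T02:00:00+00:00,eu-west-1,ec2,true,2017-01-01T00:00:00+00:00,2018-10-16T02:30:00+00:00,ap-southeast-1,ec2,false,N/A,false,N/A
bob-left,arn:aws:iam::111122223333:user/bob-left,2017-01-01T09:00:00+00:00,true,2018-03-01T10:00:00+00:00,2017-01-01T09:00:00+00:00,2017-04-01T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the audit is reproducible; use datetime.now(timezone.utc) in production.
NOW = datetime(2018, 10, 17, tzinfo=timezone.utc)


def parse_time(value):
    """The report marks missing timestamps as N/A, no_information or not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, inactive_days=60):
    """Return (user, finding) tuples for every row that violates a hygiene rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys_active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        # Root: no access keys at all, MFA on, and otherwise locked in the safe.
        if user == "<root_account>":
            if keys_active:
                findings.append((user, "root has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue

        # Everyone with a console password has MFA, no exceptions.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Long-lived keys: flag anything older than the rotation window.
        for n in keys_active:
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))

        # Heuristic for a shared user: both keys active and last used from
        # different regions (a weak signal on its own; confirm with CloudTrail).
        regions = {row[f"access_key_{n}_last_used_region"] for n in keys_active}
        if len(keys_active) == 2 and len(regions) == 2:
            findings.append((user, "possible shared user: keys used from different regions"))

        # Offboarding: no console or key activity for a long time.
        activity = [parse_time(row[c]) for c in
                    ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
        activity = [t for t in activity if t]
        if activity and now - max(activity) > timedelta(days=inactive_days):
            findings.append((user, f"no activity in {inactive_days} days; disable if offboarded"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

The report is a point-in-time snapshot, so the audit only tells you what is wrong right now; the value comes from running it on a schedule and treating any new finding as a regression of the controls above.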
Security Audit: Logging
Next (or first depending) is to find out all the “unknown unknowns”. You can’t fix what you don’t know is broken. You can’t justify your actions if you don’t have data to prove it. You also need to have enough logs to find out the Who, What, Where, and How of a security incident, should it ever happen to you.
- Consolidate your Cloudtrails. Create an AWS account for logs and security tools with access limited to a few security folks. Create an S3 bucket for your cloudtrails and point all your other cloudtrails to this bucket. Point your logging tool to this bucket and start sifting.
- VPC Flow Logs. Back in the day (like a few months ago!) it was complex to get flow logs to an S3 bucket. Now it’s easy. Create a bucket in your security account and point all your flow logs there. Start mapping.
Continue adding and centralizing your logs and find a SIEM or log aggregator you’re comfortable with to ingest the data.
This is the detection part of Security, knowing what is going on in your environment.
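Once the trails are centralized, the “sifting” is a handful of rules over the records. The following is an added example, not code from the original post, that runs three such rules over a constructed CloudTrail log file and reports the Who, What, Where and When for each hit: any activity by root, IAM write calls by principals outside an allowlist, and security group rules opened to 0.0.0.0/0 or ::/0. The records follow the CloudTrail record shape; the account id 111122223333, the IP addresses and the IAM_ADMINS allowlist are constructed placeholders and assumptions.

```python
"""Detection over centralized CloudTrail: who, what, where and how.

Added example, not from the original post. The records are constructed in
the CloudTrail record shape; account id 111122223333, the IP addresses and
the IAM_ADMINS allowlist are placeholders and assumptions. The rules flag
the findings the post opens with: root usage, IAM changes by people who are
not supposed to administer IAM, and security groups opened to the world.
"""
import json

# Constructed log file: root console login without MFA, a key created by a
# non-admin, a security group opened to the world, and one benign S3 read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-10-16T03:12:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-10-16T09:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/offshore-dev",
                      "userName": "offshore-dev"},
     "requestParameters": {"userName": "offshore-dev"}},
    {"eventTime": "2018-10-16T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/offshore-dev",
                      "userName": "offshore-dev"},
     "requestParameters": {"groupId": "sg-0aa0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2018-10-16T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web/i-0001"},
     "requestParameters": {"bucketName": "app-assets", "key": "index.html"}},
]})

# Assumption: the "few security folks" who are allowed to administer IAM.
IAM_ADMINS = {"arn:aws:iam::111122223333:user/alice"}
IAM_WRITE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                    "AttachUserPolicy", "PutUserPolicy", "DeactivateMFADevice"}


def world_cidrs(request_parameters):
    """Pull every 0.0.0.0/0 or ::/0 range out of an EC2 ipPermissions request."""
    found = []
    for perm in (request_parameters or {}).get("ipPermissions", {}).get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            if r.get("cidrIp") == "0.0.0.0/0":
                found.append(r["cidrIp"])
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            if r.get("cidrIpv6") == "::/0":
                found.append(r["cidrIpv6"])
    return found


def classify(record):
    """Return (rule, detail) pairs for one record; [] means nothing to alert on."""
    alerts = []
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    if identity.get("type") == "Root":
        mfa = (record.get("additionalEventData") or {}).get("MFAUsed", "unknown")
        alerts.append(("root_activity", f"MFAUsed={mfa}"))
    if (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in IAM_WRITE_EVENTS
            and identity.get("arn") not in IAM_ADMINS):
        alerts.append(("iam_write_by_non_admin", f"target user={params.get('userName', '?')}"))
    if record.get("eventName") == "AuthorizeSecurityGroupIngress":
        cidrs = world_cidrs(params)
        if cidrs:
            alerts.append(("world_open_ingress", f"{params.get('groupId')} opened to {','.join(cidrs)}"))
    return alerts


def detect(trail_json):
    """Run the rules over one CloudTrail log file and answer who/what/where/when per hit."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        for rule, detail in classify(rec):
            alerts.append({"rule": rule, "who": rec["userIdentity"]["arn"],
                           "what": rec["eventName"], "where": rec["sourceIPAddress"],
                           "when": rec["eventTime"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAIL):
        print(alert)
```

The same rules translate directly into saved searches in whatever SIEM you pick; the point of having the trails in one bucket first is that a rule like “root did anything” only needs to be written once for all accounts.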
Security Audit: Automated Security
Once you have some security maturity and hygiene to your cloud accounts, you can start automating some tasks. This may be considered advanced by some, but I encourage you to tackle this sooner than later, as it will pay dividends right away!
- Remove unauthorized security groups. Someone creates an unauthorized 0.0.0.0/0 security group? Delete it.
- Remove unauthorized access keys. Not expecting to have long-term access keys in your environment? Remove them!
- EC2 Instances without roles attached to them? You got it… terminate them!
Cloud Custodian by Capital One is an open source tool that can help automate some of these tasks.
These are corrective controls that will fix bad things before they become worse.
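Whether you use Cloud Custodian or your own job, the safe way to start with corrective controls is to generate the remediation as a reviewable plan before anything is deleted. The following is an added example (not code from the original post and not Cloud Custodian) that builds such a plan for two of the bullets above: it finds security group ingress rules open to the world on ports outside a public allowlist and emits the matching revoke call that removes only the world-open ranges, and it lists running instances with no instance profile for termination. The inventory is constructed in the shape of boto3’s `describe_security_groups` and `describe_instances` responses; the allowlist of ports 80 and 443 and the account id are assumptions.

```python
"""Corrective controls: turn inventory into a reviewable remediation plan.

Added example, not from the original post and not Cloud Custodian. The
inventory below is constructed in the shape of boto3's
ec2.describe_security_groups() and ec2.describe_instances() responses
(placeholder account id 111122223333). The planner returns the API calls a
remediation job would make; apply_plan() without a client is a dry run.
"""
from ipaddress import ip_network

# Constructed inventory (boto3 response shape).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aa0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bb0", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aa0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]
INSTANCES = [
    {"InstanceId": "i-0001", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"}, "Tags": []},
    {"InstanceId": "i-0002", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "scratch"}]},
    {"InstanceId": "i-0003", "State": {"Name": "terminated"}},
]

# Assumption: only the public web ports may be open to the world.
PUBLIC_PORT_ALLOWLIST = {(80, 80), (443, 443)}


def is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only ranges with a zero-length prefix."""
    return ip_network(cidr).prefixlen == 0


def world_open_permissions(group):
    """Return revoke-ready IpPermissions entries holding only the world-open ranges
    of rules that are not on the public allowlist (other ranges in the same rule stay)."""
    revoke = []
    for perm in group["IpPermissions"]:
        all_protocols = perm["IpProtocol"] == "-1"
        if not all_protocols and (perm.get("FromPort"), perm.get("ToPort")) in PUBLIC_PORT_ALLOWLIST:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if is_world(r["CidrIp"])]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
        if not v4 and not v6:
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if not all_protocols:
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        revoke.append(entry)
    return revoke


def plan_security_group_fixes(groups):
    """One revoke_security_group_ingress call per offending group."""
    return [{"action": "revoke_security_group_ingress", "GroupId": g["GroupId"], "IpPermissions": perms}
            for g in groups if (perms := world_open_permissions(g))]


def plan_instance_fixes(instances):
    """Running instances with no instance profile get the post's treatment: terminate."""
    return [{"action": "terminate_instances", "InstanceIds": [i["InstanceId"]]}
            for i in instances if i["State"]["Name"] == "running" and "IamInstanceProfile" not in i]


def apply_plan(plan, ec2_client=None):
    """Execute the plan against a boto3 EC2 client; with no client, just print it (dry run)."""
    for step in plan:
        kwargs = {k: v for k, v in step.items() if k != "action"}
        if ec2_client is None:
            print("DRY RUN:", step["action"], kwargs)
        else:
            getattr(ec2_client, step["action"])(**kwargs)


if __name__ == "__main__":
    apply_plan(plan_security_group_fixes(SECURITY_GROUPS) + plan_instance_fixes(INSTANCES))
```

Revoking only the world-open ranges, rather than deleting the whole group, keeps the internal 10.0.0.0/8 rule intact and limits the blast radius of the automation itself; run the plan in dry-run mode against production inventory for a while and compare it with your change tickets before wiring it to a real client.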
Implementing all of the above will require a culture change. It will require hand holding, guidance, and good bedside manners (emotional intelligence). Take small steps and get some wins behind you, and build momentum from there!
If you’re feeling overwhelmed in securing your AWS environments, contact me at firstname.lastname@example.org.
This article first appeared on LinkedIN on October 17, 2018.