Security Benchmark Implementation in AWS

Security was, and for many still is, a big concern when moving to publicly hosted cloud infrastructure, but things have matured enough that any organization can move to cloud-based shared infrastructure by following the security benchmarks published by major organizations, especially CIS (the Center for Internet Security). Security in AWS is a shared responsibility model: the heavyweight infrastructure standards (ISO 27001, SOC reports, HIPAA, FISMA, PCI and so on) are met by the cloud vendor, and the vendor gives the hosted client the flexibility to implement security on its own infrastructure, so that the client can allow or deny traffic to or from specific services.

The 2015 CyberEdge Group report itself says that:

  • 70% of companies suffered a breach.
  • The average incident cost $3.5 million.
  • 62% of security budgets are increasing.
  • Spending is projected to keep increasing, as security has become a substantial board-of-directors and direct customer concern.

CIS security benchmarks have some advantages compared to other standards:

  1. CIS security standards have very practical and immediate value.
  2. CIS security standards can be part of a larger initiative or longer project.
  3. CIS security standards scale down to smaller organizations.
  4. They are modern, actively developed and automation-ready.
  5. You can reduce implementation stress through the methods and tools they provide.

We will focus more on CIS benchmarks to implement security standards on an AWS-hosted environment, as CIS decides these metrics and configurations through discussion and consensus among industry leaders, enterprises and registered individuals. If we compare the traditional approach with the newer CIS benchmark security implementation, we find that it aligns with a DevOps or Agile approach and can be implemented automatically in a more streamlined way. (Reference for all images: Pluralsight, CIS Benchmarks for AWS)

[Image: tradition-security-approach-vs-cis-benchmark]

In the image above you can see the traditional way to implement security: get the security standards from industry, then take help from individual consultants or internal security staff to implement those rules so they can be frozen as internal security rules, and then have the secured systems formally audited by external auditors to obtain third-party security certification.

With the newer CIS benchmarks we already have the standards and the steps to implement them in our environment, and these can be fed directly into the automation system that applies the metrics and standards. That removes the “Workgroup/Consultants” step from the implementation chain entirely, which indirectly helps you go more agile and reduces management cost.

In this framework “Infrastructure as Code” plays a big role: you pick the benchmarks for your environment or operating system from the CIS site, write the rules down for your organization, and have them applied automatically at a scheduled interval. Here you can choose CloudFormation, OpenStack Heat, self-written bash/PowerShell/Python scripts, or a tool designed for heterogeneous cloud environments like Terraform.

CIS benchmark rules are published for most operating systems, databases and applications and can be downloaded from the CIS website. Some of the most useful benchmarks are:

[Image: CIS-Benchmarks-pdfs]

If you go through the content of these PDFs you will find crisp information about service- and OS-level settings to achieve your organization's desired goals, for example:

Linux:

1.6 Mandatory Access Control
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
1.6.1.2 Ensure the SELinux state is enforcing (Scored)
1.6.1.3 Ensure SELinux policy is configured (Scored)
1.6.1.4 Ensure SETroubleshoot is not installed (Scored)

Windows:

2.2 User Rights Assignment
2.2.1 (L1) Ensure ‘Access Credential Manager as a trusted caller’ is set to ‘No One’ (Scored)
2.2.2 (L1) Configure ‘Access this computer from the network’ (Scored)
2.2.3 (L1) Ensure ‘Act as part of the operating system’ is set to ‘No One’ (Scored)
2.2.4 (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only) (Scored)
2.2.5 (L1) Configure ‘Allow log on locally’ (Scored)

These CIS benchmarks also describe how to configure each setting on your system, so download the benchmarks that match your environment.

The CIS AWS Foundations Benchmark is focused on:

  1. An implementation-ready checklist
  2. The highest-impact benefits
  3. Being technology specific (IIS, AWS, Linux)
  4. Being community driven and updated constantly
  5. Embracing Agile, DevOps, Cloud and automation
  6. Being an early component of a larger compliance program or project
  7. A faster implementation and update cycle

Here I am listing some of the CIS best practices for implementing these benchmarks in specific AWS security areas:

  1. For example, the CIS benchmark for AWS IAM asks you to make a deliberate decision between IAM role and IAM user level access.

[Image: cis-iam-standards]

In this image the CIS benchmark recommends using IAM roles to obtain service access instead of creating IAM users and generating passwords or access/secret keys for them. I cannot say that every organization should follow this benchmark to the letter: I have seen organizations avoid creating such “bastion instances” for security reasons, because once such a system is compromised it gives unrestricted access to the environment. So it depends more on the IAM permission policies you create for your organization; with those in place the CIS benchmark can be followed easily.

Besides IAM users and roles, we have seen many times that developers put plaintext passwords directly in their configuration files. That should be avoided by encrypting the values (for example with a YAML encryption helper from bash, or ConvertFrom-SecureString in PowerShell) or by using the mechanisms AWS already provides for secure storage, such as encrypted objects in S3, so that your microservices pull the secret out at runtime with the proper decryption tools or functions in the app.
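The quickest way to find the plaintext-credentials problem described above is to scan configuration files before they are committed. The following is an added example, not code from the original post: it scans a constructed sample config for AWS access key IDs, secret access keys and password assignments, and skips values that are only environment-variable placeholders. The key values in the sample are the placeholder credentials from the AWS documentation; the regular expressions and the placeholder convention are assumptions of this example.

```python
import re

# Constructed sample config; the key values are the placeholder examples
# from the AWS documentation, not real credentials.
SAMPLE_CONFIG = """# constructed sample; the key values are the placeholder examples from AWS documentation
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host = db.internal
db_password = hunter2
api_password = ${API_PASSWORD}
"""

# Each pattern captures the secret value (group 1) where there is a key/value pair.
PATTERNS = [
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 base-32-ish chars.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    # 40-character secret assigned to a key named like secret_access_key / secret-key.
    ("aws_secret_access_key", re.compile(
        r"(?i)secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    # Generic password assignment (db_password = ..., passwd: ..., pwd=...).
    ("password", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)")),
]

# Values that are clearly injected at runtime rather than stored: ${VAR}, $VAR, <placeholder>.
# (Assumed convention for this example.)
PLACEHOLDER = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^<[^>]+>$")


def scan_config(text):
    """Return a list of (line_number, kind) for every hard-coded credential found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not configuration
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDER.match(value):
                continue  # reference to a runtime secret source, not a stored secret
            hits.append((lineno, kind))
    return hits


if __name__ == "__main__":
    for lineno, kind in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: hard-coded {kind}")
```

Run it as a pre-commit hook over every file under version control; the placeholder rule is what keeps `${API_PASSWORD}` style references (values pulled from the environment or a secret store at runtime) from showing up as false positives.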

AWS IAM MFA is also one of the recommended benchmark metrics. As a security consultant you have to decide which services and actions should require MFA, since enforcing it for everything is cumbersome to use in such a big environment.
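The IAM recommendations above (prefer roles over long-lived user keys, require MFA) can be checked from the IAM credential report, which AWS returns as CSV. The following is an added example, not code from the original post: it audits a constructed sample report with the same column names as the real one for console users without MFA, access keys on the root account and access keys older than 90 days. The 90-day rotation window and the fixed “as of” date are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the column layout of the IAM credential report.
# Only the columns used below are included; the real report has more.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-10T09:00:00+00:00,not_supported,2015-08-01T10:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-02-01T12:00:00+00:00,true,2015-09-01T08:00:00+00:00,2015-02-01T12:00:00+00:00,N/A,true,true,2015-08-15T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T12:00:00+00:00,true,2015-09-02T08:00:00+00:00,2015-03-01T12:00:00+00:00,N/A,false,false,N/A,false,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2015-01-05T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2015-01-05T12:00:00+00:00,false,N/A
"""

KEY_MAX_AGE = timedelta(days=90)                        # assumed rotation window
AS_OF = datetime(2015, 9, 15, tzinfo=timezone.utc)      # fixed "now" so the sample is reproducible


def _parse_ts(value):
    """Parse the report's ISO-8601 timestamps; N/A, not_supported etc. give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) for every row that violates a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_console = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"

        # Anyone who can log in to the console (root always can) needs MFA.
        if (is_root or has_console) and not has_mfa:
            findings.append((user, "no MFA on console login"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Root should have no access keys at all; workloads should use roles.
            if is_root:
                findings.append((user, f"root access key {n} exists"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} older than 90 days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed AS_OF date."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

In a real account the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the report body is base64 encoded), and `now` would be `datetime.now(timezone.utc)`. The `deploy-svc` user in the sample is exactly the case the benchmark argues against: a machine identity with a never-rotated long-term key where an instance role would do.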

2. Enable logging and monitoring of service access for security incident and access reporting

[Image: cis-wiring-up-resources]

We should enable CloudTrail so that API calls to our major services (AWS KMS, VPC, RDS, EC2, IAM and so on) are logged, and feed those logs into a monitoring system such as CloudWatch (CloudWatch Logs metric filters and alarms) that can raise an incident or alert us on abnormal access. With this setup in place the organization can track unauthorized access incidents, take action and block the offending access immediately, which in turn brings down the mean time to resolution for such problems. Designing AWS IAM policies takes some effort: design them in the planning phase and tune them as new requirements arrive. AWS itself provides more than 200 managed policies to choose from, but we still see organizations that need policies customized for their environment.
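The “abnormal access” alerts above are, in CIS terms, CloudWatch Logs metric filters over the CloudTrail stream: unauthorized API calls, root account usage, changes to CloudTrail itself and security group changes. The following is an added example, not code from the original post: it applies the same four detections in Python to a constructed CloudTrail log file so the logic can be tested offline. The sample records only carry the fields the rules look at; the rule names are assumptions of this example.

```python
import fnmatch
import json

# Constructed sample in the shape of a CloudTrail log file's "Records" array
# (only the fields the rules below look at are included).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-09-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-09-15T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2015-09-15T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2015-09-15T10:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/ops-session"}},
    {"eventTime": "2015-09-15T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.25", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-svc"}},
    {"eventTime": "2015-09-15T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

TRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}


def _unauthorized(event):
    # Same semantics as the CloudWatch Logs metric filter
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = event.get("errorCode", "")
    return any(fnmatch.fnmatchcase(code, p) for p in ("*UnauthorizedOperation", "AccessDenied*"))


# Rule name -> predicate over one CloudTrail record.
RULES = {
    "unauthorized_api_call": _unauthorized,
    "root_account_usage": lambda e: e.get("userIdentity", {}).get("type") == "Root",
    "cloudtrail_config_change": lambda e: e.get("eventName") in TRAIL_CHANGES,
    "security_group_change": lambda e: e.get("eventName") in SG_CHANGES,
}


def actor(event):
    """Best available name for who made the call: user name, else ARN, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(log_json):
    """Return a list of (rule, eventName, actor) for every record that trips a rule."""
    alerts = []
    for event in json.loads(log_json)["Records"]:
        for name, matches in RULES.items():
            if matches(event):
                alerts.append((name, event["eventName"], actor(event)))
    return alerts


if __name__ == "__main__":
    for rule, event_name, who in detect(SAMPLE_LOG):
        print(f"{rule}: {event_name} by {who}")
```

Note that the `StopLogging` record is the one an attacker issues first; a filter on CloudTrail configuration changes is what tells you that the rest of the trail can no longer be trusted. In production the same predicates become metric filters on the CloudWatch Logs group that CloudTrail delivers to, each with an alarm on a count of at least one.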

Intended Protections by CloudTrail:

  1. Complete auditability of breaches
  2. Raw data for real time alerts
  3. Deterrent to “attacks from within”
  4. Track API keys stored with 3rd parties

But there are some implementation challenges, like:

  1. Cost of CloudTrail event recording
  2. Cost of CloudWatch log ingestion
  3. Cost of S3 log storage

3. Security group and VPC logging

Each VPC has its own security groups, route tables and network ACLs, so we should write and tune those to our organization's requirements, and VPC Flow Logs should be enabled: they record the accepted and rejected IP traffic for each network interface, which is how you see what the security group and network ACL rules are actually doing. Those coming from a VMware background can think of it roughly as the “esxcli network firewall” view of the hypervisor firewall, but here the rules are enforced by the VPC networking layer outside the guest, independent of any iptables rules inside the instance. At the time of writing the default limits were 5 security groups per network interface with a maximum of 50 rules per group, which comes to 250 rules; the number of groups per interface can be raised through an AWS support request, but the product of the two still cannot exceed 250 per interface:

SGs per interface X rules per SG     =      250 or less

           5 X 50 = 250 (default)
           6 X 41 = 246
           7 X 35 = 245

Security groups are implemented at the VPC level as well as specific to some services (RDS security groups, for example), so we can control access at the VPC level and per service.

a. We should design IaaS-, PaaS- and SaaS-specific security groups so that you can control access in a better way and separate infrastructure-level traffic from web or application traffic.

[Image: cis-infra-sg]

b. There should be some temporary security groups that can be dynamically attached or removed as required, for example in a troubleshooting scenario or for temporary ping access to trace reachability of services.

[Image: cis-sg-testing]

c. Engineer least-privilege security groups. We should not allow all rules in a single SG; instead create more customized SGs with the fewest service ports needed.

[Image: cis-least-privilege-security-group]
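Whether a security group is least-privilege can be checked mechanically from the `describe-security-groups` output. The following is an added example, not code from the original post: it audits three constructed security groups (a web tier, an app tier that only accepts traffic from the web tier's group, and a “legacy” catch-all) for the cases the benchmark and the points above call out, namely SSH or RDP open to 0.0.0.0/0, all-protocol rules, and very wide port ranges. The 100-port threshold and the group IDs are assumptions of this example.

```python
import ipaddress

# Constructed sample in the shape of describe-security-groups output
# (only the fields used below are included).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0e1f2a3b", "GroupName": "app-tier", "IpPermissions": [
        # Source is another security group, not a CIDR: only the web tier can reach it.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.100.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0c1d2e3f", "GroupName": "legacy-all", "IpPermissions": [
        # "-1" means all protocols and all ports; such rules carry no FromPort/ToPort.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # must never be reachable from 0.0.0.0/0
MAX_PORT_SPAN = 100                      # assumption: anything wider is flagged as not least-privilege


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups):
    """Return a list of (GroupId, finding) for every rule that violates a check."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]

            if perm["IpProtocol"] == "-1":
                findings.append((gid, "all protocols and ports open"))
                continue

            lo, hi = perm["FromPort"], perm["ToPort"]
            if hi - lo + 1 > MAX_PORT_SPAN:
                findings.append((gid, f"wide port range {lo}-{hi}"))

            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                for port, name in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((gid, f"{name} ({port}) open to the world"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
```

The app tier passes because its only Internet-facing dependency is expressed as a reference to the web tier's group rather than a CIDR, which is the pattern the IaaS/PaaS/SaaS separation above is after; the legacy group fails three times, and note that its “high ports” rule quietly includes RDP even though nobody wrote 3389 anywhere.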

AWS also provides Amazon Inspector, AWS Trusted Advisor and AWS WAF to handle web and other application-level attacks, and these go over and above the CIS benchmark standards.

There are many more standards across AWS services for containers, microservices, Lambda etc., but we will talk about those in upcoming security blogs. In this blog our intention was to talk about the CIS benchmark standard so that, as solution architects, we can plan the security implementation in advance while designing our cloud-based infrastructure or writing our cloud infrastructure as code.