Security Benchmark Implementation in AWS

The Center for Internet Security (CIS) is a 501(c)(3) organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cybersecurity challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls.

Security is a or was a big concern while moving to publicly hosted cloud infrastructure but things have matured enough that any organization can move easily to cloud based shared infrastructure by following some of the security benchmark listed by major organization specially CIS (Center of Internet Security). Security in AWS is shared responsibility model where major heavy wait infrastructure standards are followed by cloud vendors and those were like (ISO 27001,SOC reports,HIPPA, FISMA,PCI etc) and cloud vendor itself provides flexibility to hosted client to implement security on their infrastructure so that clients can have option to allow and deny traffic from or to specific services.

Cyber Edge group report itself says that

  • 70% of companies suffered a breach.
  • Average incident cost $3.5 million.
  • 62% of security budgets are increasing.
  • Is projected to continue to increasing as a substantial board of directors and direct customer concerns

CIS security benchmark has some advantages as compare to other standards like:

  1. CIS security standards have very practical and immediate value
  2. CIS security standards can be part of a larger initiative or longer project
  3. CIS security standards scale down to smaller organization
  4. They are modern , actively developed and automated ready
  5. You can reduce implementation stress through the methods and tools using tools

We will be more focusing on CIS benchmarks to implement security standards on AWS cloud hosted environment as CIS decides these metrics/configuration after discussion and consensus from industry leaders, enterprises and registered individuals.If we review traditional vs new CIS benchmark  security implementation and we finds that it is aligning to our DevOps or Agile approach and it can be implemented automatically in more streamlined way. (Reference for all images:  Pluralsight CIS Benchmarks for AWS)

tradition-security-approach-vs-cis-benchmark

In this above image you can see our traditional way to implement security is through getting security standards from industry and then taking help from individual consultants or internal security member to implement those rules so those can be freezed as internal security rules and then those secured system can formally audited to get 3rd party security certification from external auditors.

But in newer CIS benchmark we already have those standards and steps to implement those in your environment which can be directly feed to your automation system to implement those metrics and standards that completely removing “Workgroup/Consultants” from this implementation chain that indirectly helping you to go more agile and reduce management cost.

In this framework “Infrastructure as Code” is playing a big role as you can pick benchmarks from CIS site for you environment or operating system and can write down those rules for your organization and then those can be automatically applied on scheduled interval.Here you can choose any Infrastructure as Code tools or designated tools used by vendors like Cloud formation, OpenStack Heat, Self designed Bash/Powershell/Python scripts or tools designed to implement on heterogeneous cloud environment like Terraform.

CIS Benchmark rules are published for most of the operating system, databases or application and can be download from CIS web site. Some of the most useful benchmarks are

CIS-Benchmarks-pdfs

If you would like to have a look on AWS customized benchmark and would like to use already customized AMI’s then you can checkout at URL, If you go through CIS PDF’s content then you will find more crisp information about service/OS level settings to achieve your organization level desired goals for an example:

Linux:

1.6 Mandatory Access Control     ……………… 58
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
1.6.1.2 Ensure the SELinux state is enforcing (Scored) ……….. 61
1.6.1.3 Ensure SELinux policy is configured (Scored) ………….. 62
1.6.1.4 Ensure SETroubleshoot is not installed (Scored) …….. 63

Windows:

2.2 User Rights Assignment ………………. 47
2.2.1 (L1) Ensure ‘Access Credential Manager as a trusted caller’ is set to ‘No One’ (Scored) …………. 47
2.2.2 (L1) Configure ‘Access this computer from the network’ (Scored) …….. 49
2.2.3 (L1) Ensure ‘Act as part of the operating system’ is set to ‘No One’ (Scored) . 51
2.2.4 (L1) Ensure ‘Add workstations to domain’ is set to ‘Administrators’ (DC only) (Scored) ………… 53
2.2.5 (L1) Configure ‘Allow log on locally’ (Scored) ……. 57

These CIS benchmark also talks about how to configure it in your system so please download these benchmarks according to your environment.

AWS and CIS Benchmark

AWS is also focused on CIS benchmark implementation and also providing supporting services around it so that you can identify and mitigate issues and AWS Security Hub is one of the service that helps you to integrate other AWS security services like AWS Inspector,Gaurdduty.

CIS AWS Foundation Benchmark are focused on :

  1. Implementation ready checklist,
  2. Focused on highest impact benefits,
  3. Technology specific (IIS, AWS, Linux),
  4. Community driven,updated constantly,
  5. Embrace Agile, DevOps,Cloud & Automation,
  6. Early component of a larger compliance program or project,
  7. Faster implementation and update cycle

Here i am listing some of the CIS best practices to implement those benchmarks on specific AWS security area:

  1. For an example CIS benchmark for AWS IAM asks you to take required decision while choosing in between IAM role and User level access.

cis-iam-standards

Here in this image CIS Benchmark focuses on IAM Role to get service access instead of creation of IAM User and generating their password or access/secret key. But here i can’t say that each organization should follow these Benchmarks as i have seen some time organizations avoid creation of such “Bastion instances” for security reason as it gives unrestricted access to environment once such system gets compromised so its more depends on IAM permission policy that you have to create for your organization then CIS benchmark can be easily followed.

Besides these AWS IAM or other roles, we have observed that many time developers put direct passwords string  in their configuration files and that should be avoided by using tools like “yaml” encrypt bash command or “convertfrom-securestring” Powershell or following other already provided mechanism by AWS S3 secure password storage for your micro services so that you can take out those secure information using proper decryption tools or functions in your app(Hashicorp Vault).

AWS IAM MFA is also one of the recommended benchmark metrics where as a security consultant you have to decide which services should be enabled with MFA as enabling it for all services will be cumbersome to use while working in such a big environment.

2. Enable logging and monitoring of service access for security incident and access reporting

cis-wiring-up-resources

We should enable cloud trail for our major services like AWS KMS, VPC,  RDS, EC2, IAM so that we can log resource access details so monitoring system like Cloud Watch can report it as incident or alarm us in case of abnormal access. We should have above setup implemented in our organization so that we can help our organization to track and take action against unauthorized access incidents and should be in position to immediately block access to such incident and indirectly it will help in mean time resolution or such security related problems.

AWS IAM policy design require some efforts so you need to design those policies in your planning phase and need to tune as per new requirements entertained by new setup although AWS itself provides >200 policies that you can choose but still we saw organizations requires more customized policies for their environment.

Intended Protections by CloudTrail:

  1. Complete audit ability of breaches,
  2. Raw data for real time alerts,
  3. Deterrent to “attacks form within”,
  4. Track API keys stored with 3rd parties

But there are some of the implementation challenges like

  1. Cost of CloudTrail event recording
  2. Cost of CloudWatch log ingestion
  3. Cost of S3 log storage

3. Security group and VPC logging

Each VPC has their separate security group, routes and network access control so we should write and tune those as per our organization requirement and VPC flow logging should be enabled as it can report access of each firewall rule at Hypervisor level and you can assume it as “esxcli firewall” settings for those who comes from VMware background but it will be having Xen based firewall rules that uses iptable to control access(Recently Amazon said that they are using non Xen based virtualization).

By default we can have 5 security group attached to a resource with maximum of 50 rules that comes around 250 rules but it can be modified by creating AWS request where still you can’t go above 250 per resource but 5 SG rules can be over ridden by having

SGs/Instance X Rules/SG     =      250 or Less

           5 X 50 =250 (Default)
6 X 41=246
7 X 35=245

Security group are created per VPC as well as specific to some of the services like RDS security group etc. so we can control VPC level as well as service specific access using given SG,

a. We should design IaaS, PaaS, SaaS specific security groups so that you can control access in better way and can separate infrastructure level traffic from web or application  traffic.

cis-infra-sg

b. There should be some temporary security group those can be dynamically attached or removed as per your requirement like troubleshooting scenario or temporary ping access to trace reach ability of services etc.

cis-sg-testing

c. Engineering least privilege security groups, We should not allow all rules in single SG as should created more customized SG rules with least service ports.

cis-least-privilege-security-group

AWS also provides AWS Inspector, AWS Trusted advisor and AWS WAF services to handle web and other application level attack management and over above CIS benchmark standards are also available.

There are many more standards across AWS services for containers, micro services, Lamda etc but we will talk about those in our other upcoming security blogs and in this blog our intention was to only talk about CIS standard benchmark so that as solution architect we can plan security implementation in advance while designing our cloud based infrastructure or writing our cloud based infrastructure as code.