AWS Security Audit and Best Practices
When you are running your entire or even a part of your IT infrastructure in AWS cloud, it is really important that you ensure, your workloads, applications, the infrastructure as a whole is secured enough to stand security threats.
But, everything comes with a price and this one has a real good price if you are planning for a complete security audit. How about if you could get the key security checks and take your cloud security a level up for not even a penny charged against it. Centilytics offers you to leverage its “Security Audit” feature where you have multiple AWS security checks and best practices examining your permissions, rules, policies, and more.
1. Security Groups – Specific Ports Unrestricted
You probably do not want malicious activities like data loss, data theft, hacking or denial of service to be occurring across your cloud infrastructure where your applications are running in a critical state. Centilytics provides you this check where the security groups are checked thoroughly for the rules that allow unrestricted access (0.0.0.0/0) to only certain ports. Ports that open doors for these security threats, holding the most elevated risk are highlighted with a red warning. Those with comparatively lower security risk are marked as yellow and the ports hailed green are the ideal ones used by applications that need unrestricted access like HTTP, SMTP, etc.
In the event that you have purposefully organized your security groups in this way, our recommendation to you is utilizing additional security checks & measures to ensure a secure cloud infrastructure, (for example, IP tables).
2. Security Groups – Unrestricted Access
Just like the ports, unrestricted access to a resource makes your cloud more prone to malicious attacks like data loss, data theft, hacking or denial of service. The security groups are checked thoroughly for the rules that allow unrestricted access to a resource.
3. IAM Use
The “IAM Use” check examines your utilization of Identity and Access Management (IAM) in AWS. IAM is a service which is utilized for creating users, groups, and roles in your AWS cloud. You can also make use of permissions to control access to AWS assets or resources.
4. Amazon S3 Bucket Permissions
Amazon Simple Storage Service (Amazon S3) buckets that have permissions to open access are checked for they might contain confidential and critical data that are open to the public. Permissions to buckets in Amazon S3 that concede List access to every user in the loop can bring about higher charges than expected if the objects in those buckets are utilized by unauthenticated, unwanted users at a high recurrence. Plus, the bucket permissions of Upload and Delete access to everyone increases potential vulnerabilities of security risks as it allows any & every user to upload, edit or delete objects in an S3 bucket. This check explicitly scrutinizes bucket permissions, without checking the related bucket policies for that may override the permissions.
5. MFA on Root Account
What does this check do?
Your AWS root account is examined thoroughly and if your multi-factor confirmation (MFA) is not enabled, you get a warning. As a part of advanced security, Centilytics gives you a recommendation on securing your account by enabling MFA in which a user is required to enter a unique authentication code from his/her MFA equipment or virtual gadget while collaborating with the AWS console and related sites.
6. IAM Password Policy
The policy for a password is checked for your account and a severity warning is given if a password policy is disabled, or even if the content requirements for password have not been defined or enabled. Checking password content requirements is important since strong user passwords ensure a strong overall security of your AWS infrastructure. Whenever a policy for the password is changed, the change is imposed promptly for new users, however, the existing users are not required to change their passwords.
7. Tagged-Untagged Resources:
The “Security Audit” feature of Centilytics checks resources in your AWS cloud against the configured settings by the user. The EC2 resources can be tagged or categorized with a tag(key, value) which is used for resource analysis and monitoring. This check helps to identify the association between your resources and user-configured tags. According to the severity level, this check gives you one of the following three statuses of your resources (tagged or untagged):
- Green: The user has not configured any tags in the settings but some resources are tagged.
The user has configured tags in the settings and all resources are tagged accordingly
- Yellow: The user has not configured any tags in the settings and no resources are tagged.
- Red: The user has configured some tags in the settings, but some resources do not have the configured tags.
8. Amazon RDS Security Group Access Risk
Amazon Relational Database Service (Amazon RDS) have security group configurations which are examined explicitly and a warning is released if a rule for security group grants or is probable to grant excessive access to your database. For any security group rule, it is recommended that access from only certain Amazon Elastic Compute Cloud (Amazon EC2) security groups or from a particular IP address should be granted.
9. AWS CloudTrail Logging
This security check examines for your AWS CloudTrail utilization. AWS CloudTrail gives an amplified visibility into all activities occurred in your AWS account by keeping record or logs of AWS API calls made on the account by a user. One can make use of these logs to identify which users have made what all actions on a specific resource during a particular time period. Since CloudTrail sends log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have bucket permissions written.
10. Amazon Route 53 MX and SPF Resource Record Sets
An SPF (sender policy framework) record distributes a rundown of servers that are authorized to send emails for your domain. The resource record set of an SPF is checked for every Amazon Route 53 MX resource record set since an SPF helps in minimizing spam activities by detecting and preventing spoofing of email addresses.
11. ELB Listener Security
This security check detects the listeners in load balancers that are not using secure configurations recommended for encrypted client-to-load balancer communication. It is highly recommended to configure the front-end connections (client to load balancer) with secure protocols (HTTPS or SSL), ciphers and up to date policies of security. Reason being, encrypted requests between your clients and the load balancer in use. Elastic Load Balancing provides a pre-defined set of security policies along with ciphers and protocols that stick to AWS security best practices.
12. ELB Security Groups
This one checks load balancers for misconfigured or missing security groups and also, for a security group with access to suspicious ports that would expose your data to malicious attacks. On the off chance that a security group attached with a load balancer is deleted, the load balancer will not function properly.
13. CloudFront Custom SSL Certificates in the IAM Certificate Store
Examines and notifies about the credibility of SSL Certificates for alternate domain names of CloudFront in the IAM certificate store. Alerts are sent for certificate expired, certificate about to expire, the outmoded encryption being used, or is misconfigured. The browser displaying your CloudFront content gives a warning message if the custom certificate for an alternate domain expires. Also, if a certificate has domain names that match neither Origin domain name nor Host header domain name of viewer requests, an HTTP status code 502 saying bad gateway is returned to the user via CloudFront.
14. CloudFront SSL Certificate on the Origin Server
Checks your origin server for the current status of SSL Certificates; whether they have got expired, about to expire, using obsolete encryption or they are missing. In case the certificate expires the CloudFront returns an HTTP status code 502 displaying, “Bad Gateway” in response to your content requests.
15. IAM Access Key Rotation
Centilytics’ Security Audit recommends that access keys should be rotated regularly or periodically (within the recommended period) in order to protect resources from unauthorized access. The most recently activated or created access key signifies the last rotated date and time.
16. Exposed Access Keys
An exposed access key can breach the security of your account, thereby causing a violation of AWS Customer Agreement and worse, incurring high unexpected charges due to illegal activities. This security check scrutinizes for the exposed access keys in popular code repositories and checks if the usage of Amazon EC2 (Elastic Compute Cloud) is lop-sided for it could result in a compromised access key. AWS can partially protect your account from unauthorized access by preventing the ability to create some vulnerable resources.
17. Amazon EBS Public Snapshots
The permission settings of your Amazon EBS (Elastic Block Store) are thoroughly checked and notified if any snapshots of your EBS volume are open to the public. One can customize the permission settings and share snapshots only with a desired group of users, a specific user or accounts by marking it as private.
18. Amazon RDS Public Snapshots
Similarly, the permission settings of your Amazon Relational Database Service (Amazon RDS) DB snapshots are examined and alerts are sent to you if any snapshots are open to the public. You can customize the permission settings of your RDS snapshots and share those snapshots only with a desired group of users, a specific user or accounts by marking it as private.
However, as the vulnerabilities continue to take their worst forms, Centilytics is coming up with more advanced features to put your Cloud security at par.