I wanted to jot down some of my thoughts on creating an enterprise security account for managing AWS. I had one of these created at work and it’s proven invaluable in managing our rapidly expanding cloud footprint.
What is a dedicated security account? For us it serves several purposes:
It allows us to assume a least-privilege audit role into all of our other AWS accounts It serves as a log destination for our CloudTrail events.
Public Cloud introduced a new concept that not everyone fully grasps. In the on-prem days of old, you had a room & you had connections going into said room. Hopefully those connections had a firewall. Then there were lots of things in that room that authorized users needed to access to accomplish whatever goal your business has, and a bunch of other things in that room that the techies needed to access in order to keep those first things running and secure.
I’m spending more time thinking about Cloud Security in Google and Azure and trying to grok the differences between those platforms and AWS. One of the critical components for understanding your enterprise security stance is what is the source of authority for creating & managing resources in the cloud. As I was thinking about this, I realized that the three main players have very different models. Each model reflects on that companies pre-cloud origins.
Security best practices typically call for some form of multi-factor authentication when accessing sensitive information system, or when accessing systems with elevated privileges (admin level). In most cases, accessing a public cloud provider via WebConsole or API is accessing the system for administrative purposes and requires an extra level of protection than a simple password.
AWS Provides the ability to use MFA on it’s systems, but the ability to enforce that across all facets of the AWS API is not a trivial task.
For a project at work, I needed to highlight users who have access to IAM Actions that are considered “privileged”. There not being a good record of those, I decided to create one.
AWS Interesting API Calls is a yaml file in github that contains a list of high risk calls and some data about them. I’ve also written a python module that can parse the file in various ways.
AWS S3 Bucket security has been in the news a lot recently. Almost 200 million records on US Voters were found on an unsecured S3 bucket owned by a GOP data analytics firm. A third-party vendor to Verizon left 14 million customer records (including SSN partials) publicly readable. Then Dow Jones exposed 2 to 4 million customer records.
AWS has responded to this spate of bad press with a several changes to the AWS Console, and most recently took the extra-ordinary step of emailing account owners informing of any publicly readable buckets.
AWS provides the ability to set a password policy on an account that will require a user to change their password after a certain period of time. However there is no method by which you can notify a user it is about to expire, nor is there anything that would expire an access key that hasn’t been rotated.
I wanted something that would implement policy that would deny any usage if the password was past-due (even if they hadn’t logged in for awhile) and would de-activate a key if it was older than the date set in the password policy.
When creating a new AWS Account, I typically do the following:
Create the CloudTrail Create a Deploy Bucket Create Generic Alert topics for the account and subscribe my email and cell Create a stack to send certain cloudwatch events to a slack channel Configure requireMFA Configure Password & API Key Expiration Warning All of these are done via automation of course
Note: The deploy stack script has been superceeded with cft-deploy, which you can get from pypi via pip install cftdeploy. deploy_stack.rb is not being updated.
Deploying Cloudformation templates via the CLI is a complex process that lack repeatability. Typing out long command lines, and then having to execute other commands either before or after the stack runs results in lots of custom scripting. Rather than go down that route, I created a tool that takes a yaml manifest file that allows you to specify all the details around your stack deployment in one data-driven place.
When I’m creating a new AWS account, I find it helpful to have a generic set of SNS topics that ping me and my team if something goes wrong.
The following CloudFormation template can be used for that purpose. It requires a few parameters and includes an optional Lambda that will send the alerts to a Slack Channel.
Three Topics are created for critical, error and info-level alerts. Critical alerts will send me a text and email, while error only sends an email.
