My Cloud Security Posture Management (CSPM) project in NT534 - Advanced security network subject at UIT. The final presentation: here.
CSPM tools identify, remediate risks by:
- visibility
- uninterrupted monitoring
- threat detection
- remediation workflows
How? By searching for misconfigs in cloud environments/infrastructure (IaaS, PaaS, SaaS)
Deploy features of AWS Security Hub related to CSPM, aimining to enhance security in AWS and AWS only by security check for misconfig in AWS resources and remediations for findings. Focused standards: CIS AWS Foundation Benchmark v1.2.0, PCI DSS v3.2.1, NIST 800-53 R5.
- AWS Config rule: an ideal config setting
- Scurity control: a representation of a rule -> in one or more security standards
- Finding: a potential security issue generated after security check
- Playbook: a set of remediation
Severity: High
AWS Config rule: restricted-ssh
Parameters: None
This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 or ::/0 to port 22. The control fails if the security group allows ingress from 0.0.0.0/0 or ::/0 to port 22. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. We recommend that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
Remediation: To prohibit ingress to port 22, remove the rule that allows such access for each security group associated with a VPC.
For PCI DSS v3.2.1
In this part, I use the "malware scan for EC2" feature of GuardDuty to scan an EC2 instance after setup many virus in that EC2 instance. Then observer the GuardDuty report and AWS Security Hub relative report.
The detailed in securittyHub_detectVirus.json, which list the detail of many detected virus.
Refer to: https://github.com/aws-solutions/automated-security-response-on-aws
- Remediation runbook: An implementation of a set of steps that resolves a finding.
- Control runbook: SSM automation documents that Orchestrator uses to route an initiated remediation for a specific control to the correct remediation runbook.
- Playbook: a set of remediation
There are 5 demos in this project. However, for shortly, only the first demo has the description about runbooks. All demos listed in: https://www.youtube.com/playlist?list=PL7IdJecfX87jHfO43NYd6MXL8mBYWBAIf
Input: Member creates a security group that opens port 22 for all IPv4 => violate control EC2.13
Acion: Monitor & remediate
Output:
- Findings generated in admin-member AWS Security Hub
- Remediation status notification to mail
- Successfull automated remediation
What does this document do?
Removes public access to remove server administrative ports from an EC2 Security Group.
Input parameters
- Finding: Security Hub finding details JSON
- AutomationAssumeRole: ARN of the role allows automation to perform on your behalf.
Output parameters
Remediation.Output: Output of AWS-DisablePublicAccessForSecurityGroup rubook.
Run a python script and eventually extract:
Receive the GroupID and the AssumeRole ARN as inputs, then execute a remediation runbook name "AWS-DisablePublicAccessForSecurityGroup"
Receive Security Group ID and IP permissions as inputs
Then call the EC2 API RevokeSecurityGroupIngress:
Input: Member configs weak IAM password policies => Fail control IAM.14
Input: Admin has a RDS DB instance in only one Availablity Zone. => Fail control RDS.5
Input: Member has an unencrypted EBS volume. => Fail control EC2.7
Input: Member has a S3 bucket with public acces. => Fail control S3.1