Cloud Infrastructure Security Report. Prepared for Acme Corp

Transcription

1 Cloud Infrastructure Security Report Prepared for Acme Corp From: Jul 24, 2016 at 09:08 PDT To: Jul 24, 2017 at 09:08 PDT Cloud Account(s): Dev Account, Staging Account, Production Account

2 Table of Contents Executive Summary Network Security Risks IAM Risks

3 Executive Summary Resources Monitored 814 Open Alerts 49 Accounts Monitored 3 Alerts By Status Open Alerts By Violation Type 460 Alerts 79 Alerts Resolved Open Con g Network Anomaly Resources By Risk Rating Open Alerts By Severity A B C F 600 Resource(s) Alerts 0 Sep '16 Jan '17 May '17 Date Medium Low High

4 Executive Summary Policy Compliance Summary Severity: High Medium Low Name Compliance Standard Resource(s) Passed Resource(s) Failed RDS instances are not encrypted PCI DSS v3.2, CIS Account Hijacking attempts N/A Default Security Group does not restrict all tra c CIS Security groups allow internet tra c PCI DSS v3.2, CIS Security Groups allow internet tra c to SSH port (22) CIS S3 buckets are accessible to public PCI DSS v Internet exposed instances Network N/A 6 Excessive login failures N/A SSH from internet to non-elb & non-nat resources Network N/A 3 Publicly accessible AMIs N/A 2 2 EBS snapshots are accessible to public N/A 4 1 CloudTrail logs are not encrypted using Customer Master Keys (CMKs) CIS 3 1 Access logging not enabled on S3 buckets PCI DSS v MFA not enabled for IAM users PCI DSS v3.2, CIS 8 28 Access keys are not rotated for 90 days N/A VPC Flow Logs not enabled CIS Customer Master Key (CMK) rotation is not enabled PCI DSS v3.2, CIS 1 9 IAM password policy does not have a minimum of 14 characters PCI DSS v3.2, CIS 3 1 IAM password policy does not have a uppercase character PCI DSS v3.2, CIS 3 1 IAM password policy allows password reuse PCI DSS v3.2, CIS 3 1

5 IAM password policy does not have password expiration period PCI DSS v3.2, CIS 3 1 IAM password policy does not exist PCI DSS v3.2, CIS 3 1 IAM password policy does not have a lowercase character PCI DSS v3.2, CIS 3 1 IAM password policy does not expire in 90 days CIS 3 1 Inactive users for more than 30 days PCI DSS v3.2, CIS 9 34 Security Groups not in use N/A Accessing logging not enabled on all cloud trail buckets CIS 1 18 IAM policies are not attached to groups only CIS 12 1

6 RedLock platform ingests con guration data from various cloud services to identify potential compliance risks for customers. This data is scanned by RedLock s advanced policy engine to identify compliance violations based on CIS (Center for Internet Security), PCI DSS (Payment Card Industry Data Security Standard), and other industry best practices. Publicly accessible AMIs Resource Type: VM Image 2 Resource(s) Passed: 2 Compliance: N/A Last Seen: Jun 27, 2017 at 01:12 PDT Checks to ensure that AMIs are not accessible to public. Amazon Machine Image (AMI) provides information to launch an instance in the cloud. The AMIs may contain proprietary customer information and should be accessible only to authorized internal users public-image-test, public-image-test 1. Login to the AWS Console and navigate to 'EC2' service. 2. Navigate to the AMI that was reported in the alert. 3. Click on 'Modify Image Permission' and make sure 'public' is deselected to make sure the image is not available to public.

7 Default Security Group does not restrict all tra c Resource Type: Security Group 12 Resource(s) Passed: 16 Compliance: CIS Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that the default security group restricts all inbound and outbound tra c. A VPC comes with a default security group whose initial con guration deny all inbound tra c from internet and allow all outbound tra c. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound tra c default 1. Login to the AWS Console and navigate to the 'VPC' service. 2. For each region, select the 'Security Groups' and then click on the 'default' security group. 3. Delete the 'Inbound Rules' and 'Outbound Rules' which will restrict all tra c to the default security group.

8 Security groups allow internet tra c Resource Type: Security Group 12 Resource(s) Passed: 58 Compliance: PCI DSS v3.2, CIS Last Seen: Jul 11, 2017 at 20:41 PDT Checks to ensure that Security Groups do not allow all tra c from internet. A Security Group acts as a virtual rewall that controls the tra c for one or more instances. Security groups should have restrictive ACLs to only allow incoming tra c from speci c IPs to speci c ports where the application is listening for connections. default If the Security Groups reported indeed need to restrict all tra c, follow the instructions below: 1. Login to the AWS console and navigate to the 'VPC' service. 2. Click on the 'Security Group' speci c to the alert. 3. Click on 'Inbound Rules' and remove the row with the ip value as /0. 4. Click on the 'Outbound Rules' and remove the row which has the ip value as /0.

9 CloudTrail logs are not encrypted using Customer Master Keys (CMKs) Resource Type: CloudTrail Setting 1 Resource(s) Passed: N/A Compliance: CIS Last Seen: Jul 11, 2017 at 20:41 PDT Checks to ensure that CloudTrail logs are encrypted. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data since it may contain sensitive information. trail-1 1. Login to AWS Console and navigate to the 'CloudTrail' service. 2. For each trail, under Con guration > Storage Location, select 'Yes' to 'Encrypt log les' setting and then choose and existing KMS key or create a new one to encrypt the logs with.

10 Security Groups allow internet tra c to SSH port (22) Resource Type: Security Group 12 Resource(s) Passed: 50 Compliance: CIS Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that Security Groups do not allow inbound tra c on SSH port (22) from public internet. Doing so, may allow a bad actor to brute force their way into the system and potentially get access to the entire network Qualys Virtual Scanner Appliance -Pre-Authorized Scanning- HVM PA-AutogenByAWSMP-, launch-wizard-1, build-server-sg, Bastion stage, splunk, W Sec Group, ssh-from-world, SSH from internet, launch-wizard-1, incoming-from-dev_vpc-and-ssh-fromeverywhere...and 2 More If the Security Groups reported indeed need to restrict all tra c, follow the instructions below: 1. Login to the AWS Console and navigate to the 'VPC' service. 2. Select the 'Security Group' reported in the alert. Click on the 'Inbound Rule'. 3. Remove the row which has port value as 22 and ip value as /0 or any row without any port value but ip value as /0.

11 RDS instances are not encrypted Resource Type: Managed Database 69 Resource(s) Passed: 15 Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that RDS instances are encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to setup and manage databases. Amazon allows customers to turn on encryption for RDS which is recommended for compliance and security reasons res , res , res , res , res , gaurav-7, res , gauravtest-rr, res , res and 59 More You can only enable encryption for an Amazon RDS instance when you create it, not after the DB instance is created. If you want enable encryption for RDS instance, follow the instructions below for further details.

12 EBS snapshots are accessible to public Resource Type: Snapshot Settings 1 Resource(s) Passed: 4 Compliance: N/A Last Seen: Jul 20, 2017 at 10:31 PDT Checks to ensure that EBS snapshots are not accessible to public. Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. If EBS snapshots are inadvertently shared to public, any unauthorized user with AWS console access can gain access to the snapshots and gain access to sensitive data snap-012ce8630ade1662f 1. Login to the 'AWS Console' and access the 'EC2' service. 2. Under the 'Elastic Block Storage', click on the 'Snapshots'. 3. For the speci c Snapshots, change the value of eld 'Property' to 'Private'. 4. Under the section 'Encryption Details', set the value of 'Encryption Enabled' to 'Yes'.

13 S3 buckets are accessible to public Resource Type: Bucket ACL 9 Resource(s) Passed: 50 Compliance: PCI DSS v3.2 Last Seen: Jul 21, 2017 at 16:17 PDT Checks for publicly accessible S3 buckets. Amazon S3 allows customer to store and retrieve any type of content from anywhere in the web. Often, customers have legitimate reasons to expose the S3 bucket to public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which if left open to public may result in sensitive data leaks redlock-brb, staging les-redlock, redlock-2.io, redlockstage, staging les-dev, cf-templates-6dxf8zsnr80o-us-east-1, redlockdev, cf-templates-6dxf8zsnr80o-us-west-1 1. Login to the AWS Console and navigate to the 'S3' service. 2. Click on the 'S3' resource reported in the alert. 3. Click on the 'Permissions'. 4. Under 'Manage Public Permissions', make sure 'Everyone' is deselected.

14 IAM password policy does not have password expiration period Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM password policy has an expiration period. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', check 'Enable password expiration' and enter a password expiration period.

15 IAM password policy does not have a lowercase character Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', check 'Require at least one lowercase letter '.

16 Customer Master Key (CMK) rotation is not enabled Resource Type: Managed Key Rotation Status 9 Resource(s) Passed: 1 Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys 0636ffa0-e046-46f be3dafce925, b31e435c-da23-4ec3-a5ba-f6df798937cb, 59ac8c16-a5dc-4ac bc913dc74fa4, edd a6e1-e7e4a7c17efc, 9852bd97-427f-46ab-b1ec-689e044b131d, 031ab3c5-e27b-494e-98e9-3db5d476b233, f5d2d2bb-f24b- 46e1-a0a1-f398d84b9a77, 2b2ce210-c3dd-4053-b9f7-d41e16a522c1, c95dd657-a5f a a690a10b 1. Identify the resource (key) related to this policy. 2. In the IAM Service > Encryption Keys, select the speci c key. 3. Under the 'Key Policy, ensure that 'Rotate this key every year' is enabled.

17 IAM password policy allows password reuse Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM policy does not allow password reuse. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', check 'Prevent password reuse'.

18 VPC Flow Logs not enabled Resource Type: Virtual Network 12 Resource(s) Passed: 11 Compliance: CIS Last Seen: Jul 11, 2017 at 20:41 PDT Checks for VPCs without ow logs turned on. VPC Flow logs capture information about IP tra c going to and from network interfaces in your VPC. Flow logs are used as a security tool to monitor the tra c that is reaching your instances. Without the ow logs turned on, it is not possible to get any visibility into network tra c vpc-ae912ecb, vpc-81d91ae8, vpc-1060d979, vpc-f713fd9e, vpc-a601eacf, vpc-ef56278a, vpc-c9a82fac, david-vpc, vpc-f8feb49d, vpce4b5578d...and 2 More 1. Login to the AWS and navigate to the 'VPC' service. 2. Navigate to the VPC that was reported in the alert. 3. Click on the 'Flow logs' tab and follow the instructions below to enable Flow Logs for the VPC. ow-logs-log-and-view-network-tra c- ows/

19 IAM password policy does not exist Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM password policy is in place for the cloud accounts. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to AWS Console and navigate to the 'IAM' Service. 2. Click on 'Account Settings', make sure that one or more options under 'Password policy' are selected.

20 IAM password policy does not expire in 90 days Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM policy has password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', check 'Enable password expiration' and set the value to '90 days'.

21 MFA not enabled for IAM users Resource Type: IAM Credentials Report 28 Resource(s) Passed: 8 Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that MFA is enabled for all IAM users redlock-prod-ses-smtp-user , tools, stage-s3-user, demo-s3-user, redlock_assumerole, , , , , and 18 More 1. Login to the AWS and navigate to the 'IAM' service. 2. Navigate to the user that was reported in the alert. 3. Under 'Security Credentials', check "Assigned MFA Device" and follow the instructions to enable MFA for the user.

22 IAM password policy does not have a minimum of 14 characters Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM password policy requires minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', enter 14 or more in the 'Minimum password length' eld.

23 IAM password policy does not have a uppercase character Resource Type: Password Policy 1 Resource(s) Passed: N/A Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place Login to the AWS console and navigate to the 'IAM' service. 2. Click on 'Account Settings', check 'Require at least one uppercase letter '.

24 Access keys are not rotated for 90 days Resource Type: IAM Credentials Report 21 Resource(s) Passed: 21 Compliance: N/A Last Seen: Jul 12, 2017 at 12:44 PDT Checks to ensure that access keys are rotated every 90 days. Access keys are used to sign API requests to AWS. As a security best practice, it is recommended that all access keys are regularly rotated to make sure that in the event of key compromise, unauthorized users are not able to gain access to your AWS services Login to the AWS console and navigate to the 'IAM' service. 2. Click on the user that was reported in the alert. 3. Click on 'Security Credentials' and for each 'Access Key'. 4. Follow the instructions below to rotate the Access Keys that are older than 90 days.

25 Access logging not enabled on S3 buckets Resource Type: Bucket Logging Con g 53 Resource(s) Passed: 10 Compliance: PCI DSS v3.2 Last Seen: Jul 21, 2017 at 16:18 PDT Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement redlock-dev-ingestion, redlock-brb, redlock-demo-ingestion, redlock-stage-util, redlock-dev-util, redlock-demo-util, redlock-redshift-logs, redlock-s3-logs, redlock-cloud-trail, redlock-dev-web.redlock.io...and 43 More 1. Login to the AWS Console and navigate to the 'S3' service. 2. Click on the the S3 bucket that was reported and click on the 'Properties' tab. 3. Under the 'Logging' section, select 'Enable Logging' option.

26 Inactive users for more than 30 days Resource Type: IAM Credentials Report 34 Resource(s) Passed: 9 Compliance: PCI DSS v3.2, CIS Last Seen: Jul 21, 2017 at 16:17 PDT Checks to ensure that users have not been inactive for more than 30 days. Inactive user accounts are an easy target for attacker because any activity on the account will largely get unnoticed Make sure that the user has legitimate reason to be inactive for such an extended period. 2. Delete the user account, if the user no longer needs access to the console or no longer exists.

27 Accessing logging not enabled on all cloud trail buckets Resource Type: Bucket ACL 18 Resource(s) Passed: 1 Compliance: CIS First Seen: Jul 11, 2017 at 13:30 PDT Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure that access logging is enabled on the CloudTrail S3 bucket. S3 Bucket access logging generates access records for each request made to your S3 bucket. An access log record contains information such as the request type, the resources speci ed in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. redlock-stage-archive, redlock-redshift-logs, redlock-demo-ingestion, redlock-dev-archive, redlock-demo-static, redlock-devweb.redlock.io, redlock.io, redlock-stage-static, redlock.com, redlock-cloud-trail...and 8 More 1. Login to the AWS Console and navigate to the 'S3' service. 2. Click on the the S3 bucket that was reported click on the 'Properties' tab. 3. Under the 'Logging' section, select 'Enable Logging' option.

28 IAM policies are not attached to groups only Resource Type: IAM User Managed Policies 1 Resource(s) Passed: 12 Compliance: CIS Last Seen: May 31, 2017 at 13:05 PDT By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users list-attached-user-policies 1. Login to the AWS Console and navigate to the 'IAM' service. 2. Identify the users that was speci cally assigned the IAM policy. 3. If a group with similar policy already exists, put the user in that group. If such a group does not exist, create a new group with relevant policy and assign user to the group.

29 Security Groups not in use Resource Type: Security Group 27 Resource(s) Passed: 98 Compliance: N/A Last Seen: Jul 21, 2017 at 16:18 PDT Checks to ensure if security groups are used by one or more cloud workloads. Security groups act as a virtual rewall to control network tra c for your instances. It is AWS security best practice to make sure that security groups are assigned to one or more instances and are not left unused. Unused security groups with weak ACL may get inadvertently attached to a cloud workload compromising its security. Production NAT Instance, Inspector Test, splunk, incoming_ssh_from_world, Public To Private Web, ankur-demo, Private ELB, loadbalancer-incoming-443, Cache private stage, ssh-from-world...and 17 More 1. Login to the AWS Console and navigate to the 'VPC' service. 2. Navigate to the 'Security Groups' reported in the alerts. 3. If the Security Groups are indeed not in use, delete them. 4. As a security best practice, make sure that only production approved security groups are getting used while creating new workloads.

30 Network Security Risks RedLock continuously monitors north-south and east-west network tra security risks to sensitive workloads. c using ow logs and third-party threat intelligence feeds to identify SSH from internet to non-elb & non-nat resources Resource Type: Other 3 Resource(s) Passed: N/A Compliance: Network Last Seen: Jun 02, 2017 at 09:56 PDT Identify all resources (non-elb & non-nat) in the AWS account which have had SSH connection from internet. Bastion Dev, Bastion Prod backup, Bastion Prod primary, Dev Database

31 Network Security Risks Internet exposed instances Resource Type: Other 6 Resource(s) Passed: N/A Compliance: Network First Seen: Jun 02, 2017 at 13:32 PDT Last Seen: Jul 21, 2017 at 14:41 PDT Detects any network tra c to sensitive cloud workloads from public internet and suspicious locations. Cloud workloads should have appropriate Security Groups and ACLs in place so that only external facing workloads such as load balancers, web servers, bastion hosts are exposed to the internet. If the cloud workloads are exposed to internet, they may become vulnerable to external threats. Bastion Prod primary, Bastion Prod backup, InspectorEC2InstanceLinux, Bastion Dev, Bastion Prod backup, Bastion Prod primary, Dev Database 1. Login to the AWS Console and search for the resource reported in the alert. 2. Check to see if the security group for the resource indeed allows connections from internet. 3. Assign another security group to the resource that has more restrictive ACL which does not permit connection from internet.

32 IAM Risks RedLock platform continuously monitors user and resource activities to detect suspicious behavior such as account hijacking, brute force login attempts, and unusual access to cloud services. It does so by ingesting IAM logs from cloud environments, and applies advanced machine learning algorithms to detect suspicious user behavior. Account Hijacking attempts Resource Type: Other 16 Resource(s) Passed: N/A Compliance: N/A Last Seen: Jul 11, 2017 at 20:57 PDT Detects potential account hijacking attempts by identifying unusual login activities. This can happen if there are concurrent login attempts made in short duration from two different geo-locations or from a previously not known browser, OS or location John, Kate, Leo 1. Make sure that the account credentials were not reused from different locations. 2. Occasionally, impossible time travel anomalies are incorrectly identi ed if the login attempts were made over VPN. Please provide VPN addresses to the RedLock admin if that happens to be the case. 3. If this is indeed an account hijacking attempt, disable the user account temporarily or ask the user to change the password.

33 IAM Risks Insider Threat Resource Type: Other 4 Resource(s) Passed: N/A Compliance: N/A Last Seen: Jul 11, 2017 at 08:42 PDT Detects suspicious user activity by profiling individual user activities and detecting patterns that have not been seen before. David, Alexia, Carlos, Sandra 1. Make sure that the enterprise user indeed has performed suspicious activity in your cloud environment 2. Deactivate user account or remove permissions from the user account