AWS Compliance Machine Don't Stop!

Proof of Value Terraform Scripts that utilize Amazon Web Services (AWS) Security, Identity & Compliance Services to support your AWS Account Security Posture.

These Terraform Scripts are made with the Preview of AWS Security Hub in mind. Security Hub collects information from GuardDuty, Macie and Inspector as well as AWS Config. Security Hub (the Preview at least) comes with Center for Internet Security (CIS) Config Rules that follow best security practices for account-wide security posture. The Services that are turned on, as well as the inline CloudFormation Stack, are all made to support these CIS Rules from Security Hub, and also go a good way towards general security hardening for your account. Visualization & Alerting support have also been added (please refer to the ReadMe & Changelog) via Kinesis and Glue to perform crawling & ETL of logs from AWS WAF. The Services that are used are listed later in the Readme. This is also a work in progress, and other features may be added, such as Amazon Macie and Custom Lambda Functions / CloudWatch Events, to further support Security Posture on AWS.

Getting Started

Baseline Knowledge Required

AWS Services Used

Prerequisites:

The steps below are done on a fresh install of Ubuntu 18.04 LTS. Refer to https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html for information on how to install the SSM Agent on Non-Amazon Linux / Ubuntu distros.

  1. Update Your System: sudo apt update && sudo apt upgrade -y
  2. Download the Latest Version of the Inspector Agent (https://docs.aws.amazon.com/inspector/latest/userguide/inspector_installing-uninstalling-agents.html): wget https://inspector-agent.amazonaws.com/linux/latest/install
  3. Install the Inspector Agent: sudo bash install
  4. Install Unzip: sudo apt-get install unzip
  5. Grab the Latest Version of Terraform (https://www.terraform.io/downloads.html): wget https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip
  6. Unzip the Terraform Installation: unzip terraform_0.11.13_linux_amd64.zip
  7. Move it to /usr/local/bin (or add Terraform to your PATH): sudo mv terraform /usr/local/bin/
  8. Ensure that Terraform is Installed Correctly: terraform --version
  9. To use Systems Manager with your EC2 Instances, ensure your EC2 Instances have an Instance Profile attached that allows full access to SSM (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html)
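The prerequisite steps above as one script, added here as an example and not part of the AWS-ComplianceMachineDontStop repository. It goes one step beyond the README: the Terraform zip is checked against HashiCorp's published SHA256SUMS file for the same release before it is unzipped and moved into place, and the installed version is compared with the pinned one. The SHA256SUMS URL follows the same release directory as the zip; everything else is taken from the steps above.

```shell
#!/bin/sh
# Added example: scripted version of the Prerequisites for Ubuntu 18.04 LTS,
# with download verification added. Not part of the project's own code.
set -eu

TF_VERSION="0.11.13"                                   # version pinned in the README
TF_BASE="https://releases.hashicorp.com/terraform/${TF_VERSION}"
TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
TF_SUMS="terraform_${TF_VERSION}_SHA256SUMS"           # HashiCorp's digest list for this release
INSPECTOR_URL="https://inspector-agent.amazonaws.com/linux/latest/install"

# Return 0 if FILE's SHA-256 equals EXPECTED (lowercase hex), 1 otherwise.
sha256_matches() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Print the digest listed for ZIP_NAME in a SHA256SUMS file ("<hex>  <name>" per line).
expected_sum_for() {
  sums_file="$1"; zip_name="$2"
  awk -v f="$zip_name" '$2 == f {print $1}' "$sums_file"
}

# Return 0 if a `terraform --version` line reports the pinned version.
terraform_version_ok() {
  version_line="$1"   # e.g. "Terraform v0.11.13"
  case "$version_line" in
    "Terraform v${TF_VERSION}"*) return 0 ;;
    *) return 1 ;;
  esac
}

install_prereqs() {
  sudo apt update && sudo apt upgrade -y              # step 1
  sudo apt-get install -y unzip                       # step 4
  wget -q "$INSPECTOR_URL" -O install                 # step 2
  sudo bash install                                   # step 3
  wget -q "${TF_BASE}/${TF_ZIP}"                      # step 5
  wget -q "${TF_BASE}/${TF_SUMS}"
  expected=$(expected_sum_for "$TF_SUMS" "$TF_ZIP")
  if [ -z "$expected" ] || ! sha256_matches "$TF_ZIP" "$expected"; then
    echo "checksum mismatch for ${TF_ZIP}, refusing to install" >&2
    exit 1
  fi
  unzip -o "$TF_ZIP"                                  # step 6
  sudo mv terraform /usr/local/bin/                   # step 7
  if ! terraform_version_ok "$(terraform --version | head -n 1)"; then   # step 8
    echo "unexpected terraform version on PATH" >&2
    exit 1
  fi
}

# Only touch the system when explicitly asked, so the helper functions can be
# sourced or tested on their own.
if [ "${1:-}" = "install" ]; then
  install_prereqs
fi
```

Run it with `sh install_prereqs.sh install`. Step 9 (the SSM instance profile) is an IAM change on the instance, not something the script can do from inside the box, so it stays manual.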

Installing & Configuration

  1. Create & Navigate to a New Directory: mkdir aws-cmds && cd aws-cmds
  2. Clone this Repo: git clone https://github.com/jonrau1/AWS-ComplianceMachineDontStop.git
  3. Add your Region to the provider.tf, and ensure your EC2 Instance has an Instance Profile that allows permissions to deploy all CMDS Resources: nano provider.tf
  4. Fill out the variables.tf file: nano variables.tf
  5. Ensure the proper elements for your Region from variables.tf are referenced in data.tf: nano data.tf
  6. (Only if Using WAF) Navigate to the WAF Sub-Directory (the name contains a space, so quote it): cd "AWS WAF"
  7. (Only if Using WAF) Repeat steps 3-5 & modify Rules & IPs based on recommendations from https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf: nano waf.tf
  8. (Only if using the VPC Module) Fill out the Variables, making sure to specify the Region, as it is used by the VPC Endpoints (PrivateLink): cd "VPC Module" && nano variables.tf
  9. (Only if using the ElasticSearch Service Module) Fill out the Variables: cd "ElasticSearch Service" && nano variables.tf
    • WARNING: ES may take over an hour to deploy depending on how you modify the deployment

!! Notes on Variables.tf !!

Deploying

  1. Initialize your AWS Provider: terraform init
  2. Create a Plan: terraform plan
  3. Apply the Plan: terraform apply
  4. Confirm the Deployment when prompted: yes
  5. Navigate to the AWS Config Console & Finish Setup
    • Ensure you use your Created Role & Not the Service Linked Role
    • Navigate to Settings and then click Save for additional resources to be added into the IAM Role Policy
  6. Attach the Remediation SNS Topic to your Inspector Assessment Target Group (Terraform does not yet support this)
    • Navigate to Inspector > Assessment Templates > <Your Assessment Template> > Manage SNS Topics > Select Your Remediation SNS Topic
    • Remove All Events except for Findings Reported & Save
  7. Navigate to the AWS Glue Console and Edit your Crawlers: go into the Output section > Configuration Options and check the box that says "Update all new and existing partitions with metadata from the table"
  8. Ensure your CIS Compliance SNS Topic has a Subscriber that is confirmed (Email, SMS, etc.) so that the CIS Compliance checks for Metrics & Alarms pass
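A wrapper for the Deploying steps above, added as an example and not part of the AWS-ComplianceMachineDontStop repository. It differs from the bare `terraform plan` / `terraform apply` in two practitioner habits: the plan is written to a file with `-detailed-exitcode` so nothing is applied when there are no changes or the plan failed, and `terraform apply` is given that saved plan so exactly what was reviewed is what gets applied. The post-deploy function scripts steps 6 to 8 with the AWS CLI instead of the console; the Glue configuration JSON is my assumed equivalent of the "Update all new and existing partitions" checkbox, and every ARN, crawler name and e-mail address is a placeholder you must replace. Step 5 (finishing AWS Config setup with your created role) remains a console step.

```shell
#!/bin/sh
# Added example: wrapper for the Deploying steps. Not the project's own code.
# All ARNs, names and the e-mail below are PLACEHOLDERS to be replaced.
set -eu

PLAN_FILE="cmds.tfplan"
CIS_TOPIC_ARN="arn:aws:sns:REGION:ACCOUNT_ID:PLACEHOLDER-cis-compliance-topic"          # placeholder
REMEDIATION_TOPIC_ARN="arn:aws:sns:REGION:ACCOUNT_ID:PLACEHOLDER-remediation-topic"     # placeholder
INSPECTOR_TEMPLATE_ARN="arn:aws:inspector:REGION:ACCOUNT_ID:target/0-PLACEHOLDER/template/0-PLACEHOLDER"  # placeholder
GLUE_CRAWLER_NAME="PLACEHOLDER-waf-log-crawler"   # placeholder
ALERT_EMAIL="security-alerts@example.com"         # placeholder

# Translate `terraform plan -detailed-exitcode` results into a word to act on:
# 0 = no changes, 2 = changes pending, anything else = plan error.
plan_exit_meaning() {
  case "$1" in
    0) echo "no-changes" ;;
    2) echo "changes" ;;
    *) echo "error" ;;
  esac
}

# Cheap guard that a value at least has the shape of an SNS topic ARN, so an
# unfilled placeholder or a pasted SQS/other ARN is caught before any CLI call.
is_sns_topic_arn() {
  case "$1" in
    arn:aws:sns:*:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Glue crawler configuration assumed to match the console option
# "Update all new and existing partitions with metadata from the table".
crawler_partition_config() {
  printf '%s' '{"Version":1.0,"CrawlerOutput":{"Partitions":{"AddOrUpdateBehavior":"InheritFromTable"}}}'
}

deploy() {
  terraform init                                               # step 1
  rc=0
  terraform plan -detailed-exitcode -out="$PLAN_FILE" || rc=$? # step 2, plan saved for review
  case "$(plan_exit_meaning "$rc")" in
    no-changes) echo "nothing to apply"; return 0 ;;
    error)      echo "plan failed (exit $rc)" >&2; return 1 ;;
  esac
  terraform apply "$PLAN_FILE"                                 # steps 3-4: apply the reviewed plan, no prompt
}

post_deploy() {
  # Step 6: send only "Findings Reported" events from the template to the remediation topic.
  is_sns_topic_arn "$REMEDIATION_TOPIC_ARN" || { echo "remediation topic ARN is not an SNS ARN" >&2; return 1; }
  aws inspector subscribe-to-event --resource-arn "$INSPECTOR_TEMPLATE_ARN" \
    --event FINDING_REPORTED --topic-arn "$REMEDIATION_TOPIC_ARN"
  # Step 7: crawler partition behaviour.
  aws glue update-crawler --name "$GLUE_CRAWLER_NAME" --configuration "$(crawler_partition_config)"
  # Step 8: give the CIS compliance topic a subscriber; confirm the e-mail it sends afterwards.
  is_sns_topic_arn "$CIS_TOPIC_ARN" || { echo "CIS topic ARN is not an SNS ARN" >&2; return 1; }
  aws sns subscribe --topic-arn "$CIS_TOPIC_ARN" --protocol email --notification-endpoint "$ALERT_EMAIL"
}

case "${1:-}" in
  deploy)      deploy ;;
  post-deploy) post_deploy ;;
esac
```

Run `sh deploy.sh deploy`, review `terraform show cmds.tfplan` if you want a second look, then `sh deploy.sh post-deploy` once the placeholders are filled in; the subscription e-mail still has to be confirmed by the recipient for the CIS metric and alarm checks to pass.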

Out of Scope

Next Steps

This Proof of Value is only a small step towards an excellent Security Posture for your AWS Accounts. A multitude of other Security, Identity & Compliance solutions are available to complement the Services deployed above, such as Macie, SSO, Directory Services, ACM, Secrets Manager, Cognito and Firewall Manager. Proper privacy-by-design and security-by-design for Software Development, Application Lifecycle and Architecture must also be followed to ensure a hardened state, which this PoV does not supply.

Modifications to Deployment / Further Configuration

High-Level Reading

Security Whitepapers & Workbooks

AWS Security Solutions & Reference Architecture