Total Pageviews

Translate

August 21, 2019

AWS Security Automation - MFA Compliance (Strategy to Audit and Report) - Part 2

by 4hathacker  |  in AWS SecOps at  8:48 AM

Hi folks!!!

In the previous post, we saw what is MFA (Multi-Factor Authentication), how important it is for both on-prem and cloud, and how to setup MFA in AWS for IAM users. In case if you want to get more on this, feel free to see this.



This post is following up the previous post which will look up around auditing for non-MFA users and reporting them to the Security team.

As we all know, 
A security audit is a systematic evaluation of the security of a company's system by measuring how well it conforms to a set of established criteria
Please note if we can relate the above with our MFA compliance,

a. systematic evaluation: To check and monitor if all IAM users are COMPLIANT.
b. system: AWS
c. measuring how well it conforms: either COMPLIANT or NON COMPLIANT
d. established criteria: All IAM users must have MFA enabled.

To audit MFA compliance in AWS, it is required to research about IAM attributes and features we can utilize.

1. Install and Configure awscli in your Windows/Linux/MacOS.

2. Try to find out what all awscli commands can be of use. Go to IAM awscli reference and look for AWS related commands.

3. At a close look, we can see two commands related to IAM Users to provide information about IAM user entities and MFA devices.



4. After running, these awscli commands, we can analyze the output to reach a conclusive strategy for MFA Compliance.




  
Analysis

1. "aws iam list-users" (returns the JSON view of all IAM users in AWS): output shows three different users viz. 4hathacker, 4hathacker.malicious and LegitUser1 with different attributes.

2. "aws iam list-virtual-mfa-devices" (returns the JSON view of all VirtualMFADevices associated to AWS IAM users): output shows three different "VirtualMFADevices" entries for the "UserName" viz. root, 4hathacker and LegitUser1.

Conclusion:

We are unable to find the "VirtualMFADevice" entry for 4hathacker.malicious IAM user in the output of "list-virtual-mfa-devices"

Auditing Logic:

Compare the users present in the AWS IAM and the users present in associated Virtual MFA Devices, whosoever find missing is suspicious and need to be reported to Security Team for investigation.

How to proceed now:

Option 1: Audit can be achieved with an EC2 instance to run a cron-job/scheduled task with a shell script to check for MFA compliance. Setup SMTP server to report the issue to Security Team.
Drawback: EC2 instance cost incurred. Maintenance overhead. Blast Radius is more with EC2 instance with an associated IAM role if policies have been altered. 

Option 2: Audit can be achieved with an on-prem server to run a cron-job with an automation script to check for MFA compliance. Setup SMTP server to report the issue to Security Team.
Drawback: Server needs to be up and running for continuous monitoring. Blast Radius is more with Access Keys stored in the server.

Solution: AWS Lambda. A simple solution with less maintenance, easy deployment, automated triggering and alert system in association with AWS SNS with pre-defined execution roles and AWS Lambda Function Policies. Cost effective in terms of run-time of Lambda which is in milli-seconds. 

Solution Architecture: This comprise of the flow as:
1. Scheduled CloudWatch Rule to check for MFA compliance every-time after a desired time interval via AWS Lambda.
2. SNS Topic defined to send alert to Security Team.
3. AWS Lambda with an intelligent logic to evaluate for the MFA compliance and utilizing the SNS to notify Security Team.



Advantage: Say you have more than 10 AWS accounts and you wanted to deploy it in each account for continuous monitoring and audit reporting. This solution can be deployed to various AWS accounts with the help of AWS CloudFormation in a very little time.

In the upcoming post, we will setup the discussed architecture and deploy the same with the help of AWS Lambda and AWS CloudFormation.

2 comments:

  1. That was really helpful, checkout- https://www.algoworks.com/

    ReplyDelete
    Replies
    1. Checked around https://www.algoworks.com/ Please let me know how can I help you...

      Delete

Like Our Facebook Page

Nitin Sharma's DEV Profile
Proudly Designed by 4hathacker.