Total Pageviews

Translate

September 9, 2019

AWS Security Automation - Access Key Rotation Compliance Management using AWS Lambda

by 4hathacker  |  in AWS SecOps at  10:14 PM

Hi folks!!!

In the previous post, we discussed about control and enforcement over Public Ingress Rules in EC2 Security Groups. Feel free to have a look at it here.



Now, we will be proceeding with maintenance of IAM User Access Key hygiene. But first lets understand about the same.

AWS Access Keys are the credentials used by IAM User or the AWS account root user. They are used to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access Keys consist of two parts: an access key ID and a secret access key. Like a username and password, we have to provide both together to authenticate the requests. A security recommendation suggests that we should only use IAM roles instead of access keys but still in some cases we need to have the access keys handy. These access keys will provide a user complete access to a set of resources defined by the IAM User Policy. So, if the access keys are lost or went into wrong hands, your resources are at risk.

There are a set of IAM Best Practices defined by AWS to help secure your AWS resources. Related to Access Keys, this include,

1. Do Not Share Access Keys

We clearly understood the fact that Access Keys must not be shared in public and should be kept at secure place.

2. Rotate Credentials Regularly

Rotate your credentials either password/access keys regularly s.t. if a password or access key is compromised without your knowledge, you can limit how long the credentials can be used to access your resources.

3. Remove Unnecessary Credentials, etc.

It is important to remove the unused passwords and access keys not in current utilization of business requirements. For this, you can look for the users who have not used their passwords/credentials since a pre-decided particular time.

If you have plenty of users in your AWS account, it will be a tedious task to keep an eye on every user to meet the access key compliance. And manual management, can result in severe consequences.

Compliance:

According to CIS Amazon Web Services Foundations v1.2.0 - 05-23-2018, the compliance benchmark says,
Ensure credentials unused for 90 days or greater are disabled.
Ensure access keys are rotated every 90 days or less.
Strategy:

To meet the following compliance requirements, here we will be implementing an intelligent Lambda function which will take care of the following things,
Sanitation: If Access Key is not used since last 45 days being "Active", disable the Access Key and publish the message to Security/SecOps Team.
Rotation: If Access Key creation has passed 85 days, generate a new Access Key for the user and publish the message to Security/SecOps Team. Further SecOps/Security Team will inform the user to update all its apps with New Access Key. Delete the older Access Key automatically after 90 days.
Audit: Check the compliance everyday and generate a compliance list for all users with relevant information, scope of action required and action recommendation.

Setup:

1. Go to AWS Lambda Console using "Services" drop-down and search for "Lambda". Inside Lambda Console, Go to "Functions" and hit "Create Function". Fill the basic information required for the AWS Lambda function and move forward.



2. Post successful Lambda creation, Click on Amazon CloudWatch Logs and go down to hit "Manage These Permissions".


3. Now we will be attaching an inline policy for IAM Access Key Management permissions. Use "Edit JSON" to write the policy and review it giving a name to hit "Create Policy" button.







4. I have one more inline policy made for SNS publish. Going to attach the same now.




5. To add a trigger, go to our Lambda function, hit "Add Trigger" and fill the details as given below. Please note that we will be setting up a "Schedule expression" which will trigger the Lambda check every day at 10 am UTC. And do not check upon the "Enable trigger" for now.  





"Lambda Core Logic"

There are three parts in this Lambda function:

1. lambda_handler - It is the controller of the function which passes the usernames to check for access key compliance.



2. sns_publish - To send the notification to Security/SecOps team about the compliance status.



3. access_key_remediator - accepts the usernames and check compliance benchmark for every key attached to a username.





Compliance Check:

To check for the compliance, here I have created a set of users in this AWS account. 



When we ran the Lambda, we got a result in return as well as some log information. If we can see the log information along with the result, we can conclude,




- There are 5 users.
- User "4hathacker" has two access keys and both are disabled.
- User "LegitUser3" has one access key and it is disabled.
- User "LegitUser4" have one access key and it isn't used in any of the API call yet.
- User "LegitUser4" has  one access key which is disabled.


If you are wondering about "LegitUser1" and "LegitUser2", then I would like to tell you that, I do not have created any access key for them. Hence, they didn't appear in the logs as well as the compliance report result.

Advantages:

1. Automatic and timely Creation and Deletion of Keys.
2. Notification of Disabled Keys to SecOps/Security Team.
3. Daily Audit for compliance.
4. No manual overhead and zero maintenance.

Scope Of Improvement:

1. SecOps/Security Team needs to convey to the user about Creation of New Access Keys with complete details.
2. Can subscribe to more SNS topics with an arrangement to reach end user with appropriate notification.

This is how we have automated one more compliance check. Stay Tuned, for more posts like this...!!!
PS: I have cleared all the users and keys shared here... ;)

7 comments:

  1. I had a very bad feeling that my woman has been lying to me all this years and also cheating on me, I can’t get hold of her phone cause she always put it on phone lock, though she claims that there is no one else but she stays out some nights and tell me that she was up for work so I was able to pull up with arstrongcyberwizard@yahoo.com and this hacker helped me with all the necessary info I needed to know and right about now am very happy with all that I was able to find out from her phone without touching her phone. Am here to thank you ARSTRONG WIZARD you are the best. Its really hard to find a legit hacker but this hacker is the real deal just tell him Jim Dutcher referred you to him. arstrongcyberwizard@yahoo.com Whatsapp him +12899600524

    ReplyDelete
  2. They are all scammers, they will make you pay after which they will give you an excuse asking you to pay more money, they have ripped me of $2000, i promised i was going to expose them. I figured it all out when my colleague took me to Pavel (HACKINTECHNOLOGY@GMAIL.COM) +1 669 225 2253 He did perfect job, he hacks all accounts ranging from (Emails, Facebook, whatsapp, imo, skype, instagram, Phone cloning, DMV removal, tracking locations, background checks Kik etc. he also hacks cell phones, cell phone tapping and cloning, clears bad driving and criminal records, bank transfers, locates missing individuals e.t.c. You should contact him and please stop using contacts you see on websites to execute jobs for you, you can ask around to find a real hacker.

    ReplyDelete
  3. Please help me to get missing code in line no 94-172 in lamda code 3rd scrrenshot def access_key_remediator(usernames) function.pls help me to get remaining code

    ReplyDelete
  4. CREDIBLE ETHICAL H A C K E R RECOMMENDATION - QUADHACKED @ G M A I L . C O M

    i’ll recommend this for anyone in a distant relationship most especially . the kind of job i do Makes me stay far away from home in remote countries drilling and mining . Any time i’m away, i’m always curious on what my spouse was up to. some one recommended to me Q U A D H A C K E D @ G M A I L . C O M . and spoke so high of him. i decided to give him a try, . he helped me clone my spouse phone and tap into my spouse whatsapp and e m ails. i was shook with all that was revealed to me in a a very short while, even deleted messages from over 7 months ago, i promise to testify if he helped me which he did .ever since ,he has helped me on other jobs i’ll keep off here. reach out to him today and thank me later.
    Reach out to him for hack services ranging from
    EMAIL ACCOUNT HACK
    PHONE SPY/ PHONE TAP/PHONE CLONING
    WHATSAPP HACK
    FACEBOOK MESSENGER HACK AND OTHER SOCIAL MEDIA.  

    ReplyDelete
  5. Things fell off and I needed a car loan, but all attempts went to no avail because of my bad credit. After so much research online I came across CLEVER HACKER, I saw good recommendations and I sent him a mail though I was skeptical. To my great surprise my score was raised to 774 from 591 in no time, my collections was wiped and I got approved for a new car loan. The least I could do is the others about him cause I know how frustrating the credit system can be. Send him a mail via CLEVERHACKER.HACK@GMAIL.COM or text 7818169462 if you having credit problems

    ReplyDelete
  6. i was lost with no hope for my wife was cheating and had always got away with it because i did not know how or always too scared to pin anything on her. with the help a friend IN PERSON OF PAIGE who recommended me to who help hack her phone, email, chat, sms and expose her for a cheater she is. I just want to say a big thank you to HACKINTECHNOLOGY@GMAIL.COM . am sure someone out there is looking for how to solve his relationship problems, you can also contact him for all sorts of hacking job..he is fast and reliable. you could also text +1 669 225 2253

    ReplyDelete
  7. I’m sharing this piece of info for those who need the service of a genuine hacker,
    Hack into your partners whatsapp, Facebook or any other social network account without he/she knowing and read conversations, old and new messages including deleted messages,
    He is tested and reliable. contact cyberspyguru07@ gmail com
    wish you the best

    ReplyDelete

Like Our Facebook Page

Nitin Sharma's DEV Profile
Proudly Designed by 4hathacker.