September 4, 2019

AWS Security Automation - Public Ingress Compliance Auto-Remediation (AWS Config and Lambda) - Part 2

by 4hathacker  |  in AWS SecOps at  11:00 AM

Hi folks!!!

In the previous post, we discussed SSH compliance in EC2 Security Groups. Feel free to have a look at it here.



We saw that the setup had some limitations: the AWS Managed Rule covers SSH only, there is no sync between AWS Config and AWS Lambda, and so on. In this post, we will try to resolve them while implementing a Custom Config Rule, with a few tweaks around AWS Lambda, for Public Ingress remediation on all ports instead of SSH only.
Public Ingress Compliance: if access to the instance via any port/protocol is restricted to the organization's public IPs behind the firewall/proxy, the security group is COMPLIANT, else NON_COMPLIANT.
Strategy:

Using AWS Config Custom Rules with an AWS Lambda function, we can check the Public Ingress associated with the Security Groups of a region. Here the compliance check is triggered only when a configuration change occurs, so there is no need to configure an AWS CloudWatch Scheduled Rule. Any rule allowing "0.0.0.0/0" or "::/0" for any port/protocol as ingress on an EC2 Security Group must be removed.

Setup:

1. From "Services" drop down, select "Config" and go to AWS Config Console. Select "Rules" from the left pane.

2. From the Rules panel, select "Add rule" and then click on "Add custom rule".

3. In the panel that appears, add the "Name" and "Description", then CTRL-click "Create AWS Lambda function", which is present below the "AWS Lambda function ARN*" field, so that the Lambda console opens in a new tab.



4. Here, we will follow the same approach as earlier to create a Lambda function named "PublicIngressRemovalSecopsSGLambda", providing some basic information like Name, Runtime, Execution role, etc.



5. For the execution role, we will create a new role named "PIRSecOpsSGLambdaRole" with two policy templates, viz. AWS Config Rules permissions and Amazon SNS publish policy.



6. When the function is created, copy the ARN from the top right and go back to the Config Console window. Paste the Lambda function ARN here. Set the trigger type to "Configuration changes", Scope to "Resources" and Resources to "EC2:SecurityGroup". Click "Save" at the bottom and proceed.




7. You can see the new rule with compliance as "Evaluating".



8. Now, go back to the Lambda console, click on the SNS policy and select "Manage these permissions".



9. We will add an inline policy to our "PIRSecOpsSGLambdaRole", so click on "Add inline policy" and write the policy as below. Click "Review policy".




10. Add the name as "PIRSecopsLambdaSGPolicy" and hit "CreatePolicy".

11. You can see your policy is attached here.


"Lambda Core Logic (LCL)"

LCL-1. This is our "evaluate_compliance" function, which checks three cases:
a. Whether the resource is in APPLICABLE_RESOURCES; for example, if you are monitoring a lot of resources via your custom config rules and you specifically want to filter "EC2:SecurityGroup" resources.
b. Whether the resource is still present or has been deleted.
c. If not deleted, get the security group details and proceed to evaluate and remediate, as we did previously, for both the IPv4 and IPv6 checks.



LCL-2. This is our "sns_publish" function, which notifies the security team about the remediation activity.



LCL-3. This is our main function, "lambda_handler", which acts as the controller here. The interesting part to note is that we put the result of the evaluation back to AWS Config. So this Lambda function evaluates the compliance on its own and then updates AWS Config about it.
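The three LCL pieces written out as one working Lambda, as an added example that is not the post's own code (the post's function was shown only in screenshots). It assumes an environment variable SNS_TOPIC_ARN for the topic, and that the role's inline policy allows ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, config:PutEvaluations and sns:Publish; the evaluation logic is kept free of boto3 so it can be unit-tested with constructed security group data.

```python
import json
import os

# Added example, not the post's own Lambda code. Assumes env var SNS_TOPIC_ARN and a role allowed
# ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, config:PutEvaluations and sns:Publish.
APPLICABLE_RESOURCES = ("AWS::EC2::SecurityGroup",)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def public_ingress(ip_permissions):
    """Per ingress rule (describe_security_groups shape), keep only the ranges open to the whole Internet."""
    offending = []
    for perm in ip_permissions:
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_CIDRS]
        if not (v4 or v6):
            continue
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}  # "-1" has no ports
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        offending.append(entry)  # exactly the shape revoke_security_group_ingress expects
    return offending

def evaluate_compliance(configuration_item, ip_permissions):
    """LCL-1: filter by resource type, skip deleted resources, then inspect the ingress rules."""
    if (configuration_item["resourceType"] not in APPLICABLE_RESOURCES
            or configuration_item["configurationItemStatus"] == "ResourceDeleted"):
        return "NOT_APPLICABLE", []
    offending = public_ingress(ip_permissions)
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending

def lambda_handler(event, context):
    """LCL-3: evaluate, revoke, notify (LCL-2) and report the result back to AWS Config."""
    import boto3  # imported here so the pure evaluation logic above also runs outside Lambda
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    ec2, cfg, sns = boto3.client("ec2"), boto3.client("config"), boto3.client("sns")
    ip_permissions = []
    if ci["resourceType"] in APPLICABLE_RESOURCES and ci["configurationItemStatus"] != "ResourceDeleted":
        ip_permissions = ec2.describe_security_groups(GroupIds=[ci["resourceId"]])["SecurityGroups"][0]["IpPermissions"]
    compliance, offending = evaluate_compliance(ci, ip_permissions)
    annotation = "Removed %d public ingress rule(s)" % len(offending) if offending else "No public ingress"
    if offending:
        # Only the public ranges are revoked, so other sources on the same port stay. The revoke is itself a
        # configuration change, so Config re-runs this rule and the group is then reported COMPLIANT.
        ec2.revoke_security_group_ingress(GroupId=ci["resourceId"], IpPermissions=offending)
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Subject="Public ingress removed: " + ci["resourceId"],
                    Message=json.dumps({"groupId": ci["resourceId"], "revoked": offending}, indent=2))
    cfg.put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance, "Annotation": annotation, "OrderingTimestamp": ci["configurationItemCaptureTime"]}])
```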



Compliance Check:

1. To check that it is working, create two security groups, 4hathackerSecOpsSG and 4hathackerSecOpsSG2, as below.




2. After 5-6 minutes, the Lambda will be triggered automatically by AWS Config, evaluate the compliance and update the security groups.





3. To analyze what happened in the meantime, check the AWS CloudWatch Logs log group of the function. It will show you the modifications made by the Lambda.




Advantages:

1. Compared to our previous blog post, where the Lambda was triggered every 2 minutes, this is much more efficient.

2. Lambda and AWS Config are in sync here: the function reports its evaluation back to Config.

3. No dependency on AWS Config Managed Rules. Write your own custom rule, do the evaluation and update AWS Config.

Scope Of Improvement:

1. CloudFormation templates could be used for an easier deployment approach.

2. Filter the ports/protocols as per your requirement. Here the rule is rigid: no public ingress is allowed on any port at all.

This is all about Security Groups and compliance management. There are a lot of things one can try and learn about security group compliance management. I found a visual guide to best practices on the Internet2 Confluence site, which is available here.

Feel free to have a look, and stay tuned for more exciting things related to AWS, Security and Automation...

Wondering if I should start writing about Python and Core Security... Please share your views in the comments section...


