September 2, 2019

AWS Security Automation - SSH Compliance Auto-Remediation (AWS Config and Lambda) - Part 1

by 4hathacker  |  in AWS SecOps at  11:54 AM

Hi folks!!!

In the previous series of three posts on MFA compliance, we went through the key aspects of security compliance: how to follow along with compliance documents and how to set up an MFA compliance check in AWS. Feel free to have a look at them here



In this post, we will look at compliance management for SSH access to EC2 instances, implemented and enforced as controls over Security Groups.

SSH Compliance: a Security Group is COMPLIANT if inbound SSH (TCP port 22) is restricted to the organization's public IPs (the addresses behind its firewall/proxy); it is NON-COMPLIANT if SSH is open to the whole Internet. Note that the AWS managed rule used below does not know your organization's address ranges: it flags any ingress entry that allows SSH from 0.0.0.0/0 (or ::/0). An entry that allows SSH from some other, non-organization CIDR still passes as COMPLIANT and would need a custom rule to catch.
Strategy:

Using the AWS managed Config rule restricted-ssh together with an AWS Lambda function, we can both check for compliance and remediate. AWS Config evaluates the Security Groups; the Lambda function is invoked at a fixed interval by a CloudWatch Events scheduled rule, reads the rule's NON-COMPLIANT results and removes the offending ingress entries.

Setup:

A. Configure the AWS managed Config rule for EC2:SecurityGroup resources from the AWS Config console. If this is the first time AWS Config is used in the region, set up the service as below; otherwise, create the Config rule directly.

1. Click the "Services" drop-down, type "Config" and select "AWS Config". If you land on the Config dashboard (the screen shown below), AWS Config is already set up in this region and you can go straight to step 3. If you get the setup screen instead, follow the steps below.

2. From the left panel, select "Settings" and, under resources, choose "Specific types" with "EC2:SecurityGroup". Please note that AWS Config is a regional construct, so only the Security Groups in the current region are considered. Select the "Create a bucket" option and fill in the bucket name you want for the configuration history and snapshots. Also select the AWS Config service-linked role and move forward.


3. In the rules tab, search for the restricted-ssh rule, select it and move forward.


4. Click "Confirm" at the bottom of the Review panel.



B. Write a Lambda function, with a CloudWatch Events scheduled rule as its trigger, that checks for NON-COMPLIANT Security Groups at the specified interval and remediates them.

"Core Logic for SecOpsRemediateSGLambda function" 
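The post's own Lambda code was published as a screenshot. Below is an added example, written for this page and not the author's original code, of the core logic such a SecOpsRemediateSGLambda function needs: on each scheduled run it asks AWS Config which Security Groups the managed rule currently marks NON_COMPLIANT, revokes only the ingress entries that open SSH to the world, and notifies SecOps over SNS only when something was actually revoked. It goes one step beyond the post by also revoking IPv6 world-open entries (::/0). The rule name, the topic ARN and the sample Security Group are assumptions/placeholders.

```python
"""Added example of the core logic for a SecOpsRemediateSGLambda-style function.

Not the post's own code.  Flow on each scheduled invocation:
  1. ask AWS Config which EC2 Security Groups the managed rule (assumed to be
     named 'restricted-ssh') currently evaluates as NON_COMPLIANT;
  2. revoke only the ingress entries that open SSH to 0.0.0.0/0 or ::/0
     (the post's version handled IPv4 only);
  3. publish an SNS notification only when something was actually revoked.
CONFIG_RULE_NAME, SNS_TOPIC_ARN and SAMPLE_SG are assumptions/placeholders.
"""
import json
import os

CONFIG_RULE_NAME = os.environ.get("CONFIG_RULE_NAME", "restricted-ssh")   # assumed
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN",
                               "arn:aws:sns:us-east-1:123456789012:SecOpsTopic")  # placeholder
SSH_PORT = 22
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def permission_covers_ssh(perm):
    """True if an IpPermission entry includes TCP/22 (or all traffic, protocol '-1')."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def offending_permissions(security_group):
    """Build the IpPermissions list for revoke_security_group_ingress that removes
    only the world-open SSH entries.  Compliant CIDRs in the same entry (e.g. the
    office range) are not listed, so they survive.  EC2 revokes whole entries, so a
    world-open 0-1024 range that happens to include 22 is revoked as a whole."""
    to_revoke = []
    for perm in security_group.get("IpPermissions", []):
        if not permission_covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if not (v4 or v6):
            continue                      # restricted to specific CIDRs: compliant
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":    # '-1' (all traffic) entries carry no ports
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": WORLD_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": WORLD_V6}]
        to_revoke.append(entry)
    return to_revoke


def noncompliant_security_groups(config):
    """Security group IDs the Config rule currently evaluates as NON_COMPLIANT
    (follows NextToken so large accounts are fully covered)."""
    ids = []
    kwargs = {"ConfigRuleName": CONFIG_RULE_NAME, "ComplianceTypes": ["NON_COMPLIANT"]}
    while True:
        page = config.get_compliance_details_by_config_rule(**kwargs)
        for result in page.get("EvaluationResults", []):
            q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            if q["ResourceType"] == "AWS::EC2::SecurityGroup":
                ids.append(q["ResourceId"])
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def lambda_handler(event, context):
    """Scheduled entry point (CloudWatch Events rule)."""
    import boto3                          # imported here so the helpers above run without AWS
    from botocore.exceptions import ClientError
    config, ec2, sns = boto3.client("config"), boto3.client("ec2"), boto3.client("sns")

    remediated = {}
    for sg_id in noncompliant_security_groups(config):
        try:
            sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
        except ClientError as err:        # group deleted since Config last evaluated it
            print(f"skipping {sg_id}: {err}")
            continue
        perms = offending_permissions(sg)
        if not perms:                     # stale Config result; already fixed
            continue
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
        remediated[sg_id] = perms
        print(f"revoked from {sg_id}: {json.dumps(perms)}")

    if remediated:                        # notify SecOps only when action was taken
        sns.publish(TopicArn=SNS_TOPIC_ARN, Subject="SSH compliance auto-remediation",
                    Message=json.dumps(remediated, indent=2))
    return {"remediated": remediated}


# Constructed sample mirroring the demo group in the post: one compliant office
# CIDR plus world-open entries on 22 (v4 and v6), 443 (not SSH) and 0-1024.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"},
                      {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(offending_permissions(SAMPLE_SG), indent=2))
```

Run locally to see which entries would be revoked from the sample group: the office CIDR on port 22 and the world-open HTTPS entry are left alone, while the 0.0.0.0/0 and ::/0 ranges on port 22 and the world-open 0-1024 range are revoked. The boto3 clients are created inside the handler so the decision logic can be unit-tested without AWS credentials.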



1. Go to AWS Lambda from the "Services" drop-down and select "Create Function". Fill in the options as shown in the images below.


Note: Remember to select the policy templates attached to the role: "AWS Config Rules permissions" and "AWS SNS Publish policy".


2. After clicking "Create Function", you can see the new function "SecOpsRemediateSGLambda".


3. For the remediation action, we need to attach an inline policy to the function's execution role with the permissions shown below.

Note: Do not attach the AWS managed policy AmazonEC2FullAccess to the Lambda function's role. It is always best practice to grant only the permissions required to perform the action (here, describing Security Groups and revoking their ingress rules): a function that can modify any EC2 resource has a far larger blast radius if its code or its trigger is ever abused.
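The inline policy itself was published as a screenshot. As an added example, not the post's own policy document, this is the least-privilege shape it should take for the remediation action described above: read access to Security Groups (Describe calls do not support resource-level permissions, so "*" is unavoidable there) and the revoke action scoped to Security Groups in one region and account. The region and account ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecurityGroups",
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Sid": "RevokeOffendingIngressOnly",
      "Effect": "Allow",
      "Action": "ec2:RevokeSecurityGroupIngress",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/*"
    }
  ]
}
```

The Config and SNS permissions come from the two policy templates selected when the function was created, so this inline policy only adds the EC2 actions. Check after attaching it: if a test run fails with an AccessDenied on config:GetComplianceDetailsByConfigRule, the Config template attached to your role does not cover that read call and it has to be added to this inline policy as well. Deliberately absent are ec2:AuthorizeSecurityGroupIngress and any Delete action; the function should only ever be able to remove rules.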
4. Now we need to add a CloudWatch Events scheduled rule as the trigger for this Lambda. Click "Add Trigger" in the Lambda console for "SecOpsRemediateSGLambda", fill in the details as shown in the image below and move forward.

Keep the trigger disabled for now and enable it when testing.


C. Set up an SNS topic to notify the SecOps team about Lambda remediation in case of NON-COMPLIANCE. We already created this in the previous blog posts; feel free to look back at them.

D. Set up a demo Security Group (4hathackerSecOpsSG) to test whether the flow works and the remediation action removes the offending SG rules.


Check:

1. Add 4 inbound rules to the demo Security Group 4hathackerSecOpsSG.

2. Of the rules attached as shown below, three are non-compliant (SSH open to 0.0.0.0/0) and one is compliant.

3. After some time, you can see in the AWS Config rules that this resource has been evaluated as NON-COMPLIANT. On its next scheduled run, the Lambda function picks this up and takes the remediation action.


4. You can look at the CloudWatch log events to analyze the actions taken by the Lambda function to maintain compliance. Please note that the notification is only sent when the Lambda actually performs a remediation action, not on every scheduled run.


5. After the Lambda remediation, go back to the Security Group and observe that the non-compliant rules have been removed while the compliant one is still there.



Advantage:

No manual action is required from the SecOps/security team to find Security Groups with SSH open to the world. The remediation takes only 3-5 minutes end to end (Config evaluation plus the next scheduled Lambda run).

Scope of Improvement:

1. There is no coupling between the Lambda function and the Config rule: the rule evaluates Security Groups as they change, while the Lambda polls on a schedule, so the two act as separate entities and a non-compliant rule stays open until the next scheduled run. A better design would let the Lambda react directly to the Config evaluation result (or to the Security Group configuration change) and take the remediation action immediately.

2. The remediation only handles IPv4, i.e. "0.0.0.0/0", and not IPv6, i.e. "::/0".

3. There is a dependency on the AWS managed Config rule restricted-ssh, which is fine in this case. But what about other admin ports and protocols like FTP, SMTP, RDP, etc.? AWS Config does not offer a dedicated managed rule for each of these ports, so the use case needs to be made generic.

4. Being a regional construct, we are monitoring the Security Group resources of only a single AWS region. So we need to deploy this Lambda function to all the regions where our applications are present, and this requires a generic CloudFormation template like the one we built for MFA compliance. Feel free to create your own template for the same.

In the next post, we will see how we can generalize this compliance management for other admin ports. Till then, stay tuned!!!


Nitin Sharma's DEV Profile