Cloud Infrastructure Security Report
Prepared for Acme Corp
From: Jul 24, 2016 at 09:08 PDT To: Jul 24, 2017 at 09:08 PDT
Cloud Account(s): Dev Account, Staging Account, Production Account
Table of Contents
Executive Summary
Configuration & Compliance Risks
Network Security Risks
IAM Risks
Executive Summary
Resources Monitored: 814
Open Alerts: 49
Accounts Monitored: 3
[Chart: Alerts By Status (Resolved / Open), 460 alerts]
[Chart: Open Alerts By Violation Type (Config / Network / Anomaly), 79 alerts]
[Chart: Resources By Risk Rating (A / B / C / F) by date, Sep '16 to May '17]
[Chart: Open Alerts By Severity (High / Medium / Low), 49 alerts]
Policy Compliance Summary (severity: High, Medium, Low)
Name | Compliance Standard | Resource(s) Passed | Resource(s) Failed
RDS instances are not encrypted | PCI DSS v3.2, CIS | 15 | 69
Account Hijacking attempts | N/A | 200 | 16
Default Security Group does not restrict all traffic | CIS | 16 | 12
Security groups allow internet traffic | PCI DSS v3.2, CIS | 58 | 12
Security Groups allow internet traffic to SSH port (22) | CIS | 50 | 12
S3 buckets are accessible to public | PCI DSS v3.2 | 50 | 9
Internet exposed instances | Network | N/A | 6
Excessive login failures | N/A | 200 | 4
SSH from internet to non-ELB & non-NAT resources | Network | N/A | 3
Publicly accessible AMIs | N/A | 2 | 2
EBS snapshots are accessible to public | N/A | 4 | 1
CloudTrail logs are not encrypted using Customer Master Keys (CMKs) | CIS | 3 | 1
Access logging not enabled on S3 buckets | PCI DSS v3.2 | 10 | 53
MFA not enabled for IAM users | PCI DSS v3.2, CIS | 8 | 28
Access keys are not rotated for 90 days | N/A | 21 | 21
VPC Flow Logs not enabled | CIS | 11 | 12
Customer Master Key (CMK) rotation is not enabled | PCI DSS v3.2, CIS | 1 | 9
IAM password policy does not have a minimum of 14 characters | PCI DSS v3.2, CIS | 3 | 1
IAM password policy does not have an uppercase character | PCI DSS v3.2, CIS | 3 | 1
IAM password policy allows password reuse | PCI DSS v3.2, CIS | 3 | 1
IAM password policy does not have password expiration period | PCI DSS v3.2, CIS | 3 | 1
IAM password policy does not exist | PCI DSS v3.2, CIS | 3 | 1
IAM password policy does not have a lowercase character | PCI DSS v3.2, CIS | 3 | 1
IAM password policy does not expire in 90 days | CIS | 3 | 1
Inactive users for more than 30 days | PCI DSS v3.2, CIS | 9 | 34
Security Groups not in use | N/A | 98 | 27
Access logging not enabled on all CloudTrail buckets | CIS | 1 | 18
IAM policies are not attached to groups only | CIS | 12 | 1
Configuration & Compliance Risks
RedLock platform ingests configuration data from various cloud services to identify potential compliance risks for customers. This data is scanned by RedLock's advanced policy engine to identify compliance violations based on CIS (Center for Internet Security), PCI DSS (Payment Card Industry Data Security Standard), and other industry best practices.
Publicly accessible AMIs
Resource Type: VM Image
Resource(s) Failed: 2
Resource(s) Passed: 2
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jun 27, 2017 at 01:12 PDT
Description:
Checks to ensure that AMIs are not accessible to the public. An Amazon Machine Image (AMI) provides the information required to launch an instance in the cloud. AMIs may contain proprietary customer information and should be accessible only to authorized internal users.
Resource(s) Failed:
public-image-test, public-image-test
Recommendations:
1. Log in to the AWS Console and navigate to the 'EC2' service.
2. Navigate to the AMI that was reported in the alert.
3. Click on 'Modify Image Permission' and make sure 'public' is deselected so that the image is not available to the public.
Default Security Group does not restrict all traffic
Resource Type: Security Group
Resource(s) Failed: 12
Resource(s) Passed: 16
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that the default security group restricts all inbound and outbound traffic. A VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet and allows all outbound traffic. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic.
Resource(s) Failed:
default
Recommendations:
1. Log in to the AWS Console and navigate to the 'VPC' service.
2. For each region, select 'Security Groups' and then click on the 'default' security group.
3. Delete the 'Inbound Rules' and 'Outbound Rules', which will restrict all traffic to the default security group.
Security groups allow internet traffic
Resource Type: Security Group
Resource(s) Failed: 12
Resource(s) Passed: 58
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 11, 2017 at 20:41 PDT
Description:
Checks to ensure that Security Groups do not allow all traffic from the internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive ACLs that only allow incoming traffic from specific IPs to the specific ports where the application is listening for connections.
Resource(s) Failed:
default
Recommendations:
If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
1. Log in to the AWS Console and navigate to the 'VPC' service.
2. Click on the 'Security Group' specific to the alert.
3. Click on 'Inbound Rules' and remove the row with the IP value 0.0.0.0/0.
4. Click on 'Outbound Rules' and remove the row with the IP value 0.0.0.0/0.
CloudTrail logs are not encrypted using Customer Master Keys (CMKs)
Resource Type: CloudTrail Setting
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 11, 2017 at 20:41 PDT
Description:
Checks to ensure that CloudTrail logs are encrypted. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data since it may contain sensitive information.
Resource(s) Failed:
trail-1
Recommendations:
1. Log in to the AWS Console and navigate to the 'CloudTrail' service.
2. For each trail, under Configuration > Storage Location, select 'Yes' for the 'Encrypt log files' setting and then choose an existing KMS key or create a new one to encrypt the logs with.
Security Groups allow internet traffic to SSH port (22)
Resource Type: Security Group
Resource(s) Failed: 12
Resource(s) Passed: 50
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that Security Groups do not allow inbound traffic on SSH port (22) from the public internet. Doing so may allow a bad actor to brute force their way into the system and potentially gain access to the entire network.
Resource(s) Failed:
Qualys Virtual Scanner Appliance -Pre-Authorized Scanning- HVM-2-2-27-2-PA-AutogenByAWSMP-, launch-wizard-1, build-server-sg, Bastion stage, splunk, W Sec Group, ssh-from-world, SSH from internet, launch-wizard-1, incoming-from-dev_vpc-and-ssh-from-everywhere ...and 2 More
Recommendations:
If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
1. Log in to the AWS Console and navigate to the 'VPC' service.
2. Select the 'Security Group' reported in the alert and click on 'Inbound Rules'.
3. Remove any row with port value 22 and IP value 0.0.0.0/0, and any row without a port value but with IP value 0.0.0.0/0.
RDS instances are not encrypted
Resource Type: Managed Database
Resource(s) Failed: 69
Resource(s) Passed: 15
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that RDS instances are encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. Amazon allows customers to turn on encryption for RDS, which is recommended for compliance and security reasons.
Resource(s) Failed:
res-055772715862, res-841793971818, res962538314265, res704132753494, res-713815611333, gaurav-7, res-790717076026, gaurav-test-rr, res2-824141832381, res938284595466 ...and 59 More
Recommendations:
You can only enable encryption for an Amazon RDS instance when you create it, not after the DB instance is created. If you want to enable encryption for an RDS instance, follow the instructions at the link below for further details.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
EBS snapshots are accessible to public
Resource Type: Snapshot Settings
Resource(s) Failed: 1
Resource(s) Passed: 4
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 20, 2017 at 10:31 PDT
Description:
Checks to ensure that EBS snapshots are not accessible to the public. Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. If EBS snapshots are inadvertently shared to the public, any unauthorized user with AWS console access can gain access to the snapshots and to the sensitive data they contain.
Resource(s) Failed:
snap-012ce8630ade1662f
Recommendations:
1. Log in to the AWS Console and access the 'EC2' service.
2. Under 'Elastic Block Storage', click on 'Snapshots'.
3. For the specific Snapshots, change the value of the field 'Property' to 'Private'.
4. Under the section 'Encryption Details', set the value of 'Encryption Enabled' to 'Yes'.
S3 buckets are accessible to public
Resource Type: Bucket ACL
Resource(s) Failed: 9
Resource(s) Passed: 50
Compliance: PCI DSS v3.2
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks for publicly accessible S3 buckets. Amazon S3 allows customers to store and retrieve any type of content from anywhere on the web. Often, customers have legitimate reasons to expose an S3 bucket to the public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks.
Resource(s) Failed:
redlock-brb, stagingfiles-redlock, redlock-2.io, www.redlock-2.io, redlockstage, stagingfiles-dev, cf-templates-6dxf8zsnr80o-us-east-1, redlockdev, cf-templates-6dxf8zsnr80o-us-west-1
Recommendations:
1. Log in to the AWS Console and navigate to the 'S3' service.
2. Click on the 'S3' resource reported in the alert.
3. Click on the 'Permissions'.
4. Under 'Manage Public Permissions', make sure 'Everyone' is deselected.
IAM password policy does not have password expiration period
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that IAM password policy has an expiration period. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
123456789
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings', check 'Enable password expiration' and enter a password expiration period.
IAM password policy does not have a lowercase character
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
987654321
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings' and check 'Require at least one lowercase letter'.
Customer Master Key (CMK) rotation is not enabled
Resource Type: Managed Key Rotation Status
Resource(s) Failed: 9
Resource(s) Passed: 1
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. As a security best practice, it is important to rotate the keys periodically so that if a key is compromised, the data in the underlying service is still secure under the new key.
Resource(s) Failed:
0636ffa0-e046-46f4-9688-6be3dafce925, b31e435c-da23-4ec3-a5ba-f6df798937cb, 59ac8c16-a5dc-4ac6-8418-bc913dc74fa4, 8297770e-dd15-4372-a6e1-e7e4a7c17efc, 9852bd97-427f-46ab-b1ec-689e044b131d, 031ab3c5-e27b-494e-98e9-3db5d476b233, f5d2d2bb-f24b-46e1-a0a1-f398d84b9a77, 2b2ce210-c3dd-4053-b9f7-d41e16a522c1, c95dd657-a5f5-4476-a292-2389a690a10b
Recommendations:
1. Identify the resource (key) related to this policy.
2. In the IAM Service > Encryption Keys, select the specific key.
3. Under 'Key Policy', ensure that 'Rotate this key every year' is enabled.
IAM password policy allows password reuse
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that the IAM password policy does not allow password reuse. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
112233445
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings', check 'Prevent password reuse'.
VPC Flow Logs not enabled
Resource Type: Virtual Network
Resource(s) Failed: 12
Resource(s) Passed: 11
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 11, 2017 at 20:41 PDT
Description:
Checks for VPCs without flow logs turned on. VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. Flow logs are used as a security tool to monitor the traffic that is reaching your instances. Without flow logs turned on, it is not possible to get any visibility into network traffic.
Resource(s) Failed:
vpc-ae912ecb, vpc-81d91ae8, vpc-1060d979, vpc-f713fd9e, vpc-a601eacf, vpc-ef56278a, vpc-c9a82fac, david-vpc, vpc-f8feb49d, vpc-e4b5578d ...and 2 More
Recommendations:
1. Log in to the AWS Console and navigate to the 'VPC' service.
2. Navigate to the VPC that was reported in the alert.
3. Click on the 'Flow logs' tab and follow the instructions at the link below to enable Flow Logs for the VPC.
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/
IAM password policy does not exist
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that IAM password policy is in place for the cloud accounts. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
121322334
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings' and make sure that one or more options under 'Password policy' are selected.
IAM password policy does not expire in 90 days
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that the IAM password policy has password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
201345678320
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings', check 'Enable password expiration' and set the value to '90 days'.
MFA not enabled for IAM users
Resource Type: IAM Credentials Report
Resource(s) Failed: 28
Resource(s) Passed: 8
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that MFA is enabled for all IAM users.
Resource(s) Failed:
redlock-prod-ses-smtp-user.071417, tools, stage-s3-user, demo-s3-user, redlock_assumerole, 188619942792, 188619942792, 188619942792, 188619942792, 188619942792 ...and 18 More
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Navigate to the user that was reported in the alert.
3. Under 'Security Credentials', check "Assigned MFA Device" and follow the instructions to enable MFA for the user.
IAM password policy does not have a minimum of 14 characters
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that the IAM password policy requires a minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
868672345672
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings' and enter 14 or more in the 'Minimum password length' field.
IAM password policy does not have an uppercase character
Resource Type: Password Policy
Resource(s) Failed: 1
Resource(s) Passed: N/A
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.
Resource(s) Failed:
132465879221
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on 'Account Settings' and check 'Require at least one uppercase letter'.
Access keys are not rotated for 90 days
Resource Type: IAM Credentials Report
Resource(s) Failed: 21
Resource(s) Passed: 21
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 12, 2017 at 12:44 PDT
Description:
Checks to ensure that access keys are rotated every 90 days. Access keys are used to sign API requests to AWS. As a security best practice, it is recommended that all access keys are rotated regularly so that, in the event of a key compromise, unauthorized users are not able to gain access to your AWS services.
Resource(s) Failed:
34521687912
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Click on the user that was reported in the alert.
3. Click on 'Security Credentials' and review each 'Access Key'.
4. Follow the instructions at the link below to rotate the Access Keys that are older than 90 days.
https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
Access logging not enabled on S3 buckets
Resource Type: Bucket Logging Config
Resource(s) Failed: 53
Resource(s) Passed: 10
Compliance: PCI DSS v3.2
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks for S3 buckets without access logging turned on. Access logging allows customers to view a complete audit trail on sensitive workloads such as S3 buckets. It is recommended that access logging is turned on for all S3 buckets to meet audit & compliance requirements.
Resource(s) Failed:
redlock-dev-ingestion, redlock-brb, redlock-demo-ingestion, redlock-stage-util, redlock-dev-util, redlock-demo-util, redlock-redshift-logs, redlock-s3-logs, redlock-cloud-trail, redlock-dev-web.redlock.io ...and 43 More
Recommendations:
1. Log in to the AWS Console and navigate to the 'S3' service.
2. Click on the S3 bucket that was reported and click on the 'Properties' tab.
3. Under the 'Logging' section, select 'Enable Logging' option.
Inactive users for more than 30 days
Resource Type: IAM Credentials Report
Resource(s) Failed: 34
Resource(s) Passed: 9
Compliance: PCI DSS v3.2, CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:17 PDT
Description:
Checks to ensure that users have not been inactive for more than 30 days. Inactive user accounts are an easy target for attackers because any activity on such an account will largely go unnoticed.
Resource(s) Failed:
534216987235
Recommendations:
1. Make sure that the user has legitimate reason to be inactive for such an extended period.
2. Delete the user account, if the user no longer needs access to the console or no longer exists.
Access logging not enabled on all CloudTrail buckets
Resource Type: Bucket ACL
Resource(s) Failed: 18
Resource(s) Passed: 1
Compliance: CIS
First Seen: Jul 11, 2017 at 13:30 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that access logging is enabled on the CloudTrail S3 bucket. S3 bucket access logging generates access records for each request made to your S3 bucket. An access log record contains information such as the request type, the resources the request worked on, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
Resource(s) Failed:
redlock-stage-archive, redlock-redshift-logs, redlock-demo-ingestion, redlock-dev-archive, redlock-demo-static, redlock-dev-web.redlock.io, redlock.io, redlock-stage-static, redlock.com, redlock-cloud-trail ...and 8 More
Recommendations:
1. Log in to the AWS Console and navigate to the 'S3' service.
2. Click on the S3 bucket that was reported and click on the 'Properties' tab.
3. Under the 'Logging' section, select 'Enable Logging' option.
IAM policies are not attached to groups only
Resource Type: IAM User Managed Policies
Resource(s) Failed: 1
Resource(s) Passed: 12
Compliance: CIS
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: May 31, 2017 at 13:05 PDT
Description:
By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
Resource(s) Failed:
2-8721345981-list-attached-user-policies
Recommendations:
1. Log in to the AWS Console and navigate to the 'IAM' service.
2. Identify the users that were specifically assigned the IAM policy.
3. If a group with a similar policy already exists, put the user in that group. If such a group does not exist, create a new group with the relevant policy and assign the user to the group.
Security Groups not in use
Resource Type: Security Group
Resource(s) Failed: 27
Resource(s) Passed: 98
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 21, 2017 at 16:18 PDT
Description:
Checks to ensure that security groups are used by one or more cloud workloads. Security groups act as a virtual firewall to control network traffic for your instances. It is an AWS security best practice to make sure that security groups are assigned to one or more instances and are not left unused. Unused security groups with weak ACLs may get inadvertently attached to a cloud workload, compromising its security.
Resource(s) Failed:
Production NAT Instance, Inspector Test, splunk, incoming_ssh_from_world, Public To Private Web, ankur-demo, Private ELB, load-balancer-incoming-443, Cache private stage, ssh-from-world ...and 17 More
Recommendations:
1. Log in to the AWS Console and navigate to the 'VPC' service.
2. Navigate to the 'Security Groups' reported in the alerts.
3. If the Security Groups are indeed not in use, delete them.
4. As a security best practice, make sure that only production approved security groups are getting used while creating new workloads.
Network Security Risks
RedLock continuously monitors north-south and east-west network traffic using flow logs and third-party threat intelligence feeds to identify security risks to sensitive workloads.
SSH from internet to non-ELB & non-NAT resources
Resource Type: Other
Resource(s) Failed: 3
Resource(s) Passed: N/A
Compliance: Network
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jun 02, 2017 at 09:56 PDT
Description:
Identify all resources (non-ELB & non-NAT) in the AWS account which have had SSH connection from internet.
Resource(s) Failed:
Bastion Dev, Bastion Prod backup, Bastion Prod primary, Dev Database
Internet exposed instances
Resource Type: Other
Resource(s) Failed: 6
Resource(s) Passed: N/A
Compliance: Network
First Seen: Jun 02, 2017 at 13:32 PDT
Last Seen: Jul 21, 2017 at 14:41 PDT
Description:
Detects any network traffic to sensitive cloud workloads from the public internet and suspicious locations. Cloud workloads should have appropriate Security Groups and ACLs in place so that only external-facing workloads such as load balancers, web servers and bastion hosts are exposed to the internet. If cloud workloads are exposed to the internet, they may become vulnerable to external threats.
Resource(s) Failed:
Bastion Prod primary, Bastion Prod backup, InspectorEC2InstanceLinux, Bastion Dev, Bastion Prod backup, Bastion Prod primary, Dev Database
Recommendations:
1. Log in to the AWS Console and search for the resource reported in the alert.
2. Check to see if the security group for the resource indeed allows connections from internet.
3. Assign another security group to the resource that has more restrictive ACL which does not permit connection from internet.
IAM Risks
RedLock platform continuously monitors user and resource activities to detect suspicious behavior such as account hijacking, brute force login attempts, and unusual access to cloud services. It does so by ingesting IAM logs from cloud environments and applying advanced machine learning algorithms to detect suspicious user behavior.
Account Hijacking attempts
Resource Type: Other
Resource(s) Failed: 16
Resource(s) Passed: N/A
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 11, 2017 at 20:57 PDT
Description:
Detects potential account hijacking attempts by identifying unusual login activities. This can happen if there are concurrent login attempts made within a short duration from two different geo-locations, or from a previously unknown browser, OS or location.
Resource(s) Failed:
John, Kate, Leo
Recommendations:
1. Make sure that the account credentials were not reused from different locations.
2. Occasionally, impossible time travel anomalies are incorrectly identified if the login attempts were made over VPN. Please provide VPN addresses to the RedLock admin if that happens to be the case.
3. If this is indeed an account hijacking attempt, disable the user account temporarily or ask the user to change the password.
Insider Threat
Resource Type: Other
Resource(s) Failed: 4
Resource(s) Passed: N/A
Compliance: N/A
First Seen: May 31, 2017 at 13:05 PDT
Last Seen: Jul 11, 2017 at 08:42 PDT
Description:
Detects suspicious user activity by profiling individual user activities and detecting patterns that have not been seen before.
Resource(s) Failed:
David, Alexia, Carlos, Sandra
Recommendations:
1. Make sure that the enterprise user has indeed performed suspicious activity in your cloud environment.
2. Deactivate the user account or remove permissions from the user account.