The latest articles on Forem by James Monek (@jamesmonek). https://forem.com/jamesmonek https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F502637%2Fcb6d0101-b937-498c-a793-c2e9b96f1fb9.png https://forem.com/jamesmonek en James Monek Tue, 14 Mar 2023 23:47:04 +0000 https://forem.com/aws-builders/securing-data-lake-in-aws-1e1p https://forem.com/aws-builders/securing-data-lake-in-aws-1e1p <p>Cloud security has always been a challenge for moving resources to the cloud. Particularly with constant negligence in leaving S3 buckets and data open to the public. With massive amounts of data available and the need to make data driven decisions, Amazon offers many services to build and utilize a data lake in the cloud. How can one make the move to building a data lake in the cloud while still maintaining security? Fortunately, Amazon has a service for that. Well, actually multiple services.</p> <p>For the purpose of this article, we are going to assume that you will create and store your data in S3 buckets.</p> <h2> Getting some of the basics out the way </h2> <p>For starters, let's get some of basic best practices out of the way.</p> <h3> Key Management Service </h3> <p>Absolutely encrypt everything, encryption at rest and encryption in transit. You'll want to utilize Key Management Service to generate keys to be used for your data lake. I suggest creating operational keys for data in CloudTrails, SNS notifications, RDS, and S3 buckets for services such as AWS Config and VPC Flow Logs. This ensures that if sensitive data is accidentally placed in logs and communications, it is still encrypted. Use different KMS keys for data in the lake. Yes, rotate them at least annually if not more frequently.</p> <h3> S3 </h3> <p>Misconfigured S3 buckets being left open to the world is the root of many breaches. Until recently, the best practice is to force blocking all public access at the account level.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws s3control put-public-access-block \ --account-id AccountId \ --public-access-block-configuration '{"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}' </code></pre> </div> <p>Amazon recently announced making the default setting for S3 buckets is deny public access, <a href="https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/">https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/</a>. I still recommend the using the S3 control and absolutely monitor for changes in those settings which I will cover later.</p> <p>While Server Side Encryption works fine, I would ensure that all your buckets are encrypted using KMS for extra protection for your lake.</p> <p>Also, ensure you are enforcing secure connections only (SSL). More information at <a href="https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule">https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule</a></p> <h3> EC2 </h3> <p>If you are using EC2 services as part of your lake, I recommend taking measures to ensure all EBS volumes are encrypted by default.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws ec2 enable-ebs-encryption-by-default </code></pre> </div> <p>Check for encryption by default on other services you may use such as AWS RDS.</p> <h2> CloudTrails </h2> <p>Everything you do in AWS, whether it's in the console, command line interface, or CloudFormation templates, you are accessing an API. All API calls get logged to CloudTrails. My suggestion here is to create CloudTrails to be sent to S3 buckets and CloudWatch log group. If you have AWS Organizations, then use Organization CloudTrail.</p> <p>I'm suggesting S3 bucket to allow for your Security Information and Event Management (SIEM) tool to be able pull from the bucket and then you can easily search for, develop dashboards, and alarms based on that data. Prime tools in this area are Elastic Search-Logstash-Kibana (ELK Stack), Splunk, and AWS Opensearch.</p> <p>Sending them to CloudWatch allows for you to create CloudWatch Alarms based on events. There are a bunch of events you can trigger on such as unauthorized login attempts, changes to security groups, etc. One I like to monitor for is using the root account, which should never be used. More information can be found at <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html</a>.</p> <h2> Guard Duty </h2> <p>One of the easiest services to enable is Guard Duty and it provides intelligent threat detection. It constantly monitors your buckets, workloads, and accounts for anomalies. Findings can also be sent to Security Hub.</p> <h2> AWS Config </h2> <p>AWS Config assess, audits, and evaluates configurations for your resources. It can detect when there are configuration drifts and alert you. At the core, Security Hub compliance packs use AWS Config to check for hundreds of compliance rules. In combination with Security Hub, I've found the tool helpful in getting your account set up securely based on your rules and then audit when configurations change. Also, remember the settings for blocking public access to S3 bucket? Set up configs to monitor changes in these settings.</p> <h2> Cloudwatch </h2> <p>Earlier in the article, I mentioned enabling CloudTrails and sending this to CloudWatch log group. The reason why I suggest doing so, is that you can create alarms based on data in these logs. Unauthorized access to resources, logins, AWS config compliance changes, policy changes, and so on. More information on creating these types of alarms is at <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Create_alarm_log_group_metric_filter.html">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Create_alarm_log_group_metric_filter.html</a>.</p> <h2> Security Hub </h2> <p>The best way I can describe Security Hub is a central location for the state of securing your account. It contains pre-built compliance packs with rules to secure your resources. Other AWS services such as Guard Duty, AWS Config, Firewall Manager sends findings to security hub. 3rd party tools such as Prowler can also send findings to Security Hub.</p> <p>When you first start with Security Hub, you'll be overwhelmed with findings. You'll want to assess those findings and correct the ones that makes sense. If you discover ones that you are comfortable with, you can suppress them. You'll want to suppress with a note and the way I handle this is through the CLI, which can be automated, <a href="https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-update-findings.html">https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-update-findings.html</a></p> <p>Security Hub re-evaluates on its schedule so there is no way to know how long it will take. Handy tip is to use the CLI to force a manual check. Security Hub will throttle you on the number of manual checks in a timeframe. More information is at <a href="https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html#evaluating-your-resources-console.">https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html#evaluating-your-resources-console.</a></p> <p>Once you get Security Hub in a cleaned state, you'll want to start with setting up notifications using your preferred channel whether that is email or Slack channels, <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html">https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html</a></p> <h2> Prowler </h2> <p>I can't speak about AWS security without mentioning Open Source Prowler which is a tool you can run against your account to generate security findings. It has hundreds of compliance rules. I have a write-up on how to use Prowler along with a CloudFormation script to deploy. The article is at <a href="https://dev.to/aws-builders/automating-prowler-for-compliance-checking-in-aws-3oef">https://dev.to/aws-builders/automating-prowler-for-compliance-checking-in-aws-3oef</a></p> <h2> Wrapping it all up </h2> <p>By no means is this article a complete list of what you can do to secure your data lake in the cloud. I haven't covered all the services I used or even touched on listed of compliance checks you can deploy. Use this as a starting point.</p> <p>One final comment about securing your environment. Always use CloudFormation templates, CDK, or CLI to develop your Infrastructure as Code. Avoid doing any of this in the console. This allows for all your work to be portable to other accounts. Trust me, it's worth the investment up front.</p> aws cloud security datalake James Monek Tue, 24 Jan 2023 00:29:58 +0000 https://forem.com/aws-builders/lambda-with-oracle-layers-30od https://forem.com/aws-builders/lambda-with-oracle-layers-30od <h2> Overview </h2> <p>Recently, I came across a need to finally use Lambda in AWS. I was looking to query an Oracle database and export the Oracle table to a CSV file. While using Python I realized the Oracle client is not available in Lambda so I needed a way to add libraries and dependancies in order to execute my code. Lambda layers allows you to do this. You can add several layers to your Lambda function. This article documents how to create the Oracle Layer for Python in Lambda with the required libraries.</p> <p>The main limitation that I discovered using Lambda layers is the size limit of 250 megs for all your code and libraries. Fortunately, I was just under this limitation but there are several ways to get around this if you run into this problem. One is to break your code into various micro services. The other is to to use EFS and place all of your libraries in the EFS volume and mount the volume on your Lambda function.</p> <h2> Building the Oracle Layer </h2> <p>Optional, but preferred, commission an EC2 instance so you can start from a clean environment.</p> <p>Verify the Python version<br> </p> <p><code>python3 --version</code><br> </p> <p>Create your project directory<br> </p> <p><code>mkdir project</code><br> </p> <p>Create a directory called python<br> </p> <p><code>mkdir python</code><br> </p> <p>Make library directory<br> </p> <p><code>mkdir lib</code><br> </p> <p>Install cx_Oracle Python library<br> </p> <p><code>pip3 install cx_Oracle -t python/</code><br> </p> <p>Download the latest Oracle Client from <a href="https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html" rel="noopener noreferrer">https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html</a><br> </p> <p><code>wget https://download.oracle.com/otn_software/linux/instantclient/218000/instantclient-basic-linux.x64-21.8.0.0.0dbru.zip -O oracli.zip</code><br> </p> <p>Unzip the Oracle Client into the library folder<br> </p> <p><code>unzip -j oracli.zip -d lib/</code><br> </p> <p>Ensure Libaio is insalled on the EC2 instance (it should be)<br> </p> <p><code>sudo yum install libaio -y</code><br> </p> <p>Copy Libaio to library<br> </p> <p><code>cp /lib64/libaio.so.1 lib/libaio.so.1</code><br> </p> <p>Zip up all your libraries to be used for the Lambda Layer<br> </p> <p><code>zip -y -r oracletable.zip python/ lib/</code><br> </p> <p>Copy your zipped library file to a S3 bucket so that the Lambda function can access it.</p> <h2> Adding Layer into Lambda </h2> <ul> <li>Copy the url to be use when creating the layer</li> <li>Go to lambda and create a layer using AWS Lambda Layer documentation.</li> <li>Create the Lambda function using AWS Lambda Documentation.</li> <li>Add your code</li> <li>Add the layer your created</li> <li>Run the Lambda function</li> <li>Using CloudFormations</li> </ul> <p>Below is an example of the CloudFormation code to create a Lambda Layer and Lambda function.</p> <p>Note: Amazon Python Power Tools Layer documentation is at <a href="https://awslabs.github.io/aws-lambda-powertools-python/2.6.0/" rel="noopener noreferrer">https://awslabs.github.io/aws-lambda-powertools-python/2.6.0/</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Role: Type: 'AWS::IAM::Role' Properties: RoleName: lambda-role-name AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com - s3.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: lambda-policy PolicyDocument: Version: "2012-10-17" Statement: # Add access to secrets manager to give access to Lambda function to use - Effect: Allow Action: - secretsmanager:GetResourcePolicy - secretsmanager:GetSecretValue Resource: 'arn:aws:secretsmanager:&lt;region&gt;:&lt;account&gt;:secret:&lt;secretname&gt;' - Effect: "Allow" Action: - s3:ListBucket Resource: - !Sub 'arn:aws:s3:::&lt;S3 Bucket&gt;' - Effect: "Allow" Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl Resource: - !Sub 'arn:aws:s3:::&lt;S3 Bucket&gt;/*' - !Sub 'arn:aws:s3:::&lt;S3 Bucket&gt;/*' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole' # Create the Oracle Layer for Python OrcaleLayer: Type: AWS::Lambda::LayerVersion Properties: CompatibleRuntimes: - python3.7 Content: S3Bucket: &lt;S3 Lambda Bucket with code&gt; S3Key: &lt;layer ip file&gt; Description: "Oracle Layer" LayerName: oracle-layer # Create Lambda Function OracleFunction: Type: AWS::Lambda::Function Properties: FunctionName: oracle-lambda Handler: oraclelambda.lambda_handler Layers: # Oracle Client Library Layer - !Ref OracleLayer # Add Python Power Tools - 'arn:aws:lambda:us-east-1:017000801446:layer:AWSLambdaPowertoolsPythonV2:13' Role: Fn::GetAtt: - Role - Arn Environment: #Pass Secret Name, Target Bucket, and S3 Prefix to the Python code Variables: SecretName: &lt;secret name&gt; TargetBucket: &lt;target bucket&gt; S3Prefix: &lt;target prefix&gt; # Location of the Python Code Code: S3Bucket: &lt;S3 Lambda Bucket with code&gt; S3Key: &lt;pthon code zip file&gt; Runtime: python3.7 Timeout: 90 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: &lt;security group id&gt; - !Ref SecurityGroupId SubnetIds: - &lt;subnet 1&gt; - &lt;subnet 2&gt; </code></pre> </div> <h2> What’s next? </h2> <p>Currently, the process for updating the layers and code is very manual. I’m looking to find ways to automate getting the CloudFormation templates and Lambda to get updated when new changes are made.</p> community discuss James Monek Sun, 27 Mar 2022 18:15:23 +0000 https://forem.com/aws-builders/automating-prowler-for-compliance-checking-in-aws-3oef https://forem.com/aws-builders/automating-prowler-for-compliance-checking-in-aws-3oef <p>Whether you are looking to improve your AWS security posture or checking compliance against cybersecurity frameworks, <a href="https://github.com/prowler-cloud/prowler">Prowler</a> is an amazing open source tool developed by <a href="https://blyx.com/">Toni de la Fuente</a>. Toni has created a tool to check over 200 security controls in AWS ranging from ensuring S3 buckers are not publicly accessible to encryption everywhere. </p> <p>Toni's Github portal provides extensive documentation on how to use the tool, but I wanted to share a CloudFormation template that I created to automate the deployment in AWS to run compliance checks and then decommission the stack and remove all resources.</p> <h2> Launching EC2 Instance for Prowler </h2> <p>First, we will want launch an EC2 instance and run a bash script to download the necessary software, install, and configure Prowler.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ProwlerInstance</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::EC2::Instance'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ImageId</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InstanceType</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SubnetId</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">InstanceSecurityGroup</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">KeyName</span> <span class="na">IamInstanceProfile</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProwlerInstanceProfile</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Prowler</span> <span class="na">BlockDeviceMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">DeviceName</span><span class="pi">:</span> <span class="s">/dev/xvda</span> <span class="na">Ebs</span><span class="pi">:</span> <span class="na">VolumeSize</span><span class="pi">:</span> <span class="m">8</span> <span class="na">Encrypted</span><span class="pi">:</span> <span class="no">true</span> <span class="c1"># Run bash to install and configure Prowler</span> <span class="na">UserData</span><span class="pi">:</span> <span class="s">Fn::Base64:</span> <span class="s">!Sub |</span> <span class="s">#!/bin/bash -xe</span> <span class="s">sudo yum update -y</span> <span class="s">sudo yum remove -y awscli</span> <span class="s">cd /home/ec2-user</span> <span class="s">curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/home/ec2-user/awscliv2.zip"</span> <span class="s">unzip /home/ec2-user/awscliv2.zip</span> <span class="s">sudo /home/ec2-user/aws/install</span> <span class="s">sudo yum install -y python3 jq git</span> <span class="s">sudo pip3 install detect-secrets==1.0.3</span> <span class="s">git clone https://github.com/prowler-cloud/prowler /home/ec2-user/prowler</span> <span class="s">chown -R ec2-user:ec2-user /home/ec2-user/prowler</span> </code></pre> </div> <h2> Create an instance profile </h2> <p>Create an instance profile tied to a role with necessary permissions to run the audit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ProwlerInstanceProfile</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::InstanceProfile</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">InstanceProfileName</span><span class="pi">:</span> <span class="s">prowler-ec2-instance-profile</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ProwlerEc2InstanceRole</span> </code></pre> </div> <h2> Provide access to run Prowler </h2> <p>Next we will want to generate a role that has view-only and security audit permission that is required by Prowler to run compliance checks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ProwlerEc2InstanceRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="s">prowler-ec2-instance-role</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ec2.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/SecurityAudit</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/job-function/ViewOnlyAccess</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> </code></pre> </div> <h2> Security Group </h2> <p>We'll want to create a security group to only allow SSH access into the EC2 instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">InstanceSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow ssh from specific host</span> <span class="na">GroupName</span><span class="pi">:</span> <span class="s">ProwlerSecurityGroup</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VpcId</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CidrIp</span> </code></pre> </div> <h2> Parameters </h2> <p>Lastly, to improve automation, we will pass parameters into the CloudFormation template. If you launch the template via the console, some of these settings will be selected via a dropdown. For launching via the command-line interface, pass the parameters through a JSON file.</p> <p>ImageId : Default is AWS Linux 2 <strong>ami-0e1d30f2c40c4c701</strong><br><br> InstanceType : Default is <strong>t3.micro</strong><br><br> VpcId : VPC to launch EC2 instance into<br><br> SubnetId : Subnet for EC2 instance<br><br> KeyName : Keypair to use<br><br> CidrIp : CIDR range for SSH x.x.x.x/x<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">AMI - Linux </span><span class="m">2</span> <span class="na">Default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ami-0e1d30f2c40c4c701'</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Instance type to be used - t3.micro default</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">t3.micro</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC::Id</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">VPC to be used</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet::Id</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Subnet to be used</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::KeyPair::KeyName</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Keyname</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">CidrIp to be used to connect from x.x.x.x/x</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="s">AWS::CloudFormation::Interface:</span> <span class="s">ParameterGroups</span><span class="err">:</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Network</span><span class="nv"> </span><span class="s">Configuration"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ImageId</span> <span class="pi">-</span> <span class="s">InstanceType</span> <span class="pi">-</span> <span class="s">VpcId</span> <span class="pi">-</span> <span class="s">SubnetId</span> <span class="pi">-</span> <span class="s">KeyName</span> <span class="pi">-</span> <span class="s">CidrIp</span> </code></pre> </div> <h2> Final YAML Script </h2> <p>After putting all this together. The final YAML scripts looks like the following. The code is also available at <a href="https://github.com/jamesmonek/prowler-cloudformation">Github</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Create</span><span class="nv"> </span><span class="s">EC2</span><span class="nv"> </span><span class="s">instanace</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">Prowler</span><span class="nv"> </span><span class="s">pre-configured</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">tied</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">roles</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">run"</span> <span class="c1"># Template Parameters</span> <span class="c1"># ImageId : Default is AWS Linux 2 ami-0e1d30f2c40c4c701</span> <span class="c1"># InstanceType : Default is t3.micro</span> <span class="c1"># VpcId : VPC to launch in</span> <span class="c1"># SubnetId : Subnet to connect</span> <span class="c1"># KeyName : Keypair to use</span> <span class="c1"># CidrIp : CIDR range for SSH x.x.x.x/x</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># Create Prowler Instance - Parameters for ImageId, InstanceType, SubnetId, SecurityGroupIds, and KeyName</span> <span class="na">ProwlerInstance</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::EC2::Instance'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ImageId</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InstanceType</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SubnetId</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">InstanceSecurityGroup</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">KeyName</span> <span class="na">IamInstanceProfile</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProwlerInstanceProfile</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Prowler</span> <span class="na">BlockDeviceMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">DeviceName</span><span class="pi">:</span> <span class="s">/dev/xvda</span> <span class="na">Ebs</span><span class="pi">:</span> <span class="na">VolumeSize</span><span class="pi">:</span> <span class="m">8</span> <span class="na">Encrypted</span><span class="pi">:</span> <span class="no">true</span> <span class="c1"># Run bash to install and configure Prowler</span> <span class="na">UserData</span><span class="pi">:</span> <span class="s">Fn::Base64:</span> <span class="s">!Sub |</span> <span class="s">#!/bin/bash -xe</span> <span class="s">sudo yum update -y</span> <span class="s">sudo yum remove -y awscli</span> <span class="s">cd /home/ec2-user</span> <span class="s">curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/home/ec2-user/awscliv2.zip"</span> <span class="s">unzip /home/ec2-user/awscliv2.zip</span> <span class="s">sudo /home/ec2-user/aws/install</span> <span class="s">sudo yum install -y python3 jq git</span> <span class="s">sudo pip3 install detect-secrets==1.0.3</span> <span class="s">git clone https://github.com/prowler-cloud/prowler /home/ec2-user/prowler</span> <span class="s">chown -R ec2-user:ec2-user /home/ec2-user/prowler</span> <span class="na">ProwlerInstanceProfile</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::InstanceProfile</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">InstanceProfileName</span><span class="pi">:</span> <span class="s">prowler-ec2-instance-profile</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ProwlerEc2InstanceRole</span> <span class="c1"># Create Security Group</span> <span class="na">InstanceSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow ssh from specific host</span> <span class="na">GroupName</span><span class="pi">:</span> <span class="s">ProwlerSecurityGroup</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VpcId</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CidrIp</span> <span class="c1"># Create EC2 Instance Role to run security checks and attach to instance</span> <span class="na">ProwlerEc2InstanceRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="s">prowler-ec2-instance-role</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ec2.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/SecurityAudit</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/job-function/ViewOnlyAccess</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># Parameters for cloudformation template with some defaults</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">AMI - Linux </span><span class="m">2</span> <span class="na">Default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ami-0e1d30f2c40c4c701'</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Instance type to be used - t3.micro default</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">t3.micro</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC::Id</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">VPC to be used</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet::Id</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Subnet to be used</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::KeyPair::KeyName</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Keyname</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">CidrIp to be used to connect from x.x.x.x/x</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="s">AWS::CloudFormation::Interface:</span> <span class="s">ParameterGroups</span><span class="err">:</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Network</span><span class="nv"> </span><span class="s">Configuration"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ImageId</span> <span class="pi">-</span> <span class="s">InstanceType</span> <span class="pi">-</span> <span class="s">VpcId</span> <span class="pi">-</span> <span class="s">SubnetId</span> <span class="pi">-</span> <span class="s">KeyName</span> <span class="pi">-</span> <span class="s">CidrIp</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <h2> Running Prowler </h2> <p>After launching the CloudFormation template, simply sign into the EC2 instance and change into the /home/ec2-user/prowler directory.</p> <p>To start, I recommend running Prowler with the HTML output file option. This provides a dynamic HTML file that you can review all the findings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./prowler <span class="nt">-M</span> html </code></pre> </div> <p>You can run direct output to multiple formats at once such as csv and json<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./prowler <span class="nt">-M</span> csv,json,html </code></pre> </div> <h2> Decommissioning the resources </h2> <p>After you run Prowler, copy the output files to another system or S3 for review and record keeping. Go back into CloudFormation and delete the stack to remove all the resources that were generated.</p> <h2> Next steps </h2> <p>Prowler is also supported by AWS Security Hub, so you can send your findings directly to Security Hub. There's also a workshop available to build security dashboards in Quicksight from Prowler data. Details for this integration can be found at <a href="https://catalog.us-east-1.prod.workshops.aws/workshops/b1cdc52b-eb11-44ed-8dc8-9dfe5fb254f5/en-US">Building Prowler into a QuickSight powered AWS Security Dashboard</a>.</p> cloud aws security cloudformation James Monek Sun, 13 Mar 2022 23:24:48 +0000 https://forem.com/aws-builders/compliance-checking-in-aws-3ode https://forem.com/aws-builders/compliance-checking-in-aws-3ode <p>Storing protected data such as HIPAA in the cloud requires extra attention to ensure the data is not compromised. Using the <a href="https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final">NIST 800-171 framework</a> provides guidance for controls that can help facilitate the protection of HIPAA and other protected data sets. <a href="https://docs.aws.amazon.com/audit-manager/latest/userguide/NIST-800-171-r2-1.1.html">AWS Audit Manager</a> is a good starting point for auditing your environment against NIST 800-171 but I wanted to learn more about NIST and building controls in AWS to protect data. To do this, I wanted to use AWS Config service to monitor for compliance for controls and to use AWS Simple Notification Service to send alerts to via email and Slack. To accomplish this, AWS provides <a href="https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html">operational best practices for using AWS Config service</a> to continuous monitor many NIST 800-171 controls. From this, I pulled controls that are applicable for services being utilized to host and analyze data in AWS.</p> <h2> AWS Config Service </h2> <p>AWS Config provides services to assess and audit configurations for AWS resources. We all have read articles about S3 buckets being misconfigured and exposing data to the public. AWS Config can monitor for buckets that are configured for public access. If bucket should be misconfigured or changed to allow public access, AWS Config will report this compliance violation and you can set up remediation to automatically change the settings back.</p> <p>Lets build out Cloudfomation template that checks for compliance for blocking public access and for EBS volumes that are not encrypted.</p> <p><strong>Check for the S3 bucket public access</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># S3 Compliance checks</span> <span class="na">ConfigRuleBucketReadProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-public-read-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allow</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">read</span><span class="nv"> </span><span class="s">access.</span><span class="nv"> </span><span class="s">If</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">ACL</span><span class="nv"> </span><span class="s">allows</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">read</span><span class="nv"> </span><span class="s">access,</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">noncompliant."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_PUBLIC_READ_PROHIBITED"</span> <span class="na">ConfigRuleBucketWriteProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-public-write-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allow</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">access.</span><span class="nv"> </span><span class="s">If</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">ACL</span><span class="nv"> </span><span class="s">allows</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">access,</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">noncompliant."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_PUBLIC_WRITE_PROHIBITED"</span> <span class="na">ConfigRuleS3PublicAccess</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-account-level-public-access-blocks"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::AccountPublicAccessBlock"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">whether</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">access</span><span class="nv"> </span><span class="s">block</span><span class="nv"> </span><span class="s">settings</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">configured</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">account</span><span class="nv"> </span><span class="s">level.</span><span class="nv"> </span><span class="s">The</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">only</span><span class="nv"> </span><span class="s">NON_COMPLIANT</span><span class="nv"> </span><span class="s">when</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">fields</span><span class="nv"> </span><span class="s">set</span><span class="nv"> </span><span class="s">below</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">match</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">corresponding</span><span class="nv"> </span><span class="s">fields</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">configuration</span><span class="nv"> </span><span class="s">item."</span> <span class="na">InputParameters</span><span class="pi">:</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"</span> <span class="na">ConfigRuleBucketPublicAccessProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-level-public-access-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Checks</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">Simple</span><span class="nv"> </span><span class="s">Storage</span><span class="nv"> </span><span class="s">Service</span><span class="nv"> </span><span class="s">(Amazon</span><span class="nv"> </span><span class="s">S3)</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">publicly</span><span class="nv"> </span><span class="s">accessible.</span><span class="nv"> </span><span class="s">This</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">NON_COMPLIANT</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">listed</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">excludedPublicBuckets</span><span class="nv"> </span><span class="s">parameter</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">level</span><span class="nv"> </span><span class="s">settings</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">public."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"</span> </code></pre> </div> <p><strong>Check that EBS Volumes are encrypted</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#EC2 and EBS Compliance Checks</span> <span class="na">ConfigRuleEncryptedVolumes</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">encrypted-volumes"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::EC2::Volume"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">whether</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">volumes</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">attached</span><span class="nv"> </span><span class="s">state</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">encrypted."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ENCRYPTED_VOLUMES"</span> </code></pre> </div> <h2> Notification for compliance changes </h2> <p>Now that we have some compliance checking rules, we’ll want to notify us when resources are out of compliance. To do this, we will use a combination of AWS <a href="https://aws.amazon.com/eventbridge/">EventBridge</a> and <a href="https://aws.amazon.com/sns">Simple Notification Service</a>.</p> <p>EventBridge is a serverless event bus that we will use to detect changes to AWS Config. To get started, we will create an event rule to detect when a compliance changes. Portion of the cloud formation template is below and the particular section to note is the EventPattern.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">EventRule</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Events::Rule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">detect-config-changes"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">CloudWatch</span><span class="nv"> </span><span class="s">Event</span><span class="nv"> </span><span class="s">Rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">detects</span><span class="nv"> </span><span class="s">changes</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">AWS</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">publishes</span><span class="nv"> </span><span class="s">change</span><span class="nv"> </span><span class="s">events</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">SNS</span><span class="nv"> </span><span class="s">topic</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">notification."</span> <span class="na">State</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ENABLED"</span> <span class="na">Targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Arn</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SnsTopic"</span> <span class="na">Id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">target-id1"</span> <span class="na">EventPattern</span><span class="pi">:</span> <span class="na">detail-type</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Config</span><span class="nv"> </span><span class="s">Rules</span><span class="nv"> </span><span class="s">Compliance</span><span class="nv"> </span><span class="s">Change"</span> <span class="na">source</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws.config"</span> </code></pre> </div> <p>Next, we will want to build out the SNS Topic to send us an email to alert us of compliance changes. The SNS Topic section creates the subscription, where as, the TopicPolicy section provides permissions to publish the notification.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">SnsTopic</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::SNS::Topic"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Subscription</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws-notifications-list@example.com"</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">email"</span> <span class="na">TopicName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sns-topic"</span> <span class="na">TopicPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SNS::TopicPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">HDWTopicPolicy</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowServices</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">events.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sns:Publish'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SnsTopic</span> </code></pre> </div> <h2> Putting this all together </h2> <p>The final CloudFormation templates are below. The first stack creates the AWS Config rules and the other creates the EventBridge and SNS notifications. </p> <p><strong>AWS Config CloudFormation Template</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">Checks"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1">#EC2 and EBS Compliance Checks</span> <span class="na">ConfigRuleEncryptedVolumes</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">encrypted-volumes"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::EC2::Volume"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">whether</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">volumes</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">attached</span><span class="nv"> </span><span class="s">state</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">encrypted."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ENCRYPTED_VOLUMES"</span> <span class="c1"># S3 Compliance checks</span> <span class="na">ConfigRuleBucketReadProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-public-read-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allow</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">read</span><span class="nv"> </span><span class="s">access.</span><span class="nv"> </span><span class="s">If</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">ACL</span><span class="nv"> </span><span class="s">allows</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">read</span><span class="nv"> </span><span class="s">access,</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">noncompliant."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_PUBLIC_READ_PROHIBITED"</span> <span class="na">ConfigRuleBucketWriteProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-public-write-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">allow</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">access.</span><span class="nv"> </span><span class="s">If</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">ACL</span><span class="nv"> </span><span class="s">allows</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">access,</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">noncompliant."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_PUBLIC_WRITE_PROHIBITED"</span> <span class="na">ConfigRuleS3PublicAccess</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-account-level-public-access-blocks"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::AccountPublicAccessBlock"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">checks</span><span class="nv"> </span><span class="s">whether</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">access</span><span class="nv"> </span><span class="s">block</span><span class="nv"> </span><span class="s">settings</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">configured</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">account</span><span class="nv"> </span><span class="s">level.</span><span class="nv"> </span><span class="s">The</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">only</span><span class="nv"> </span><span class="s">NON_COMPLIANT</span><span class="nv"> </span><span class="s">when</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">fields</span><span class="nv"> </span><span class="s">set</span><span class="nv"> </span><span class="s">below</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">match</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">corresponding</span><span class="nv"> </span><span class="s">fields</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">configuration</span><span class="nv"> </span><span class="s">item."</span> <span class="na">InputParameters</span><span class="pi">:</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS"</span> <span class="na">ConfigRuleBucketPublicAccessProhibited</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Config::ConfigRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ConfigRuleName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3-bucket-level-public-access-prohibited"</span> <span class="na">Scope</span><span class="pi">:</span> <span class="na">ComplianceResourceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Checks</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">Simple</span><span class="nv"> </span><span class="s">Storage</span><span class="nv"> </span><span class="s">Service</span><span class="nv"> </span><span class="s">(Amazon</span><span class="nv"> </span><span class="s">S3)</span><span class="nv"> </span><span class="s">buckets</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">publicly</span><span class="nv"> </span><span class="s">accessible.</span><span class="nv"> </span><span class="s">This</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">NON_COMPLIANT</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">Amazon</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">listed</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">excludedPublicBuckets</span><span class="nv"> </span><span class="s">parameter</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">bucket</span><span class="nv"> </span><span class="s">level</span><span class="nv"> </span><span class="s">settings</span><span class="nv"> </span><span class="s">are</span><span class="nv"> </span><span class="s">public."</span> <span class="na">Source</span><span class="pi">:</span> <span class="na">Owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS"</span> <span class="na">SourceIdentifier</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p><strong>EventBridge and SNS Notifications</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Create</span><span class="nv"> </span><span class="s">SNS</span><span class="nv"> </span><span class="s">topic</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">send</span><span class="nv"> </span><span class="s">alerts</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">notifications</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">aws-notifications-list@example.com"</span> <span class="c1"># Create SNSTopic to send email to aws-notifications-list@example.com</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">SnsTopic</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::SNS::Topic"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Subscription</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws-notifications-list@example.com"</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">email"</span> <span class="na">TopicName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sns-topic"</span> <span class="na">TopicPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SNS::TopicPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">HDWTopicPolicy</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowServices</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">events.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sns:Publish'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SnsTopic</span> <span class="na">Topics</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SnsTopic</span> <span class="c1"># Create CloudWatch Event Rule to notify of config changes</span> <span class="na">EventRule</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::Events::Rule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">detect-config-changes"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">A</span><span class="nv"> </span><span class="s">CloudWatch</span><span class="nv"> </span><span class="s">Event</span><span class="nv"> </span><span class="s">Rule</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">detects</span><span class="nv"> </span><span class="s">changes</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">AWS</span><span class="nv"> </span><span class="s">Config</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">publishes</span><span class="nv"> </span><span class="s">change</span><span class="nv"> </span><span class="s">events</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">an</span><span class="nv"> </span><span class="s">SNS</span><span class="nv"> </span><span class="s">topic</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">notification."</span> <span class="na">State</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ENABLED"</span> <span class="na">Targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Arn</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SnsTopic"</span> <span class="na">Id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">target-id1"</span> <span class="na">EventPattern</span><span class="pi">:</span> <span class="na">detail-type</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Config</span><span class="nv"> </span><span class="s">Rules</span><span class="nv"> </span><span class="s">Compliance</span><span class="nv"> </span><span class="s">Change"</span> <span class="na">source</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws.config"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <h2> What’s next? </h2> <p>There are two additional items I’ll be looking to expand on. One is to add functionality for SNS to post the event in a Slack Channel when a resource comes out of compliance. Lastly, I’ll look to clean up JSON output to be more readable for the notifications.</p> James Monek Sun, 02 Jan 2022 23:11:52 +0000 https://forem.com/aws-builders/dont-bring-your-network-to-the-cloud-468m https://forem.com/aws-builders/dont-bring-your-network-to-the-cloud-468m <p>I recently had the opportunity to facilitate a workshop at the annual Cloud Forum hosted by Cornell. The purpose of the workshop was to discuss whether to bring your networking to the cloud, meaning develop a hub and spoke architecture in AWS using transit gateways and then connecting to your campus network using VPN or Direct Connect. Or is it best to use cloud native networking and connect through the internet.</p> <h2> Why would you bring your networking to the cloud? </h2> <p>Let’s explore some of the reasons why you may consider bringing your network to the cloud. Some being very legitimate reasons, while others are perceived benefits.</p> <p>Funneling all network traffic through your campus network and then through VPN is considered more secure. Initially, this sounds logical, forcing all your network traffic through your networking and firewalls allows you utilize existing security tools, risk assessments, monitoring, filtering, and SIEM. With this architecture, you need to ensure you lock down all cloud services for being exposed to the internet and force all services through your hub and spoke model. Your attack vector may be reduced but if your on-premise infrastructure is compromised, the attacker will still be able to access your cloud resources. Seems like a win-win scenario and it may be.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9oh4dgm82zb080bybent.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9oh4dgm82zb080bybent.png" alt="Image description"></a></p> <p>One downside of this architecture is the limitations of bandwidth of the VPN tunnel and the cost of direct connections. You also need to account for redundancy in this model, which will increase costs. Many higher education institutions have multiple high speed ISP connections for performance and redundancy. By not using the commodity ISP, you lose redundancy and high bandwidth.</p> <p>Having your data travel across wild west of the internet adds a layer of complexity when debugging performance issues with applications and services. Whereas, the Direct Connect model comes with expectation of performance.</p> <p>DDoS attacks are real and can bring the institution’s access to the internet to a crawl or be decommissioned altogether. This mean that during an attack, access to cloud services through the ISPs will be inaccessible. Campus resources will continue to function and more than likely the Direct Connect will be unaffected by the attack, so cloud direct services will be accessible. Of course, the simple answer is to connect to those cloud resources from an alternative location such as remote home office, but this can be disruptive for higher education institutions.</p> <h2> Argument for not bringing your networking to the cloud </h2> <p>As noted, most higher education institutions have multiple high speed ISPs. By not forcing traffic through your network, you can take advantage of those high bandwidth connections and inherent redundancies. You lose the additional data transfer costs and connection fees associated with VPN and Direct Connect.</p> <p>By relying solely on cloud services, you gain the benefit of building redundancy and resilience for your applications and services by using elastic load balancers, Route 53, auto-scaling, and design architectures across availability zones and regions. Many cloud networking services have solid integration with other services you will be utilizing.</p> <p>Bringing traditional networking to the cloud can add complexity and, in some regards, less secure. It may mean adding 3rd party appliances or services to match on-premise architecture. Whereas, using cloud native networking, you utilize cloud services to the fullest, improve security within your architecture, and is often more cost efficient. Just as in lift and shift model of moving servers into the cloud, you lose the value of cloud services. Don’t do the same with your networking.</p> <h2> No one solutions for every use case </h2> <p>Something to consider is Software Defined Networking (SDN) and how it can be used to bridge the gaps between on-premise networks and the cloud by providing a central view of all networks, allowing for agility, virtualization, and portability.</p> <p>The important takeaways from this are that you don’t need to limit your networking architect to one model or path, you can bring both your network to the cloud and use cloud native networking. You’ll need to consider security, costs, performance, supportability, and user experience when selecting the path to the cloud. Selecting the right networking architecture can be challenging but keep in mind some of these points and use cases.</p> <p>Special thanks and credits to John Bailey. Asst. Director, Cloud Systems at Washington University in St. Louis. John initially held a lightning round session and lead the workshop design for this topic.</p> aws cloud networking