
Cloud Infrastructure Security Report
Prepared for Acme Corp

From: Jul 24, 2016 at 09:08 PDT To: Jul 24, 2017 at 09:08 PDT

Cloud Account(s):  Dev Account, Staging Account, Production Account

Table of Contents

Executive Summary

Configuration & Compliance Risks

Network Security Risks

IAM Risks

Executive Summary

Resources Monitored: 814
Open Alerts: 49
Accounts Monitored: 3

[Chart: Alerts By Status (460 alerts; Resolved vs. Open)]

[Chart: Open Alerts By Violation Type (79 alerts; Config, Network, Anomaly)]

[Chart: Resources By Risk Rating, Sep '16 to May '17 (ratings A, B, C, F; 0 to 600 resources)]

[Chart: Open Alerts By Severity (49 alerts; High, Medium, Low)]

Policy Compliance Summary

(Rows are colour-coded by severity, High / Medium / Low, in the original report.)

Name                                                                 | Compliance Standard | Resource(s) Passed | Resource(s) Failed
RDS instances are not encrypted                                      | PCI DSS v3.2, CIS   | 15                 | 69
Account Hijacking attempts                                           | N/A                 | 200                | 16
Default Security Group does not restrict all traffic                 | CIS                 | 16                 | 12
Security groups allow internet traffic                               | PCI DSS v3.2, CIS   | 58                 | 12
Security Groups allow internet traffic to SSH port (22)              | CIS                 | 50                 | 12
S3 buckets are accessible to public                                  | PCI DSS v3.2        | 50                 | 9
Internet exposed instances                                           | Network             | N/A                | 6
Excessive login failures                                             | N/A                 | 200                | 4
SSH from internet to non-ELB & non-NAT resources                     | Network             | N/A                | 3
Publicly accessible AMIs                                             | N/A                 | 2                  | 2
EBS snapshots are accessible to public                               | N/A                 | 4                  | 1
CloudTrail logs are not encrypted using Customer Master Keys (CMKs)  | CIS                 | 3                  | 1
Access logging not enabled on S3 buckets                             | PCI DSS v3.2        | 10                 | 53
MFA not enabled for IAM users                                        | PCI DSS v3.2, CIS   | 8                  | 28
Access keys are not rotated for 90 days                              | N/A                 | 21                 | 21
VPC Flow Logs not enabled                                            | CIS                 | 11                 | 12
Customer Master Key (CMK) rotation is not enabled                    | PCI DSS v3.2, CIS   | 1                  | 9
IAM password policy does not have a minimum of 14 characters         | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy does not have an uppercase character             | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy allows password reuse                            | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy does not have password expiration period         | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy does not exist                                   | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy does not have a lowercase character              | PCI DSS v3.2, CIS   | 3                  | 1
IAM password policy does not expire in 90 days                       | CIS                 | 3                  | 1
Inactive users for more than 30 days                                 | PCI DSS v3.2, CIS   | 9                  | 34
Security Groups not in use                                           | N/A                 | 98                 | 27
Access logging not enabled on all CloudTrail buckets                 | CIS                 | 1                  | 18
IAM policies are not attached to groups only                         | CIS                 | 12                 | 1

Configuration & Compliance Risks

The RedLock platform ingests configuration data from various cloud services to identify potential compliance risks for customers. This data is scanned by RedLock's policy engine to identify compliance violations based on CIS (Center for Internet Security) benchmarks, PCI DSS (Payment Card Industry Data Security Standard), and other industry best practices.

Publicly accessible AMIs

Resource Type: VM Image

Resource(s) Failed: 2

Resource(s) Passed: 2

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jun 27, 2017 at 01:12 PDT

Description:

Checks to ensure that AMIs are not accessible to the public. An Amazon Machine Image (AMI) provides the information needed to launch an instance in the cloud. AMIs may contain proprietary customer information and should be accessible only to authorized internal users.

Resource(s) Failed:

public-image-test,  public-image-test

Recommendations:

1. Login to the AWS Console and navigate to 'EC2' service.

2. Navigate to the AMI that was reported in the alert.

3. Click on 'Modify Image Permissions' and make sure 'Public' is deselected so that the image is not available to the public.


Default Security Group does not restrict all traffic

Resource Type: Security Group

Resource(s) Failed: 12

Resource(s) Passed: 16

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that the default security group restricts all inbound and outbound traffic. A VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet (only traffic from instances in the same group is allowed in) and allows all outbound traffic. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic

Resource(s) Failed:

default

Recommendations:

1. Login to the AWS Console and navigate to the 'VPC' service.

2. For each region, select the 'Security Groups' and then click on the 'default' security group.

3. Delete all 'Inbound Rules' and 'Outbound Rules'; with no rules, the default security group restricts all traffic. Launch instances with a purpose-built security group rather than relying on the default one.


Security groups allow internet traffic

Resource Type: Security Group

Resource(s) Failed: 12

Resource(s) Passed: 58

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 11, 2017 at 20:41 PDT

Description:

Checks to ensure that Security Groups do not allow all traffic from the internet. A Security Group acts as a virtual firewall that controls the traffic for one or more instances. Security groups should have restrictive rules that only allow incoming traffic from specific source IPs to the specific ports on which the application is listening.

Resource(s) Failed:

default

Recommendations:

If the reported Security Groups should not accept traffic from the internet, follow the instructions below:

1. Login to the AWS console and navigate to the 'VPC' service.

2. Click on the 'Security Group' specific to the alert.

3. Click on 'Inbound Rules' and remove the rows whose source is 0.0.0.0/0 (or ::/0).

4. Click on 'Outbound Rules' and remove the rows whose destination is 0.0.0.0/0 (or ::/0).


CloudTrail logs are not encrypted using Customer Master Keys (CMKs)

Resource Type: CloudTrail Setting

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 11, 2017 at 20:41 PDT

Description:

Checks to ensure that CloudTrail logs are encrypted. AWS CloudTrail is a service that enables governance, compliance, operational & riskauditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data since it may contain sensitiveinformation.

Resource(s) Failed:

trail-1

Recommendations:

1. Login to AWS Console and navigate to the 'CloudTrail' service.

2. For each trail, under Configuration > Storage Location, set 'Encrypt log files' to 'Yes' and then choose an existing KMS key or create a new one to encrypt the logs with. The key policy must allow CloudTrail to use the key (kms:GenerateDataKey*) and must allow the principals who read the logs to call kms:Decrypt; otherwise log delivery or log reads will fail.


Security Groups allow internet traffic to SSH port (22)

Resource Type: Security Group

Resource(s) Failed: 12

Resource(s) Passed: 50

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that Security Groups do not allow inbound traffic on the SSH port (22) from the public internet. Doing so may allow a bad actor to brute-force their way into the system and, from there, pivot into the rest of the network.

Resource(s) Failed:

Qualys Virtual Scanner Appliance -Pre-Authorized Scanning- HVM-2-2-27-2-PA-AutogenByAWSMP-,  launch-wizard-1,  build-server-sg, Bastion stage,  splunk,  W Sec Group,  ssh-from-world,  SSH from internet,  launch-wizard-1,  incoming-from-dev_vpc-and-ssh-from-everywhere ...and 2 More

Recommendations:

If the reported Security Groups should not accept SSH from the internet, follow the instructions below:

1. Login to the AWS Console and navigate to the 'VPC' service.

2. Select the 'Security Group' reported in the alert and click on 'Inbound Rules'.

3. Remove any row with port 22 and source 0.0.0.0/0 (or ::/0), and any row with no port restriction (all traffic) and source 0.0.0.0/0 (or ::/0). A port range that includes 22 (for example 0-1024) counts as well. Restrict SSH to known source CIDRs such as a VPN or bastion host instead.
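The three security-group checks above (default group with rules, any inbound rule open to the internet, SSH reachable from the internet) can be run against `aws ec2 describe-security-groups --output json` instead of clicking through the console. The script below is an added example written for this page, not RedLock's code; the JSON it carries is constructed to mirror the shape of the API response, and the group names and IDs are placeholders.

```python
"""Evaluate `aws ec2 describe-security-groups --output json` for the three
security-group policies in this report. Added example, not RedLock code.
Group names and IDs below are constructed placeholders."""
import ipaddress
import json
import sys

SSH_PORT = 22

# Constructed sample in the shape of the describe-security-groups response.
SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "ssh-from-world",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "launch-wizard-1",
     # Port range 0-1024 over IPv6 "any": includes 22 even though FromPort != 22.
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ddd", "GroupName": "web-from-office",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
]})


def world_open(perm):
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def covers_port(perm, port):
    """All-protocol rules ("-1") have no port fields and cover every port;
    otherwise only TCP can carry SSH, and the port must fall in FromPort..ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi


def evaluate(sg_json):
    """Return {GroupName: [finding, ...]} for groups failing at least one policy."""
    findings = {}
    for sg in json.loads(sg_json)["SecurityGroups"]:
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        found = []
        if sg["GroupName"] == "default" and (ingress or egress):
            found.append("default SG has rules")          # CIS: default SG restricts all traffic
        if any(world_open(p) for p in ingress):
            found.append("inbound open to internet")      # any 0.0.0.0/0 or ::/0 source
        if any(world_open(p) and covers_port(p, SSH_PORT) for p in ingress):
            found.append("SSH open to internet")          # port 22 reachable from anywhere
        if found:
            findings[sg["GroupName"]] = found
    return findings


if __name__ == "__main__":
    # `... | python3 sg_check.py -` reads the real API output; no argument runs the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_JSON
    for name, found in sorted(evaluate(data).items()):
        print(f"{name}: {', '.join(found)}")
```

Run it per region (security groups are regional) as `aws ec2 describe-security-groups --output json | python3 sg_check.py -`. The all-protocol rule (`IpProtocol: -1`) carries no port fields at all, so a naive `FromPort == 22` test misses the most common offender; `covers_port` handles that case and port ranges that happen to contain 22.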


RDS instances are not encrypted

Resource Type: Managed Database

Resource(s) Failed: 69

Resource(s) Passed: 15

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that RDS instances are encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. Amazon allows customers to turn on encryption at rest for RDS, which is recommended for compliance and security reasons.

Resource(s) Failed:

res-055772715862,  res-841793971818,  res962538314265,  res704132753494,  res-713815611333,  gaurav-7,  res-790717076026,  gaurav-test-rr,  res2-824141832381,  res938284595466 ...and 59 More

Recommendations:

Encryption at rest can only be selected when an RDS instance is created; it cannot be switched on for an existing unencrypted instance. To encrypt an existing instance, take a snapshot, copy the snapshot with encryption enabled (choosing a KMS key), restore a new instance from the encrypted copy, and cut applications over to it. See the following for details:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html


EBS snapshots are accessible to public

Resource Type: Snapshot Settings

Resource(s) Failed: 1

Resource(s) Passed: 4

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 20, 2017 at 10:31 PDT

Description:

Checks to ensure that EBS snapshots are not accessible to the public. Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. If an EBS snapshot is inadvertently shared publicly, anyone with an AWS account can copy it or create a volume from it and read the data it contains.

Resource(s) Failed:

snap-012ce8630ade1662f

Recommendations:

1. Login to the 'AWS Console' and access the 'EC2' service.

2. Under the 'Elastic Block Storage', click on the 'Snapshots'.

3. Select the specific snapshot, choose 'Modify Permissions' and set it to 'Private'.

4. Encryption cannot be enabled on an existing snapshot. If the snapshot should be encrypted, copy it with encryption enabled (choosing a KMS key), then delete the unencrypted original.


S3 buckets are accessible to public

Resource Type: Bucket ACL

Resource(s) Failed: 9

Resource(s) Passed: 50

Compliance: PCI DSS v3.2

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks for publicly accessible S3 buckets. Amazon S3 allows customers to store and retrieve any type of content from anywhere on the web. Customers often have legitimate reasons to expose an S3 bucket to the public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in a data leak.

Resource(s) Failed:

redlock-brb, stagingfiles-redlock, redlock-2.io, www.redlock-2.io, redlockstage, stagingfiles-dev, cf-templates-6dxf8zsnr80o-us-east-1, redlockdev, cf-templates-6dxf8zsnr80o-us-west-1

Recommendations:

1. Login to the AWS Console and navigate to the 'S3' service.

2. Click on the 'S3' resource reported in the alert.

3. Click on the 'Permissions'.

4. Under 'Manage Public Permissions', make sure 'Everyone' is deselected. Check the bucket policy as well: a policy statement with Principal '*' makes the bucket public even when the ACL is clean.


IAM password policy does not have password expiration period

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM password policy has an expiration period. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

123456789

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', check 'Enable password expiration' and enter a password expiration period.


IAM password policy does not have a lowercase character

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

987654321

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', check 'Require at least one lowercase letter '.


Customer Master Key (CMK) rotation is not enabled

Resource Type: Managed Key Rotation Status

Resource(s) Failed: 9

Resource(s) Passed: 1

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. Rotating keys limits the amount of data protected by any single key version, so a compromise of one version exposes less. KMS keeps the previous key material, so existing ciphertexts still decrypt and old data does not need to be re-encrypted.

Resource(s) Failed:

0636ffa0-e046-46f4-9688-6be3dafce925,  b31e435c-da23-4ec3-a5ba-f6df798937cb,  59ac8c16-a5dc-4ac6-8418-bc913dc74fa4,  8297770e-dd15-4372-a6e1-e7e4a7c17efc,  9852bd97-427f-46ab-b1ec-689e044b131d,  031ab3c5-e27b-494e-98e9-3db5d476b233,  f5d2d2bb-f24b-46e1-a0a1-f398d84b9a77,  2b2ce210-c3dd-4053-b9f7-d41e16a522c1,  c95dd657-a5f5-4476-a292-2389a690a10b

Recommendations:

1. Identify the resource (key) related to this policy.

2. In the IAM Service > Encryption Keys, select the specific key.

3. Under 'Key Policy', ensure that 'Rotate this key every year' is enabled. This setting applies to customer-managed CMKs only; AWS-managed keys are rotated by AWS and cannot be configured.


IAM password policy allows password reuse

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM policy does not allow password reuse . AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

112233445

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', check 'Prevent password reuse'.


VPC Flow Logs not enabled

Resource Type: Virtual Network

Resource(s) Failed: 12

Resource(s) Passed: 11

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 11, 2017 at 20:41 PDT

Description:

Checks for VPCs without flow logs turned on. VPC Flow Logs capture metadata (addresses, ports, protocol, byte counts, accept/reject) about IP traffic going to and from network interfaces in your VPC. Flow logs are used as a security tool to monitor the traffic that is reaching your instances. Without flow logs turned on, there is no record of which connections reached or were rejected by your instances, and the network findings in this report cannot be produced for that VPC.

Resource(s) Failed:

vpc-ae912ecb,  vpc-81d91ae8,  vpc-1060d979,  vpc-f713fd9e,  vpc-a601eacf,  vpc-ef56278a,  vpc-c9a82fac,  david-vpc,  vpc-f8feb49d,  vpc-e4b5578d ...and 2 More

Recommendations:

1. Login to the AWS and navigate to the 'VPC' service.

2. Navigate to the VPC that was reported in the alert.

3. Click on the 'Flow logs' tab and follow the instructions below to enable Flow Logs for the VPC.

https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/


IAM password policy does not exist

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM password policy is in place for the cloud accounts. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

121322334

Recommendations:

1. Login to AWS Console and navigate to the 'IAM' Service.

2. Click on 'Account Settings', make sure that one or more options under 'Password policy' are selected.


IAM password policy does not expire in 90 days

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM policy has password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

201345678320

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', check 'Enable password expiration' and set the value to '90 days'.


MFA not enabled for IAM users

Resource Type: IAM Credentials Report

Resource(s) Failed: 28

Resource(s) Passed: 8

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that MFA is enabled for all IAM users. The CIS benchmark scopes this to users with a console password; API-only users (access keys, no password) cannot use console MFA, so for those the relevant controls are key rotation and least-privilege policies.

Resource(s) Failed:

redlock-prod-ses-smtp-user.071417,  tools,  stage-s3-user,  demo-s3-user,  redlock_assumerole,  188619942792,  188619942792, 188619942792,  188619942792,  188619942792 ...and 18 More

Recommendations:

1. Login to the AWS and navigate to the 'IAM' service.

2. Navigate to the user that was reported in the alert.

3. Under 'Security Credentials', check "Assigned MFA Device" and follow the instructions to enable MFA for the user.


IAM password policy does not have a minimum of 14 characters

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM password policy requires minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

868672345672

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', enter 14 or more in the 'Minimum password length' �eld.


IAM password policy does not have a uppercase character

Resource Type: Password Policy

Resource(s) Failed: 1

Resource(s) Passed: N/A

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place.

Resource(s) Failed:

132465879221

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on 'Account Settings', check 'Require at least one uppercase letter '.
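The seven IAM password-policy checks above compare the account's policy with the CIS/PCI settings. The function below does that comparison on the `PasswordPolicy` object returned by `aws iam get-account-password-policy`. It is an added example, not RedLock code; the sample policies are constructed. Two API behaviours it encodes: when no policy was ever set, the call fails with NoSuchEntity rather than returning an empty policy (so the caller passes None), and fields such as `PasswordReusePrevention` and `MaxPasswordAge` are simply absent when the corresponding option is off, so `.get` with a safe default is required rather than direct indexing.

```python
"""Compare an IAM password policy with the settings checked above.
Added example, not RedLock code. `policy` is the "PasswordPolicy" object from
`aws iam get-account-password-policy`, or None when that call raised
NoSuchEntity (no policy has ever been set on the account)."""

CIS_MIN_LENGTH = 14
CIS_REUSE_PREVENTION = 24   # CIS benchmark value; the report only checks presence
CIS_MAX_AGE_DAYS = 90


def password_policy_findings(policy):
    """Return the names of the failed policies, in report order (empty = compliant)."""
    if policy is None:
        return ["IAM password policy does not exist"]
    failed = []
    if policy.get("MinimumPasswordLength", 0) < CIS_MIN_LENGTH:
        failed.append("IAM password policy does not have a minimum of 14 characters")
    if not policy.get("RequireUppercaseCharacters", False):
        failed.append("IAM password policy does not have an uppercase character")
    if not policy.get("RequireLowercaseCharacters", False):
        failed.append("IAM password policy does not have a lowercase character")
    # The API omits PasswordReusePrevention entirely when reuse is allowed.
    if policy.get("PasswordReusePrevention", 0) < CIS_REUSE_PREVENTION:
        failed.append("IAM password policy allows password reuse")
    # ExpirePasswords false (and no MaxPasswordAge) means passwords never expire.
    if not policy.get("ExpirePasswords", False):
        failed.append("IAM password policy does not have password expiration period")
    elif policy.get("MaxPasswordAge", 0) > CIS_MAX_AGE_DAYS:
        failed.append("IAM password policy does not expire in 90 days")
    return failed


# Constructed sample policies (field names are the real API field names).
WEAK = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False,
        "AllowUsersToChangePassword": True, "ExpirePasswords": False}
STRONG = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
          "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
          "AllowUsersToChangePassword": True, "ExpirePasswords": True,
          "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False}
LONG_EXPIRY = dict(STRONG, MaxPasswordAge=180)
```

The same settings are applied with `aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --password-reuse-prevention 24 --max-password-age 90`; note that the update call replaces the whole policy, so any option not passed on the command line reverts to its default.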


Access keys are not rotated for 90 days

Resource Type: IAM Credentials Report

Resource(s) Failed: 21

Resource(s) Passed: 21

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 12, 2017 at 12:44 PDT

Description:

Checks to ensure that access keys are rotated every 90 days. Access keys are used to sign API requests to AWS. As a security best practice, it is recommended that all access keys are regularly rotated to make sure that in the event of key compromise, unauthorized users are not able to gain access to your AWS services

Resource(s) Failed:

34521687912

Recommendations:

1. Login to the AWS console and navigate to the 'IAM' service.

2. Click on the user that was reported in the alert.

3. Click on 'Security Credentials' and review each 'Access Key'.

4. Follow the instructions below to rotate any access key older than 90 days: create a second key, move the application to it, deactivate the old key, confirm nothing breaks, then delete it.

https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/


Access logging not enabled on S3 buckets

Resource Type: Bucket Logging Config

Resource(s) Failed: 53

Resource(s) Passed: 10

Compliance: PCI DSS v3.2

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks for S3 buckets without access logging turned on. Access logging gives customers a complete audit trail of requests to sensitive workloads such as S3 buckets. It is recommended that access logging be turned on for all S3 buckets to meet audit & compliance requirements.

Resource(s) Failed:

redlock-dev-ingestion,  redlock-brb,  redlock-demo-ingestion,  redlock-stage-util,  redlock-dev-util,  redlock-demo-util,  redlock-redshift-logs, redlock-s3-logs,  redlock-cloud-trail,  redlock-dev-web.redlock.io ...and 43 More

Recommendations:

1. Login to the AWS Console and navigate to the 'S3' service.

2. Click on the S3 bucket that was reported and click on the 'Properties' tab.

3. Under the 'Logging' section, select 'Enable Logging' option.


Inactive users for more than 30 days

Resource Type: IAM Credentials Report

Resource(s) Failed: 34

Resource(s) Passed: 9

Compliance: PCI DSS v3.2, CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:17 PDT

Description:

Checks to ensure that users have not been inactive for more than 30 days. Inactive user accounts are an easy target for attackers because any activity on such an account will largely go unnoticed.

Resource(s) Failed:

534216987235

Recommendations:

1. Make sure that the user has legitimate reason to be inactive for such an extended period.

2. Delete the user account, if the user no longer needs access to the console or no longer exists.
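The three credential-report checks above (MFA not enabled, access keys not rotated for 90 days, users inactive for more than 30 days) all read the same IAM credential report, so one added example covers them. It is not RedLock code; the CSV is constructed with a subset of the real report's columns, and the timestamps are chosen relative to the report's last-seen date. It follows the CIS scoping for MFA (console users only); drop the `password_enabled` test to flag API-only users the way this report does.

```python
"""Evaluate an IAM credential report for the MFA, key-rotation and inactivity
checks above. Added example, not RedLock code. Feed it the decoded CSV from
`aws iam get-credential-report --query Content --output text | base64 -d`;
the CSV below is constructed with a subset of the real report's columns."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Evaluation time: the report's last-seen timestamp (constructed reference point).
NOW = datetime(2017, 7, 21, 16, 18, tzinfo=timezone.utc)
KEY_MAX_AGE = timedelta(days=90)
INACTIVE_AFTER = timedelta(days=30)

SAMPLE_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-05T10:00:00+00:00,not_supported,2017-07-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T00:00:00+00:00,true,2017-07-19T12:00:00+00:00,2017-06-01T00:00:00+00:00,2017-08-30T00:00:00+00:00,true,true,2017-07-01T00:00:00+00:00,2017-07-20T00:00:00+00:00,false,N/A,N/A
stage-s3-user,arn:aws:iam::123456789012:user/stage-s3-user,2016-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-09-01T00:00:00+00:00,2017-07-21T00:00:00+00:00,false,N/A,N/A
tools,arn:aws:iam::123456789012:user/tools,2016-03-01T00:00:00+00:00,true,2017-03-01T00:00:00+00:00,2017-03-01T00:00:00+00:00,2017-05-30T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""


def parse_ts(value):
    """Timestamps are ISO-8601; N/A, no_information and not_supported mean
    'never' or 'unknown' and become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def evaluate(report_csv, now=NOW):
    """Return {user: [finding, ...]} for users failing at least one check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, found = row["user"], []
        # MFA: CIS scopes this to users with a console password (root always counts).
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            found.append("MFA not enabled")
        # Key age: an active key with no rotation date is treated as never rotated.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > KEY_MAX_AGE:
                    found.append(f"access key {n} not rotated for 90 days")
        # Inactivity: newest of password/key use; a never-used user counts from creation.
        used = [t for t in (parse_ts(row["password_last_used"]),
                            parse_ts(row["access_key_1_last_used_date"]),
                            parse_ts(row["access_key_2_last_used_date"])) if t]
        last_activity = max(used) if used else parse_ts(row["user_creation_time"])
        if now - last_activity > INACTIVE_AFTER:
            found.append("inactive for more than 30 days")
        if found:
            findings[user] = found
    return findings
```

The report is generated asynchronously: call `aws iam generate-credential-report` first and retry `get-credential-report` until the state is COMPLETE. The `no_information` value for `password_last_used` means the user has not signed in since the account started tracking it, which for long-lived users is exactly the case the inactivity check should catch.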


Access logging not enabled on all CloudTrail buckets

Resource Type: Bucket ACL

Resource(s) Failed: 18

Resource(s) Passed: 1

Compliance: CIS

First Seen: Jul 11, 2017 at 13:30 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks to ensure that access logging is enabled on the CloudTrail S3 bucket. S3 bucket access logging generates an access record for each request made to the bucket. An access log record contains information such as the requester, the request type, the resource specified in the request, whether the request succeeded, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket so that reads of, and attempts to tamper with, the audit trail are themselves recorded.

Resource(s) Failed:

redlock-stage-archive,  redlock-redshift-logs,  redlock-demo-ingestion,  redlock-dev-archive,  redlock-demo-static,  redlock-dev-web.redlock.io,  redlock.io,  redlock-stage-static,  redlock.com,  redlock-cloud-trail ...and 8 More

Recommendations:

1. Login to the AWS Console and navigate to the 'S3' service.

2. Click on the S3 bucket that was reported and click on the 'Properties' tab.

3. Under the 'Logging' section, select 'Enable Logging' option.
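The public-bucket check and the two access-logging checks above (all S3 buckets, and the CloudTrail bucket specifically) can be evaluated from `aws s3api get-bucket-acl` and `aws s3api get-bucket-logging` output. This is an added example, not RedLock code; the bucket names, owner ID and ACL grants are constructed, and the CloudTrail bucket name is assumed to come from `aws cloudtrail describe-trails`.

```python
"""Classify S3 buckets from `aws s3api get-bucket-acl` and `get-bucket-logging`
output for the public-bucket and access-logging checks above. Added example,
not RedLock code; bucket names, owner ID and grants below are constructed."""

# Grantee URIs that make a bucket world-readable/writable. AuthenticatedUsers
# means *any* AWS account, which is effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_grants(acl):
    """Return [(group, permission)] for every grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return out


def logging_enabled(logging_cfg):
    """get-bucket-logging returns an empty object when logging is off."""
    target = logging_cfg.get("LoggingEnabled", {}).get("TargetBucket")
    return bool(target)


def evaluate(buckets, cloudtrail_buckets=()):
    """buckets: {name: {"acl": <get-bucket-acl>, "logging": <get-bucket-logging>}}.
    Returns {name: [finding, ...]} for buckets failing at least one check."""
    findings = {}
    for name, info in buckets.items():
        found = [f"public ({group}) has {perm}" for group, perm in public_grants(info["acl"])]
        if not logging_enabled(info["logging"]):
            tag = " (CloudTrail bucket)" if name in cloudtrail_buckets else ""
            found.append("access logging not enabled" + tag)
        if found:
            findings[name] = found
    return findings


OWNER = {"ID": "a" * 64}   # constructed canonical user ID
SAMPLE = {
    # Website bucket: legitimately world-readable, logging on.
    "www.example-site": {
        "acl": {"Owner": OWNER, "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]},
        "logging": {"LoggingEnabled": {"TargetBucket": "example-s3-logs", "TargetPrefix": "www/"}}},
    # CloudTrail bucket: only the log-delivery group (not public), but no access logging.
    "cloud-trail-logs": {
        "acl": {"Owner": OWNER, "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"}]},
        "logging": {}},
    # Any AWS account can write here and nobody is logging it.
    "shared-dump": {
        "acl": {"Owner": OWNER, "Grants": [
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "WRITE"}]},
        "logging": {}},
}
```

A bucket ACL is only one path to public exposure: a bucket policy with `"Principal": "*"` grants the same access and does not show up in the ACL, so pair this with `get-bucket-policy`. Website buckets such as the first sample are legitimately public; as the policy description above notes, the finding needs triage rather than blanket remediation.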


IAM policies are not attached to groups only

Resource Type: IAM User Managed Policies

Resource(s) Failed: 1

Resource(s) Passed: 12

Compliance: CIS

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: May 31, 2017 at 13:05 PDT

Description:

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.

Resource(s) Failed:

2-8721345981-list-attached-user-policies

Recommendations:

1. Login to the AWS Console and navigate to the 'IAM' service.

2. Identify the users that were specifically assigned the IAM policy.

3. If a group with a similar policy already exists, put the user in that group. If such a group does not exist, create a new group with the relevant policy and assign the user to the group.


Security Groups not in use

Resource Type: Security Group

Resource(s) Failed: 27

Resource(s) Passed: 98

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 21, 2017 at 16:18 PDT

Description:

Checks whether each security group is used by one or more cloud workloads. Security groups act as a virtual firewall to control network traffic for your instances. It is an AWS security best practice to make sure that security groups are assigned to one or more instances and are not left unused. An unused security group with weak rules may get inadvertently attached to a cloud workload, compromising its security.

Resource(s) Failed:

Production NAT Instance,  Inspector Test,  splunk,  incoming_ssh_from_world,  Public To Private Web,  ankur-demo,  Private ELB,  load-balancer-incoming-443,  Cache private stage,  ssh-from-world ...and 17 More

Recommendations:

1. Login to the AWS Console and navigate to the 'VPC' service.

2. Navigate to the 'Security Groups' reported in the alerts.

3. If the Security Groups are indeed not in use, delete them.

4. As a security best practice, make sure that only production approved security groups are getting used while creating new workloads.

Network Security Risks

RedLock continuously monitors north-south and east-west network traffic using flow logs and third-party threat intelligence feeds to identify security risks to sensitive workloads.

SSH from internet to non-ELB & non-NAT resources

Resource Type: Other

Resource(s) Failed: 3

Resource(s) Passed: N/A

Compliance: Network

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jun 02, 2017 at 09:56 PDT

Description:

Identifies all resources (non-ELB and non-NAT) in the AWS account that have accepted SSH connections from the internet, based on flow log records.

Resource(s) Failed:

Bastion Dev,  Bastion Prod backup,  Bastion Prod primary, Dev Database


Internet exposed instances

Resource Type: Other

Resource(s) Failed: 6

Resource(s) Passed: N/A

Compliance: Network

First Seen: Jun 02, 2017 at 13:32 PDT

Last Seen: Jul 21, 2017 at 14:41 PDT

Description:

Detects network traffic to sensitive cloud workloads from the public internet and from suspicious locations. Cloud workloads should have appropriate Security Groups and network ACLs in place so that only external-facing workloads such as load balancers, web servers and bastion hosts are exposed to the internet. Cloud workloads that are exposed to the internet become vulnerable to external threats.

Resource(s) Failed:

Bastion Prod primary,  Bastion Prod backup,  InspectorEC2InstanceLinux,  Bastion Dev,  Bastion Prod backup,  Bastion Prod primary, Dev Database

Recommendations:

1. Login to the AWS Console and search for the resource reported in the alert.

2. Check whether the security group for the resource indeed allows connections from the internet.

3. Assign the resource a security group with more restrictive rules that does not permit connections from the internet.
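The two network findings above are produced from VPC flow logs. The script below shows that detection logic over constructed version-2 flow log records (the default format). It is an added example, not RedLock code; the ENI inventory, the role labels, and the choice to treat ELB and NAT interfaces as expected internet endpoints are assumptions. The public source addresses are RFC 5737 documentation ranges standing in for real internet sources, which is why "internal" is defined as RFC 1918 plus CGNAT, loopback and link-local rather than via `ipaddress.is_global` (which would classify the documentation ranges as non-global).

```python
"""Detect SSH-from-internet and internet-exposed workloads from VPC flow log
records (version 2, the default format). Added example, not RedLock code.
The log lines, the ENI inventory and the role labels are constructed; the
public source addresses are RFC 5737 documentation ranges."""
import ipaddress

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed inventory: ENI -> (name, role), as derived from describe-network-interfaces.
ENI_INVENTORY = {
    "eni-0bastion": ("Bastion Prod primary", "bastion"),
    "eni-0elb":     ("Public ELB", "elb"),
    "eni-0nat":     ("Production NAT", "nat"),
    "eni-0dbdev":   ("Dev Database", "instance"),
    "eni-0web":     ("Public To Private Web", "instance"),
}
EXPECTED_PUBLIC = {"elb", "nat"}   # roles that are supposed to see internet traffic

# Address space treated as internal. Documentation ranges are deliberately NOT
# here (ipaddress.is_global would exclude them), so the sample's 198.51.100.x and
# 203.0.113.x sources count as internet. Add your VPC/peered CIDRs in practice.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, used by some VPCs
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local (IMDS)
    "fc00::/7", "fe80::/10")]

SAMPLE_LOG = """\
2 123456789012 eni-0bastion 198.51.100.7 10.0.1.5 51234 22 6 20 4249 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0dbdev 203.0.113.9 10.0.2.8 40001 22 6 10 840 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0dbdev 203.0.113.9 10.0.2.8 40002 5432 6 10 840 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0web 10.0.1.5 10.0.3.4 33000 22 6 5 420 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0web 198.51.100.20 10.0.3.4 44444 22 6 1 60 1500000000 1500000060 REJECT OK
2 123456789012 eni-0web 198.51.100.20 10.0.3.4 44445 443 6 12 3000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0elb 198.51.100.21 10.0.0.10 55555 443 6 30 9000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0nat 192.0.2.5 10.0.0.20 1234 443 6 30 9000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0web - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse(line):
    """One record -> dict. NODATA/SKIPDATA records carry '-' fields; drop them."""
    rec = dict(zip(FIELDS, line.split()))
    return rec if rec.get("log_status") == "OK" else None


def is_internet(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def evaluate(log_text, inventory=ENI_INVENTORY):
    """Return {"ssh_from_internet": {names}, "internet_exposed": {names}}."""
    ssh, exposed = set(), set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ACCEPT":   # REJECTs never reached the host
            continue
        name, role = inventory.get(rec["interface_id"], (rec["interface_id"], "instance"))
        if role in EXPECTED_PUBLIC or not is_internet(rec["srcaddr"]):
            continue
        exposed.add(name)                               # internet traffic accepted by a non-ELB/NAT
        if rec["protocol"] == "6" and rec["dstport"] == "22":
            ssh.add(name)                               # and specifically SSH
    return {"ssh_from_internet": ssh, "internet_exposed": exposed}
```

Bastion hosts show up here by design, as they do in the report's own failed-resource lists; add a `bastion` role to `EXPECTED_PUBLIC` if policy allows them SSH from the internet, or, better, restrict their security group to VPN source ranges. REJECT records are skipped because the security group or network ACL already stopped that traffic, but a burst of them on port 22 is still worth an alert of its own.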

IAM Risks

The RedLock platform continuously monitors user and resource activity to detect suspicious behavior such as account hijacking, brute-force login attempts, and unusual access to cloud services. It does so by ingesting IAM logs from cloud environments and applying machine-learning algorithms to detect suspicious user behavior.

Account Hijacking attempts

Resource Type: Other

Resource(s) Failed: 16

Resource(s) Passed: N/A

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 11, 2017 at 20:57 PDT

Description:

Detects potential account hijacking attempts by identifying unusual login activity: concurrent login attempts within a short period from two different geo-locations, or a login from a previously unknown browser, OS or location.

Resource(s) Failed:

John, Kate, Leo

Recommendations:

1. Make sure that the account credentials were not reused from different locations.

2. Occasionally, impossible-travel anomalies are incorrectly identified when the login attempts were made over a VPN. Please provide the VPN egress addresses to the RedLock admin if that is the case.

3. If this is indeed an account hijacking attempt, disable the user account temporarily or ask the user to change the password.


Insider Threat

Resource Type: Other

Resource(s) Failed: 4

Resource(s) Passed: N/A

Compliance: N/A

First Seen: May 31, 2017 at 13:05 PDT

Last Seen: Jul 11, 2017 at 08:42 PDT

Description:

Detects suspicious user activity by profiling individual user activities and detecting patterns that have not been seen before.

Resource(s) Failed:

David, Alexia, Carlos, Sandra

Recommendations:

1. Confirm that the enterprise user indeed performed the suspicious activity in your cloud environment.

2. Deactivate the user account or remove permissions from it.