Often, we hear about publicly exposed AWS S3 buckets or security attacks, such as DDoS, brute-force, etc. Every problem in AWS, be it security, compliance, or bill spikes, was/is due to engineering problems. When it comes to AWS security, wrong Security Group (SG) configurations seems to top the charts.
AWS security audits cannot be a fortnightly activity as generally practiced. It must be an everyday activity. As AWS practitioners, we all know this is effort intensive, especially with manual approach of using AWS console.
If you are an SMB or an enterprise, you will have hundreds of instances running in multiple SGs. Just imagine the amount of time invested just for DeSecOps activities to maintain the security posture.
Moreover, maintaining security posture on AWS is not an one-man army fight. Security is everyone’s responsibility. It’s teamwork between a CISO or a CTO and his team of DevSecOps or DevOps engineers. Everyone needs to understand the security posture of their AWS accounts at multiple levels, from their respective job roles’ perspective, right from top level to granular level, to this end.
A Focused Visual Environment Offering Real-Time AWS Security Cues
In a dynamic AWS ecosystem, where several resources are provisioned, scaled up or scaled down on-demand, chances of overlooking misconfigurations are high. Because, rules defined under SGs are buried under KBs of code and visualizing traffic flow from logs of VPC flow log data is immensely challenging for a human mind.
A single console offering visual cues to any security vulnerabilities, to everyone in the team, helps identify such vulnerabilities 100X faster!
Lets walk you through a couple of security audits a CXO or a DevSecOps engineer must perform. Watch how easy it is to perform on a visual console!
Case in Point #1
Checking for open TCP/UDP ports associated with relevant IP and security groups:
Unrestricted inbound/ingress access to TCP/UDP ports can invite malicious activity. The typical plan of action is to keep a check on instances’ SGs for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) to any of these ports and restrict access to only those IP addresses that require it to implement the principle of least privilege.
On the AWS console, you need to hop between Network and Security section and then Security groups via EC2 or RDS dashboard. Check for the tabs shown below the tabulated list. This might take few minutes depending on the number of instances.
However, using TotalCloud, you can check the ingress and egress and check for SGs containing resources that allow data outside the Infrastructure at a glance.
Observe the video below:
This will take anywhere between 5 to 10 seconds, irrespective of the number of instances you are using.
Case in Point #2
Finding SSH open ports and ensuring they are used only for jump box/bastion hosts
Network security at the subnet level using a bastion host, NAT instances, or NAT Gateways helps in protecting data. An SG allowing bastion connectivity for existing private instances must only accept SSH or RDP inbound requests from bastion hosts across AZs.
Whereas, the inbound & outbound traffic must be restricted at the protocol level, where in the inbound rule base should accept SSH connections only from the specific IP addresses. The outbound connection should again be restricted to SSH or RDP access to the private instances of your AWS infrastructure.
On the AWS console, you need to go to VPC console, scroll down to SGs and check for inbound and outbound data under each SG. This might take few minutes to hours depending on the number of instances.
However, using TotalCloud, you can check the ingress and egress and check for SGs containing resources that allow data outside the Infrastructure at a glance.
Observe the video below:
Conclusion: A Centralized Focus View with Visual Cues for Real-time DevSecOps
Change is the only constant. In a dynamic cloud setup, several teams engage. Having a centralized view of live data that acts as visual cues to vulnerabilities, helps identifying security issues in real-time. The ability to zoom in and zoom out at multiple levels, along with the capability to filter out traffic rules, helps everyone in the team to act and secure their infrastructure.
With immersive visualization of such data, anyone in the team can perform continuous security and understand security posture 100X faster and better compared to dashboards. TotalCloud’s Security View is exactly that! Do give it a try!
Note: Originally published at blog.totalcloud.io on November 28, 2018.
Top comments (0)