How to generate Security Compliance report for AWS? - amazon-web-services

Any AWS security compliance code samples?
Suppose I want to check the following things:
a) Security groups: open ports, SG, keys, protocols
b) ELB security: exposed ports
c) EC2: SG, exposed ports, instances must be configured in a VPC
d) IAM: full admin privilege in IAM policy, user-level MFA status, password policy status
e) Lambda: admin role, unauthorized cross-account access
How can I collect this information through code? Is there any AWS Java SDK available to check these things?
I found one tool, Chef InSpec, where I can write rules and get a report, but I can't pass a list of instances; it checks instance by instance.
Is there any other tool or Java SDK to get all these things?
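One way to build such a report in code, as an added example that is not part of the question or of any SDK: pull the raw data with the AWS SDK (boto3 here; the Java SDK returns the same shapes) and run pure checks over it. The functions below consume the dict shapes that `ec2.describe_security_groups()`, `iam.list_users()`, `iam.list_mfa_devices()`, `iam.get_account_password_policy()` and `iam.get_policy_version()` return, so they can be unit-tested offline. The sample data at the bottom is constructed, and the password-policy thresholds are assumptions, not something the question specifies.

```python
"""Added example, not code from the question: AWS compliance checks that run over
the dict shapes boto3 returns (ec2.describe_security_groups, iam.list_users /
iam.list_mfa_devices, iam.get_account_password_policy, iam.get_policy_version).
The sample data at the bottom is constructed, not from a real account."""
from typing import Dict, Iterable, List

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" CIDRs


def open_ingress_findings(security_groups: Iterable[dict]) -> List[dict]:
    """Flag ingress rules reachable from the whole internet.
    Input: the "SecurityGroups" list from ec2.describe_security_groups()."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
            if not sources:
                continue
            proto = perm.get("IpProtocol", "-1")
            findings.append({"group_id": sg["GroupId"],
                             "vpc_id": sg.get("VpcId"),  # None = EC2-Classic, not in a VPC
                             "protocol": "all" if proto == "-1" else proto,
                             "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort"),
                             "sources": sources})
    return findings


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_admin_policy(document: dict) -> bool:
    """True if an Allow statement grants Action "*" on Resource "*" (the shape of
    AdministratorAccess). Allow with NotAction/NotResource is flagged too, since it
    grants everything except the listed items."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = "*" in _as_list(stmt.get("Action", [])) or "NotAction" in stmt
        broad_resource = "*" in _as_list(stmt.get("Resource", [])) or "NotResource" in stmt
        if broad_action and broad_resource:
            return True
    return False


def users_without_mfa(users: Iterable[dict], mfa_by_user: Dict[str, list]) -> List[str]:
    """users: "Users" from iam.list_users(); mfa_by_user: UserName -> "MFADevices"
    from iam.list_mfa_devices(UserName=...)."""
    return sorted(u["UserName"] for u in users if not mfa_by_user.get(u["UserName"]))


def password_policy_findings(policy: dict) -> List[str]:
    """Input: iam.get_account_password_policy()["PasswordPolicy"].
    Thresholds are assumptions (CIS-style), not taken from the question."""
    problems = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        problems.append("MinimumPasswordLength < 14")
    problems += [f"{f} is false" for f in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                                           "RequireNumbers", "RequireSymbols") if not policy.get(f)]
    age = policy.get("MaxPasswordAge")  # key is absent when expiry is disabled
    if not age or age > 90:
        problems.append("MaxPasswordAge missing or > 90 days")
    if policy.get("PasswordReusePrevention", 0) < 24:
        problems.append("PasswordReusePrevention < 24")
    return problems


# Constructed sample input; shapes mirror the boto3 responses named above.
SAMPLE_SGS = [
    {"GroupId": "sg-0a1b2c3d", "VpcId": "vpc-0123", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e9f8a7b", "VpcId": None, "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_ADMIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_READONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}]
SAMPLE_MFA = {"alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}], "bob": []}
SAMPLE_PW_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                    "RequireNumbers": True, "RequireSymbols": False, "PasswordReusePrevention": 24}


def report() -> dict:
    """One entry per control; dump as JSON or feed to a template for the report."""
    return {"open_ingress": open_ingress_findings(SAMPLE_SGS),
            "admin_policies": {"admin": is_admin_policy(SAMPLE_ADMIN), "readonly": is_admin_policy(SAMPLE_READONLY)},
            "users_without_mfa": users_without_mfa(SAMPLE_USERS, SAMPLE_MFA),
            "password_policy": password_policy_findings(SAMPLE_PW_POLICY)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

The split between collection and evaluation is deliberate: the collectors are a handful of paginated SDK calls, while the checks are the part that needs tests and review, and they can be run against a saved JSON snapshot of every account rather than instance by instance. The ELB and Lambda checks from the question follow the same pattern over `describe_load_balancers()` / `get_policy()` output.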

Related

is there a way to restrict creation of specific resource in GCP irrespective of the IAM roles?

I need to restrict creation of VPCs in all projects irrespective of the IAM roles.
I tried the organisation policies, but I was not able to find any policy which restricts the creation of resources.
Is there any other way I can restrict creation of VPCs?
It's not possible to restrict VPC creation using Organization policies, but there's another approach utilizing IAM roles & permissions.
Have a look at the documentation regarding roles needed to administer all your networks.
The most powerful role is roles/compute.networkAdmin, which gives you control over every aspect of networking in your project:
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
If you want to limit users' permissions, assign them the roles/compute.networkUser role:
Provides access to a shared VPC network.
Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete or create new networks in the host project.
And if you want some examples, have a look at this document describing IAM roles for networking-related job functions.

How to apply 2fa, ACL for IAM in GCP

Recently, a GCP IAM key was exposed, and a miner was installed.
In the case of AWS, 2FA can be required when accessing with an access key, or access can be allowed only from a specific IP.
If there were such a setting, the incident would not have occurred immediately even if the key was exposed.
I searched for ACL and 2FA settings in GCP, but there is no key setting; only the instance access setting is checked.
Is it possible to set up 2FA for GCP Web Console access and for access with an IAM key, and an IP ACL?
In addition, an IP-based ACL is required for BigQuery, but when I contacted other teams, an ACL for BigQuery access was impossible; it is only controlled by IAM.
If an IAM key is exposed by user error, is there any way GCP can prevent this?
You can enforce 2FA and IP control on the IAM service (with IAM Conditions and Context-Aware Access).
Google helps you as it can:
Support contacts you in case of abnormal activity, such as a miner installed on your VM and thus suspicious network activity.
Public repositories, such as GitHub, are periodically scanned by Google, and if a service account key file is found, you are notified.
The platform proposes solutions to mitigate the risk:
Context-Aware Access
IAM Conditions
An Organisation policy to disable the capacity to generate service account key files. Only a small group of users are able to generate them, after validation of the user request. The target is to limit the number of keys and to generate them only when the use case requires them.
SCC (Security Command Center) findings can raise primitive roles on service accounts: too many roles, use predefined roles instead.
IAM Recommender, which proposes that you reduce the permission scope based on the last 90 days of activity.
So a set of tools to be proactive and reactive to events.
You can set up 2-step verification (2SV), which is triggered when trying to access GCP VM instances.
Follow this guide to set up 2SV on your instance.
Also, VPC Service Controls can add an additional security layer for managed services like BigQuery.
You can block specific IP addresses via this service.
This article will help you a lot in using VPC Service Controls.

AWS Restrict Access But Allow Edit of a Security Group

I work with a team of developers that has a shared database hosted in AWS. This team is "virtual" (comprised of remote workers; there is no office).
There is an AWS security group that has rules that allow each of the developers to access the database (by IP address). The senior developers have logins and admin permissions to AWS allowing them to change the security group rules, for example when someone's IP address changes.
The problem is that some of the junior developers have "jumpy" IP addresses which change frequently. Each time the IP address changes, a senior developer needs to stop work, log in to AWS, and correct the security group rule for the junior developer. This is not sustainable.
Is there a way we can set up AWS so the junior developers can have logins to AWS, but their permissions only allow them to access a single, particular security group? That way the juniors can log in to AWS and self-serve on the IP address update, and management doesn't need to worry that they have access to other, restricted areas in AWS?
To directly answer your question, there are multiple ways to achieve what you want, and IAM and SCPs are the things to take a look at.
With IAM you can either use IAM permission boundaries to limit the privileges that a certain user has, or rely on the ABAC approach, where you assign a certain tag to the resource to which you want to grant access. In your case you can have a "junior" tag set on the SG in question and a respective IAM policy that grants permissions based on it.
Another option is to use a Service Control Policy (in case you have AWS Organizations enabled). With SCPs you can limit certain actions at account level (e.g. deny actions on EC2 unless certain criteria are met).
All of the above are at the identity/access level.
Networking-wise, you can alter your design a bit by setting up AWS Client VPN in front of the RDS.
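The ABAC option from the answer above, worked through as an added example (not code from the answer or from AWS): an IAM policy that allows rule edits only on security groups carrying a given tag, and a small planner that turns "my IP changed" into the exact revoke/authorize calls so a junior developer can self-serve without touching anyone else's rule. The tag key/value `access=junior-selfserve`, the port 5432, the rule-ownership convention (the developer's name in the rule `Description`) and the sample rules are all assumptions; `apply_plan()` uses the real boto3 calls but is not exercised offline.

```python
"""Added example, not code from the answer above: an ABAC-style IAM policy that lets
a junior developer edit only security groups tagged access=junior-selfserve, and a
planner that turns "my IP changed" into the exact revoke/authorize calls. The tag
key/value, port and names are assumptions; apply_plan() uses real boto3 calls but
is not exercised offline."""
import ipaddress
from typing import List, Tuple

TAG_KEY, TAG_VALUE = "access", "junior-selfserve"  # assumed tag on the shared DB group
DB_PORT = 5432                                      # assumed database port


def build_junior_sg_policy(tag_key: str = TAG_KEY, tag_value: str = TAG_VALUE) -> dict:
    """Rule edits are allowed only on groups carrying the tag. Describe needs
    Resource "*" because ec2:Describe* has no resource-level permissions. No
    ec2:CreateTags/DeleteTags, so a junior cannot tag other groups into scope."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListGroups", "Effect": "Allow",
         "Action": "ec2:DescribeSecurityGroups", "Resource": "*"},
        {"Sid": "EditTaggedGroupOnly", "Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
         "Resource": "arn:aws:ec2:*:*:security-group/*",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}}]}


def plan_ip_update(ip_permissions: List[dict], owner: str, new_ip: str,
                   port: int = DB_PORT) -> Tuple[List[dict], List[dict]]:
    """Given the group's current "IpPermissions" (from describe_security_groups),
    return (to_revoke, to_authorize) so that exactly one /32 rule for `port`
    whose Description is `owner` remains. Other developers' rules are untouched,
    and only a single host address is accepted (no ranges, no 0.0.0.0/0)."""
    new_cidr = f"{ipaddress.IPv4Address(new_ip)}/32"  # raises ValueError on junk
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    to_revoke, present = [], False
    for perm in ip_permissions:
        if any(perm.get(k) != v for k, v in rule.items()):
            continue  # different port or protocol: not ours
        for r in perm.get("IpRanges", []):
            if r.get("Description") != owner:
                continue
            if r["CidrIp"] == new_cidr:
                present = True
            else:
                to_revoke.append({**rule, "IpRanges": [{"CidrIp": r["CidrIp"]}]})
    to_authorize = [] if present else [{**rule, "IpRanges": [{"CidrIp": new_cidr, "Description": owner}]}]
    return to_revoke, to_authorize


def apply_plan(group_id: str, owner: str, new_ip: str, port: int = DB_PORT) -> None:
    """Runs the plan against AWS (needs credentials; imports boto3 lazily so the
    planner above stays importable without it)."""
    import boto3
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_revoke, to_authorize = plan_ip_update(group["IpPermissions"], owner, new_ip, port)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_authorize)


# Constructed sample: the tagged group's current rules.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [
        {"CidrIp": "203.0.113.10/32", "Description": "alice"},
        {"CidrIp": "198.51.100.7/32", "Description": "bob"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "203.0.113.10/32", "Description": "alice"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_junior_sg_policy(), indent=2))
    print(plan_ip_update(SAMPLE_PERMISSIONS, "bob", "198.51.100.99"))
```

The policy is the enforcement boundary; the planner only keeps the group tidy. Note that the tag condition does not stop a junior from opening the tagged group to 0.0.0.0/0 through the console, so the `/32` check in the planner is a convenience, not a control; if that matters, pair the policy with a CloudTrail alert on `AuthorizeSecurityGroupIngress` with a non-/32 CIDR.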

Site to Site connection between SonicWall and AWS - IAM Policy

I'm trying to set up a Site-to-Site connection between our on-premises server and our cloud infrastructure. On our premises we have a SonicWall firewall installed and, since SonicOS 6.5.1.0, it's now easy to enter an AWS access key and AWS secret key and let the software configure everything via the SDK.
The problem is that the tutorial on how to configure the firewall (p. 8) says:
The security policy used, either for a group to which the user belongs or attached to the user directly, must include the following permissions:
• AmazonEC2FullAccess – For AWS Objects and AWS VPN
• CloudWatchLogsFullAccess – For AWS Logs
Since it's not ideal to give anyone full access to Amazon EC2, do you know which features SonicWall actually needs, so I can disable everything else and follow the principle of least privilege?
Without looking into the code for SonicWall itself, it is not going to be easy to know exactly which API calls it's going to make to EC2. If you are prepared to at least temporarily grant full EC2 access, you could use AWS CloudTrail to monitor exactly which API calls are being made by the IAM user associated with your on-premises server, and then update your specific policy to match those calls.
Alternatively, start with the full access IAM policy template and go through and deny any calls you think are completely unrelated to SonicWall's functionality.
If you trust SonicWall then probably the easiest thing to do is to just allow the full EC2 access it claims is required (or start there and gradually remove them until something breaks!)
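The CloudTrail approach from the answer above, as an added example (not code from the answer, and not SonicWall's real call set): read CloudTrail records, keep only the calls made by the firewall's IAM user, and emit a policy that allows exactly those actions. The same function also reports calls that were denied, which is what you look at after tightening the policy to see what still breaks. The records below are constructed in CloudTrail's log-file shape; the user name `sonicwall-s2s` and the API names are assumptions.

```python
"""Added example, not code from the answer above: derive which API calls an IAM
user actually makes from CloudTrail records, then emit a least-privilege policy
from them. The records below are constructed in CloudTrail's log shape; the user
name "sonicwall-s2s" and the calls shown are assumptions, not SonicWall's real set."""
import gzip
import json
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# eventSource -> IAM service prefix; most sources are just the first label, but
# CloudWatch Logs is "logs.amazonaws.com" and maps to "logs".
SERVICE_PREFIX = {"ec2.amazonaws.com": "ec2", "logs.amazonaws.com": "logs"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation",
                "Client.UnauthorizedOperation"}


def load_records(path: str) -> List[dict]:
    """Read one CloudTrail log file (plain or .gz) and return its "Records" list."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


def actions_used(records: Iterable[dict], user_name: str) -> Tuple[Counter, Set[str]]:
    """Count "service:Action" calls made by the named IAM user. Calls that were
    denied are returned separately: during the full-access phase there should be
    none; after tightening the policy they are exactly what still needs adding."""
    used, denied = Counter(), set()
    for rec in records:
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        src = rec["eventSource"]
        action = f"{SERVICE_PREFIX.get(src, src.split('.')[0])}:{rec['eventName']}"
        if rec.get("errorCode") in DENIED_CODES:
            denied.add(action)
        else:
            used[action] += 1
    return used, denied


def least_privilege_policy(used: Counter, resource: str = "*") -> dict:
    """One Allow statement per service listing only the observed actions.
    Resource "*" is the first cut; narrow to the VPN/VPC and log-group ARNs once
    the resources the firewall touches are known from the same records."""
    by_service: Dict[str, List[str]] = {}
    for action in sorted(used):
        by_service.setdefault(action.split(":")[0], []).append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"{svc.capitalize()}Calls", "Effect": "Allow", "Action": actions, "Resource": resource}
        for svc, actions in sorted(by_service.items())]}


def _rec(user, source, name, error=None):
    """Constructed CloudTrail record with only the fields used above."""
    rec = {"eventTime": "2023-01-01T00:00:00Z", "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [  # constructed
    _rec("sonicwall-s2s", "ec2.amazonaws.com", "DescribeVpcs"),
    _rec("sonicwall-s2s", "ec2.amazonaws.com", "DescribeVpcs"),
    _rec("sonicwall-s2s", "ec2.amazonaws.com", "CreateVpnConnection"),
    _rec("sonicwall-s2s", "logs.amazonaws.com", "CreateLogGroup"),
    _rec("sonicwall-s2s", "ec2.amazonaws.com", "DescribeRouteTables", error="Client.UnauthorizedOperation"),
    _rec("admin", "ec2.amazonaws.com", "RunInstances"),  # another principal: must not leak in
]

if __name__ == "__main__":
    used, denied = actions_used(SAMPLE_RECORDS, "sonicwall-s2s")
    print(json.dumps(least_privilege_policy(used), indent=2))
    print("denied:", sorted(denied))
```

Run it over every log file for a window long enough to cover tunnel setup, rekeying and any periodic log shipping, because a call the firewall makes only on failover will not show up in a quiet week; the `denied` set after you switch to the generated policy is the feedback loop for anything you missed.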

Console view restriction by tag

Is there a policy action in IAM that will restrict the visibility of resources in the console to only a tagged set? So for example, can I use ec2:Describe with a StringEquals condition for the tag such that a group of users will only ever see the set of EC2 servers their project is using?
Ideally I don't want all users in this VPC to see all servers, even if they are read-only.
It's not currently possible:
Note: Currently, the Amazon EC2 ec2:Describe* API actions do not support resource-level permissions, so you cannot control which individual resources users can view in the console. Therefore, the * wildcard is necessary in the Resource element of the above statement. For more information about which ARNs you can use with which Amazon EC2 API actions, see Supported Resource-Level Permissions for Amazon EC2 API Actions.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html
One option you have that might work is to use multiple, independent AWS accounts, so each user can get their own 'sandbox' to play in, but set up consolidated billing so that that aspect of the accounts is shared by one master account.