Cloud Security Audit – A Command Line Security Audit Tool For Amazon Web Services

A command line security audit tool for Amazon Web ServicesAboutCloud Security Audit is a command line tool that scans for vulnerabilities in your AWS Account. In easy way you will be able to identify unsecure parts of your infrastructure and prepare your AWS account for security audit.InstallationCurrently Cloud Security Audit does not support any package managers, but the work is in progress.Building from sourcesFirst of all you need to download Cloud Security Audit to your GO workspace:$GOPATH $ go get github.com/Appliscale/cloud-security-audit$GOPATH $ cd cloud-security-auditThen build and install configuration for the application inside cloud-security-audit directory by executing:cloud-security-audit $ make allUsageInitialising SessionIf you’re using MFA you need to tell Cloud Security Audit to authenticate you before trying to connect by using flag –mfa. Example:$ cloud-security-audit –service s3 –mfa –mfa-duration 3600EC2 ScanHow to useTo perform audit on all EC2 instances, type:$ cloud-security-audit –service ec2You can narrow the audit to a region, by using the flag -r or –region. Cloud Security Audit also supports AWS profiles – to specify profile use the flag -p or –profile.Example output+—————+———————+——————————–+———————————–+———-+| AVAILABILITY | EC2 | VOLUMES | SECURITY | || | | | | EC2 TAGS || ZONE | | (NONE) – NOT ENCRYPTED | GROUPS | || | | | | || | | (DKMS) – ENCRYPTED WITH | (INCOMING CIDR = 0.0.0.0/0) | || | | DEFAULT KMSKEY | | || | | | ID : PROTOCOL : PORT | |+—————+———————+——————————–+———————————–+———-+| eu-central-1a | i-0fa345j6756nb3v23 | vol-0a81288qjd188424d[DKMS] | sg-aaaaaaaa : tcp : 22 | App:some || | | vol-0c2834re8dfsd8sdf[NONE] | sg-aaaaaaaa : tcp : 22 | Key:Val |+—————+———————+——————————–+———————————–+———-+How to read itFirst column AVAILABILITY ZONE contains information where the instance is placedSecond column EC2 contains instance ID.Third column Volumes contains IDs of attached volumes(virtual disks) to given EC2. Suffixes meaning: [NONE] – Volume not encrypted.[DKMS] – Volume encrypted using AWS Default KMS Key. More about KMS you can find hereFourth column Security Groups contains IDs of security groups that have too open permissions. e.g. CIDR block is equal to 0.0.0.0/0(open to the whole world).Fifth column EC2 TAGS contains tags of a given EC2 instance to help you identify purpose of this instance.DocsYou can find more information about encryption in the following documentation:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.htmlS3 ScanHow to useTo perform audit on all S3 buckets, type:$ cloud-security-audit –service s3Cloud Security Audit supports AWS profiles – to specify profile use the flag -p or –profile.Example output+——————————+———+———+————-+————+| BUCKET NAME | DEFAULT | LOGGING | ACL | POLICY || | | | | || | SSE | ENABLED | IS PUBLIC | IS PUBLIC || | | | | || | | | R – READ | R – READ || | | | | || | | | W – WRITE | W – WRITE || | | | | || | | | D – DELETE | D – DELETE |+——————————+———+———+————-+————+| bucket1 | NONE | true | false | false |+——————————+———+———+————-+————+| bucket2 | DKMS | false | false | true [R] |+——————————+———+———+————-+————+| bucket3 | AES256 | false | true [RWD] | false |+————————— –+———+———+————-+————+How to read itFirst column BUCKET NAME contains names of the s3 buckets.Second column DEFAULT SSE gives you information on which default type of server side encryption was used in your S3 bucket:NONE – Default SSE not enabled.DKMS – Default SSE enabled, AWS KMS Key used to encrypt data.AES256 – Default SSE enabled, AES256.Third column LOGGING ENABLED contains information if Server access logging was enabled for a given S3 bucket. This provides detailed records for the requests that are made to an S3 bucket. More information about Server Access Logging can be found hereFourth column ACL IS PUBLIC provides information if ACL (Access Control List) contains permissions, that make the bucket public (allow read/writes for anyone). More information about ACLs hereFifth column POLICY IS PUBLIC contains information if bucket’s policy allows any action (read/write) for an anonymous user. More about bucket policies here R, W and D letters describe what type of action is available for everyone.DocsYou can find more about securing your S3’s in the following documentations:https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.htmlhttps://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.htmlhttps://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.htmlLicenseApache License 2.0MaintainersMichał PołcikMaksymilian WojczukPiotr FigwerSylwia GargulaMateusz PiwowarczykDownload Cloud-Security-Audit

Link: http://feedproxy.google.com/~r/PentestTools/~3/tsuJ2vB6UAU/cloud-security-audit-command-line.html

Introducing Imperva Cloud Data Security!

We at Imperva are gearing up for the inaugural AWS re:Inforce event on June 25th and 26th in Boston, Massachusetts, where technical leaders will converge for security, identity, and compliance learning and community building. Imperva experts will be on hand this week in booth 827 on the exhibit floor to meet with our valued customers […]
The post Introducing Imperva Cloud Data Security! appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/uDGBJ0mnF00/

How Our Threat Analytics Multi-Region Data Lake on AWS Stores More, Slashes Costs

Data is the lifeblood of digital businesses, and a key competitive advantage. The question is: how can you store your data cost-efficiently, access it quickly, while abiding by privacy laws? At Imperva, we wanted to store our data for long-term access. Databases would’ve cost too much in disk and memory, especially since we didn’t know […]
The post How Our Threat Analytics Multi-Region Data Lake on AWS Stores More, Slashes Costs appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/0WO62f69Eys/

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.
Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

Link: https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/