Cloud Security Audit – A Command Line Security Audit Tool For Amazon Web Services

A command line security audit tool for Amazon Web ServicesAboutCloud Security Audit is a command line tool that scans for vulnerabilities in your AWS Account. In easy way you will be able to identify unsecure parts of your infrastructure and prepare your AWS account for security audit.InstallationCurrently Cloud Security Audit does not support any package managers, but the work is in progress.Building from sourcesFirst of all you need to download Cloud Security Audit to your GO workspace:$GOPATH $ go get github.com/Appliscale/cloud-security-audit$GOPATH $ cd cloud-security-auditThen build and install configuration for the application inside cloud-security-audit directory by executing:cloud-security-audit $ make allUsageInitialising SessionIf you’re using MFA you need to tell Cloud Security Audit to authenticate you before trying to connect by using flag –mfa. Example:$ cloud-security-audit –service s3 –mfa –mfa-duration 3600EC2 ScanHow to useTo perform audit on all EC2 instances, type:$ cloud-security-audit –service ec2You can narrow the audit to a region, by using the flag -r or –region. Cloud Security Audit also supports AWS profiles – to specify profile use the flag -p or –profile.Example output+—————+———————+——————————–+———————————–+———-+| AVAILABILITY | EC2 | VOLUMES | SECURITY | || | | | | EC2 TAGS || ZONE | | (NONE) – NOT ENCRYPTED | GROUPS | || | | | | || | | (DKMS) – ENCRYPTED WITH | (INCOMING CIDR = 0.0.0.0/0) | || | | DEFAULT KMSKEY | | || | | | ID : PROTOCOL : PORT | |+—————+———————+——————————–+———————————–+———-+| eu-central-1a | i-0fa345j6756nb3v23 | vol-0a81288qjd188424d[DKMS] | sg-aaaaaaaa : tcp : 22 | App:some || | | vol-0c2834re8dfsd8sdf[NONE] | sg-aaaaaaaa : tcp : 22 | Key:Val |+—————+———————+——————————–+———————————–+———-+How to read itFirst column AVAILABILITY ZONE contains information where the instance is placedSecond column EC2 contains instance ID.Third column Volumes contains IDs of attached volumes(virtual disks) to given EC2. Suffixes meaning: [NONE] – Volume not encrypted.[DKMS] – Volume encrypted using AWS Default KMS Key. More about KMS you can find hereFourth column Security Groups contains IDs of security groups that have too open permissions. e.g. CIDR block is equal to 0.0.0.0/0(open to the whole world).Fifth column EC2 TAGS contains tags of a given EC2 instance to help you identify purpose of this instance.DocsYou can find more information about encryption in the following documentation:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.htmlS3 ScanHow to useTo perform audit on all S3 buckets, type:$ cloud-security-audit –service s3Cloud Security Audit supports AWS profiles – to specify profile use the flag -p or –profile.Example output+——————————+———+———+————-+————+| BUCKET NAME | DEFAULT | LOGGING | ACL | POLICY || | | | | || | SSE | ENABLED | IS PUBLIC | IS PUBLIC || | | | | || | | | R – READ | R – READ || | | | | || | | | W – WRITE | W – WRITE || | | | | || | | | D – DELETE | D – DELETE |+——————————+———+———+————-+————+| bucket1 | NONE | true | false | false |+——————————+———+———+————-+————+| bucket2 | DKMS | false | false | true [R] |+——————————+———+———+————-+————+| bucket3 | AES256 | false | true [RWD] | false |+————————— –+———+———+————-+————+How to read itFirst column BUCKET NAME contains names of the s3 buckets.Second column DEFAULT SSE gives you information on which default type of server side encryption was used in your S3 bucket:NONE – Default SSE not enabled.DKMS – Default SSE enabled, AWS KMS Key used to encrypt data.AES256 – Default SSE enabled, AES256.Third column LOGGING ENABLED contains information if Server access logging was enabled for a given S3 bucket. This provides detailed records for the requests that are made to an S3 bucket. More information about Server Access Logging can be found hereFourth column ACL IS PUBLIC provides information if ACL (Access Control List) contains permissions, that make the bucket public (allow read/writes for anyone). More information about ACLs hereFifth column POLICY IS PUBLIC contains information if bucket’s policy allows any action (read/write) for an anonymous user. More about bucket policies here R, W and D letters describe what type of action is available for everyone.DocsYou can find more about securing your S3’s in the following documentations:https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.htmlhttps://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.htmlhttps://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.htmlLicenseApache License 2.0MaintainersMichał PołcikMaksymilian WojczukPiotr FigwerSylwia GargulaMateusz PiwowarczykDownload Cloud-Security-Audit

Link: http://feedproxy.google.com/~r/PentestTools/~3/tsuJ2vB6UAU/cloud-security-audit-command-line.html

GKE, AWS, & S3 Buckets – Application Security Weekly #67

    GKE improves authentication with Workload Identity, AWS reinforce reveals traffic tools and security solutions that improve support for DevOps, Brief history of Trusted Execution Environments, From the Enterprise’s Project: How to Explain Service Mesh in Plain English, Developers and Security Teams Under Pressure to Collaborate! Full Show Notes Follow us on Twitter: https://www.twitter.com/securityweekly […]
The post GKE, AWS, & S3 Buckets – Application Security Weekly #67 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/J6DLU006jMY/

Introducing Imperva Cloud Data Security!

We at Imperva are gearing up for the inaugural AWS re:Inforce event on June 25th and 26th in Boston, Massachusetts, where technical leaders will converge for security, identity, and compliance learning and community building. Imperva experts will be on hand this week in booth 827 on the exhibit floor to meet with our valued customers […]
The post Introducing Imperva Cloud Data Security! appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/uDGBJ0mnF00/

MozDef – Mozilla Enterprise Defense Platform

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.GoalsHigh levelProvide a platform for use by defenders to rapidly discover and respond to security incidents.Automate interfaces to other systems like firewalls, cloud protections and anything that has an APIProvide metrics for security events and incidentsFacilitate real-time collaboration amongst incident handlersFacilitate repeatable, predictable processes for incident handlingGo beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automationTechnicalOffer micro services that make up an Open Source Security Information and Event Management (SIEM)Scalable, should be able to handle thousands of events per second, provide fast searching, alerting, correlation and handle interactions between teams of incident handlers.MozDef aims to provide traditional SIEM functionality including:Accepting events/logs from a variety of systemsStoring events/logsFacilitating searchesFacilitating alertingFacilitating log management (archiving,restoration)It is non-traditional in that it:Accepts only JSON inputProvides you open access to your dataIntegrates with a variety of log shippers including logstash, beaver, nxlog, syslog-ng and any shipper that can send JSON to either rabbit-mq or an HTTP(s) endpoint.Provides easy integration to Cloud-based data sources such as cloudtrail or guard dutyProvides easy python plugins to manipulate your data in transitProvides extensive plug-in opportunities to customize your event enrichment stream, your alert workflow, etcProvides realtime access to teams of incident responders to allow each other to see their work simultaneouslyArchitectureMozDef is based on open source technologies including:Nginx (http(s)-based log input)RabbitMQ (message queue and amqp(s)-based log input)uWSGI (supervisory control of python-based workers)bottle.py (simple python interface for web request handling)elasticsearch (scalable indexing and searching of JSON documents)Meteor (responsive framework for Node.js enabling real-time data sharing)MongoDB (scalable data store, tightly integrated to Meteor)VERIS from verizon (open source taxonomy of security incident categorizations)d3 (javascript library for data driven documents)dc.js (javascript wrapper for d3 providing common charts, graphs)three.js (javascript library for 3d visualizations)Firefox (a snappy little web browser)Frontend processingFrontend processing for MozDef consists of receiving an event/log (in json) over HTTP(S), AMQP(S), or SQS doing data transformation including normalization, adding metadata, etc. and pushing the data to elasticsearch.Internally MozDef uses RabbitMQ to queue events that are still to be processed. The diagram below shows the interactions between the python scripts (controlled by uWSGI), the RabbitMQ exchanges and elasticsearch indices.Status:MozDef is in production at Mozilla where we are using it to process over 300 million events per day.Download MozDef

Link: http://www.kitploit.com/2019/06/mozdef-mozilla-enterprise-defense.html

Web Security Leader Rapidly Expands by Partnering with AWS and Imperva

Companies try to plan and pace their growth. Those plans go out the window when a merger or acquisition happens, as it did to DigiCert Inc.   DigiCert, based in Lehi, Utah, had long been a leading Certificate Authority (CA), providing electronic documents that verify and authenticate the identities of web sites and their visitors […]
The post Web Security Leader Rapidly Expands by Partnering with AWS and Imperva appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/pD-6qnSOCWo/

[python]Start up script to create VPC to launch EC2

Use case This is an interactive start up script to do from creating VPC to launching EC2. This is a follow up from this post – Functions for aws automation, I have added a few more functions to make it complete. Demonstration This is the interactive script: These are the results in AWS console: VPC … Continue reading [python]Start up script to create VPC to launch EC2

Link: http://cyruslab.net/2019/05/11/pythonstart-up-script-to-create-vpc-to-launch-ec2/

[python]Creating security group and inbound rule

This is the extension of Functions of aws automation.I have added some methods to create security groups and apply rules. In addition to the functions/methods describe here, I have created 4 more methods to accomplish these: Security group creation Inbound rule creation to the security group. Demonstration create_security_group method This method create a security group … Continue reading [python]Creating security group and inbound rule

Link: http://cyruslab.net/2019/05/08/pythoncreating-security-group-and-inbound-rule/

[python]Finding your internet gateway id in aws

On previous post, I have this function: This function looks for the internet gateway id associated with your vpc id. Json response from describe_internet_gateways The below response is from the describe_internet_gateways method in boto3, here’s the code snippet: The below is a dictionary of two main keys – InternetGateways and ResponseMetadata. Now I am only … Continue reading [python]Finding your internet gateway id in aws

Link: http://cyruslab.net/2019/05/06/pythonfinding-your-internet-gateway-id-in-aws/