The use of ‘Infrastructure as a Service’ (IaaS) presents many challenges in regards to security. Most importantly it requires rethinking how applications and infrastructure are secured and audited. The perspective on how to do this needs to be rethought and security teams need to build new processes and procedures to accomplish old world tasks such as Perimeter Assessments, Penetration Tests, Vulnerability Assessments, User-Rights Reviews, and Security Audits.
CloudCheckr was designed to address this new paradigm and helps with many of the new security requirements for the public cloud. CloudCheckr provides over 100 security checks for AWS. Out of the box, CloudCheckr will perform an assessment of the security settings and save that into its Best Practices results. CloudCheckr offers reports and alerting around AWS CloudTrail and Config data, as well as in-depth VPC and security group analysis, as well as perimeter assessments.
Using CloudCheckr, the security team can review security for an entire AWS environment on daily basis.
Security Best Practice Checks
CloudCheckr’s Security best practice checks alert you to any potential issues within your AWS deployment. The checks range from looking at your security group and network ACL rules, to ensuring your Root User isn’t accessing your account, finding publicly accessible resources to ensuring you have proper IAM policies in place. The checks also ensure that you have enabled AWS security features like CloudTrail and they have been configured properly.
You can find more about CloudCheckr’s Best Practice report here: http://support.cloudcheckr.com/reports/best-practice-report/
CloudTrail is an AWS service that records any interaction with your AWS account and logs those interactions within a user-defined S3 bucket. The log information includes the timestamp, source IP address, IAM identity, request and response parameters, and resource (if any) of the interaction.
CloudCheckr offers several reports around CloudTrail including a summary reporting, a List of Trails so you can monitor the configuration and health of your CloudTrail log delivery, an Events reporting where you can search, filter, and group your log event history, as well as alerting so you can be notified when critical events occur within your AWS account.
For more information on CloudTrail please visit: http://support.cloudcheckr.com/reports/security-reporting/cloudtrail-reports/
AWS Config provides resource inventory, configuration history, and configuration change details to AWS customers. Config allows you to take snapshots of your AWS deployment so you can see exactly how each resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
CloudCheckr takes this Config data and allows you to search and filter by resources and configuration changes. You can preform side-by-side comparisons to see exactly what has been modified at the resource level. You can also load any of your configuration snapshots into CloudCheckr, where they are fully searchable.
For more information on config reporting please visit here:http://support.cloudcheckr.com/reports/security-reporting/aws-config/
Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
CloudCheckr provides several important reports to give you visibility and control over your VPCs, their traffic, and the resources residing within those VPCs. You can see a full inventory of each of your VPCs, including their route tables, network ACLs, internet gateways, subnets, resources, etc. The Traffic Analysis report will show you exactly how traffic flows in, and through, your VPCs. There are also summary and details reporting for your subnets and network ACLs.
For more information on VPC, please visit: http://support.cloudcheckr.com/reports/security-reporting/vpc-summary/
Security groups act as a virtual firewall that controls the traffic for some AWS resources. Security groups contain Inbound and Outbound rules that dictate who and what is able to connect to the resources.
CloudCheckr provides a summary and details report for security groups across several services. These reports provide important details about each of your security groups, including their Inbound and Outbound rules, and which resources the security groups are associated with.
For more information on Security Groups please visit: http://support.cloudcheckr.com/reports/security-reporting/security-groups/
The Perimeter Assessment report shows you an analysis of all the entry points from the public Internet into your AWS account. Reviewing the public entry points allows you to determine if you’ve unintentionally left any openings in your AWS environment that expose you to the public Internet. The report will provide you with a list of your publicly accessible resources both within, and outside of VPCs, grouped by region. When expanding on the resources within the report you’ll also see the rule(s) that are making the resources publicly accessible.
Each day CloudCheckr takes an inventory of your AWS deployment and compares that against the previous day. Any resources that have been added, deleted, or modified will be included in this report.
For more information on Change Monitoring please visit: http://support.cloudcheckr.com/reports/security-reporting/change-monitoring/
The Security Permissions Report shows you a comprehensive set of permissions and policies against your S3 buckets and EC2 instances.
For your EC2 instances, the report will list the security groups, instances, network ACL rules, and IAM policies that are associated with the resource.
For S3 buckets, you’ll see all access control lists, bucket policy permissions and IAM policies that allow access to the buckets.
The S3 Encryption Report shows results of a security sweep of available S3 buckets seen from this account. Following the scan the total number of objects in the S3 bucket and will display a count of the number of encrypted objects as well as list the unencrypted objects found.
Additionally, the report indicates the date and time (UTC) of the last successful security scan. The report will not display the object name of any Encrypted Object or any other identifiable characteristic(s).