awslabs / aws-security-assessment-solution Goto Github PK

Cybersecurity remains a very important topic and point of concern for many CIOs, CISOs, and their customers. To meet these important concerns, AWS has developed a primary set of services customers should use to aid in protecting their accounts. Amazon GuardDuty, AWS Security Hub, AWS Config, and AWS Well-Architected reviews help customers maintain a strong security posture over their AWS accounts. As more organizations deploy to the cloud, especially if they are doing so quickly, and they have not yet implemented the recommended AWS Services, there may be a need to conduct a rapid security assessment of the cloud environment.

We have developed an inexpensive, easy to deploy, secure, and fast solution to provide our customers with a security assessment report. These reports are generated using the open source project Prowler. Prowler performs point in time security assessment based on AWS best practices and can help quickly identify any potential risk areas in a customer’s deployed environment. If you are interested in conducting these assessments on a continuous basis, AWS recommends enabling Security Hub’s Foundational Security Best Practices standard. If you are interested in integrating your Prowler assessment results with Security Hub, you can follow the instructions in the Prowler Documentation.

Note: Prowler is not an AWS owned solution. Customers should independently review Prowler before running this solution. Any dependencies associated with Prowler should be kept up to date. This solution installs the latest version available from pip package installer.

The solution is deployed with AWS CloudFormation. When deployed, an AWS CodeBuild project and an Amazon S3 bucket to store the Prowler generated reports are created. An AWS Lambda function is then used to start the AWS CodeBuild project.

The parameter (user input) defaults will run a basic scan in a single account. However, you can choose different parameters to run more extensive scans or to scan multiple accounts. The deployment process takes less than 5 minutes to complete. The solution’s AWS CloudFormation templates are provided for review in this Github repository.

Once the template is deployed, the CodeBuild project will run. The default assessment takes around 5 minutes to complete. The time to complete a security assessment will vary depending on the number of resources and the scan options selected. At the end of the assessments the reports are delivered to the created S3 Bucket.

You can use this project to run Prowler across multiple accounts in an AWS Organization, or a single account. We provide instructions to use AWS CloudShell or the AWS console. Choose an option to get started.

To run the Self-Service Security Assessment solution (SATv2) against a single account, follow the instructions below. You can choose to use the AWS CLI or the AWS Console.

Self-Service Security Assessment solution (SAT) also supports multi-account scans. You must deploy a prerequisite role to each account you want to perform the scan on. To run SATv2 for multiple accounts, follow the instructions below. You can choose to use the AWS CLI or the AWS Console.

These instructions assume you already have the prerequisites for stack set operations. For more information, visit the AWS CloudFormation User Guide.

Note: StackSets don't apply to the management account. To assess the management account, deploy the 1-sat2-member-role as a CloudFormation Stack.

After the solution is deployed, a Lambda function starts the CodeBuild project. After the CodeBuild project is finished building, the Prowler results will be uploaded to the created Amazon S3 bucket. If you configured notifications, you will get an email when the Prowler scan is complete. If you configured reporting, you will have a consolidated csv file in the /reporting folder.

If you didn't configure email alerts, you can monitor the progress from the CodeBuild console.

To review the results, follow these steps.

1. Navigate to the Amazon S3 console in the account you deployed Prowler.

2. Select the bucket that starts with sat2-prowler-prowlerfindingsbucket-

3. Choose the folder with the date and time of the scan.

4. For each account, there will be 4 file types (csv, html, json, json-ocsf) in the format prowler-output-<aws-account-id>-<datetime>.

5. Select one of the html objects.

6. Choose Open.

   

7. A new window will open with your report. You can use the filters to identify and prioritize the findings.

   

By default, SAT2 will run a basic scan which includes 13 checks. You can choose to run an intermediate or full check by choosing a different ProwlerScanType parameter value.

For example, a single account scan using the intermediate scan option would use this command:

aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
--stack-name sat2-prowler \
--capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides ProwlerScanType=Intermediate

• Manual check - Maintain current contact details.
• Find obsolete Lambda runtimes.
• Ensure CloudTrail is enabled in all regions
• Ensure AWS Config is enabled in all regions.
• Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port.
• Check if GuardDuty is enabled
• Ensure IAM password policy require at least one lowercase letter
• Ensure IAM password policy require at least one number
• Ensure IAM password policy require at least one symbol
• Ensure IAM password policy requires at least one uppercase letter
• Ensure MFA is enabled for the root account
• Ensure access keys are rotated every 90 days or less
• Ensure there are no S3 buckets open to Everyone or Any AWS user.

This scan will add --severity critical high to the Prowler scan options. With this selected Prowler will run all security checks that result in critical or high severity.

This option doesn't add any additional parameters to the Prowler scan. It will result in Prowler running the full 283 checks.

You can also use the full scan to customize the scan however you would like.

For ProwlerScanType choose Full.

For ProwlerOptions, append the check. For example, to check only if GuardDuty is enabled, enter:

aws --ignore-exit-code-3 -c guardduty_is_enabled

You can optionally specify an email address in the EmailAddress parameter when you deploy the CloudFormation template. This will create an SNS topic and send an email when the CodeBuild job completes.

This may be helpful when running longer scans, or across many accounts.

For example, a single account scan with email notifications would use this command:

aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
--stack-name sat2-prowler \
--capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides [email protected]

With or without the optional EmailAddress parameter set, you can view the progress in the CodeBuild console.

1. Navigate to the CodeSuite console.

2. In the navigation pane, under Build, choose Build projects.

3. Choose the Build project that begins with ProwlerCodeBuild-.

4. Under Build history, you will see the last run.

   

5. Optionally, you can choose Start build to run another scan with the options you choose when you deployed the solution.

You can optionally enable reporting to summarize multiple Prowler scan csv files into a single file. This may be helpful when running Prowler across multiple accounts in an AWS Organization. The reporting summary feature is off by default. To enable reporting, set the Reporting parameter to true when you deploy the CloudFormation template. This will create an Athena WorkGroup, a Glue table, and automatically run a query to consolidate the results. The summarized csv file is located in the same S3 bucket as the Prowler results in the /reporting folder.

If you specify an email address while reporting is enabled, you will get a second email when the Athena query is finished.

For example, a multi-account scan with reporting and email alerts enabled would use this command:

aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
--stack-name sat2-prowler \
--capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides MultiAccountScan=true Reporting=true [email protected]

A saved query is created as an example. This query counts the checks that failed across all the accounts assessed. To review and run the query, follow these steps:

1. Navigate to the Amazon Athena console.

2. Choose the workgroup that begins with sat2-prowler-*.

3. Choose the Saved queries tab.

4. Select the query you want to run by choosing the ID.

   

5. Choose Run to run the query.

   

1. Is there a cost?
   • This solution is designed to run within AWS Free Tier.
   • For Amazon CodeBuild, customer's get 100 build minutes per month.
   • For customers that have already exceeded free tier with CodeBuild, S3, and Lambda, this solution costs less than $1 to run.
2. Is this a continuous monitoring and reporting tool?
   • No. This is a one-time assessment, we recommend customers use AWS Security Hub for continuous assessments.
3. Does this integrate with GuardDuty, Security Hub, CloudWatch, etc.?
   • No. You can follow the instructions in this blog to integrate Prowler and Security Hub.
4. How do I remediate the issues in the reports?
   • Generally, the issues should be described in the report with readily identifiable corrections. Please follow up with the public documentation for each tool (Prowler) as well. If this is insufficient, please reach out to your AWS Account team or AWS Support to help you understand the reports and work towards remediating issues.

After you run the solution, you should delete the CloudFormation Stacks to remove resources that are no longer needed. The S3 bucket with the Prowler scan results will remain.

To remove the security assessment solution from your account, follow these steps.

1. Navigate to the AWS CloudFormation console in the account you ran the tool from (ProwlerAccountID).

2. In the navigation pane, choose Stacks.

3. Choose the sat2-prowler Stack.

4. Choose Delete.

If you deployed the member role StackSet to scan multiple accounts, follow these steps.

1. Navigate to the AWS CloudFormation console in the account you created the member role StackSet.

2. In the navigation pane, choose StackSets.

3. Choose the sat2-member-roles StackSet.

4. Choose Actions, then Delete stacks form StackSet.

5. Specify the same AWS OU ID when you created the StackSet.

6. For Specify regions, choose Add all regions.

7. Choose Next, and Submit.

After change finishes, you can delete the StackSet.

1. Choose the sat2-member-roles StackSet.

2. Choose Actions, then Delete StackSet.

If you want to remove the Amazon S3 bucket with the scan results, follow the steps in the Amazon S3 user guide to delete the objects and bucket. If you run the solution again, a new S3 bucket will be created for your results.

See CONTRIBUTING for more information.

This project is licensed under the Apache-2.0 License.