Wednesday, February 3, 2021

AWS IAM 101/201 and security notes.

Let's start from basic: What's is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

What does exactly IAM provide:

  • Shared access to your AWS account
  • Granular permissions
  • Secure access to AWS resources for applications that run on Amazon EC2
  • Multi-factor authentication (MFA)
  • Identity federation
  • Identity information for assurance
  • PCI DSS Compliance (debatable, IMHO) 
  • Integrated with many AWS services
  • Eventually Consistent
  • Free to use
Do all AWS services work with IAM? 

Not exactly: Here the list:

IAM currently supports the following authorization models:

  • Role-based access control (RBAC). RBAC defines permissions based on a person's job function, known outside of AWS as a role. 
  • Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. Tags can be attached to IAM principals (users or roles) and to AWS resources. 

AWS IAM principals:

- User

- Roles

- Groups 

Sunday, January 24, 2021

Lack of the spelling checks for the AWS IAM API actions and security implications

 AWS IAM policy language used everywhere:

- to define IAM policy itself

- to define resource-based policy like S3 bucket policy

- to define the most important AWS control - SCP (Service Control Policy)

- to define VPC endpoint policies 

Let's take a look at the AWS IAM policy structure:


This policy's vital element is "Action," which is a list of AWS APIs that will be Allowed or Denied by the policy. 


Currently, there are several thousands of AWS actions. A list of all of them could be found here.  


It's extremely easy to make a typo in the action name when you are creating a policy. 


But, AWS will detect and warn you, right? 


Nope!


It might come as a surprise even for the experienced cloud engineers, but AWS does not verify API actions spelling.  

Proof: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html


Yes, when you are using a policy generator, you can choose from the dropdown list of the available API actions.  

But if you are using CLI, Cloudformation, Terraform, or any SDK, your policy will be accepted as long as a policy syntax and grammar will pass (policy grammar, but not action names or resource ARNs )


So what? Not a big deal? If policy not working, you can troubleshoot it using the policy simulator, right, and find a problem? 


The challenge is that even an AWS native policy simulator will not check API (action names) spelling. It will show if the desired actions are allowed or blocked but will not point you to the simple typo in your policy. 


As long as your policy is for the ALLOW effect, it's not a big deal. You might spend some time troubleshooting and not understanding why access is not granted, but generally, it should be OK, right?


Even in the case of ALLOW, not precisely: 

when you are using Infra as a code, you might make a typo in production-related IAM/SCP/etc. policy and cause quite an outage!


What about policies that suppose to protect, a.k.a DENY effect? Implications, in this case, might be quite catastrophic:


- SCP that implements your AWS Account level preventative controls will allow actions that you think you have blocked, making controls not-exiting.


- IAM policy will not protect against destructive or unsafe actions.


- Resource-based policy might become unintentionally too open.


Luckily, AWS has a second layer of protection ( and implicitDeny ) that, up to a certain extent, will compensate for such mistakes: as long as API call (Action name) is not explicitly Allowed, it will be deemed as implicitDeny. This helps and might save your backend, but not in all cases. Moreover, relying on this it's definitely a bad security practice. 


What could be a solution to the problem we just discussed? 


A process and a tool of the IAM policy validation for the syntax and spelling.


The process is an IAM policy linting that must be done before any deployment or during PR review in your code repo.


As for the tool, it might be home built linting tool (example: extension or rule to the CloudFormation Linter  https://github.com/aws-cloudformation/cfn-python-lint ) or an open-source linting tool that performs IAM action names validation. (example:  https://github.com/duo-labs/parliament)


Note, the tool must be regularly and automatically synced with the latest list of the AWS IAM actions or manually updated to reflect any changes AWS might do to the subj. 


Monday, January 4, 2021

My notes on the AWS security: "Where we’ve been, where we’re going" reInvent 2020 session by Steve Schmidt.

 

After finally having time to watch some AWS reInvent 2020 sessions over the holidays, I decided to make some notes and share them in case someone will find this useful.

My notes on "Where we’ve been, where we’re going" reInvent 2020 session by Steve Schmidt :

Topics:

1) 2020 security highlights 

2) Security product launches 

3) Enabling Zero Trust 

4) Ten places to focus on today

2020 security highlights (new features):

GuardDuty:

  • new threat and service coverage 
  • S3 data advance (s3 protection)
  • better organization support (designated account to manage GD in the organization)
Firewall Manager:
  • support for AWS WAF and AWS Managed Rules
  • supports centralized logging (for WAF)
AWS Detective now supports IAM role session analysis (better understands assumed roles cases )

AWS IAM Access Analyzer works the awesome way in the organization (very useful with huge amount of the use cases) 

AWS Single SignOn adds AWS CloudFormation support

ACM private CA:

  • Using AWS ACM private CA could be shared  (using AWS RAM) with other accounts to allow them to provision, manage, and deploy private certificates.
  • Better integration of the certificate lifecycle for the private CA with supported AWS services (LB, API GW, IoT..)
  • ACM supports 5X more APIs (performance )
  • ACM support for the AWS S3 bucket encryption (looks like only for CRL and audit report exports)

AWS Nitro Enclaves is GA: use case: an isolated environment for very sensitive data . 

AWS Macies reduces the costs to up  80% and dashboard redesign.

AWS Security Hub:

  • GA. 
  • auto-remediation support
  • CIS, AWS best practices and PCI DSS security standards 
  • prepackaged with 10 playbooks 
  • Single dashboard for the patching status in the Security Hub using AWS patch manager (part of system manager) 

AWS Detective now supports VPC flow logs and does aggregations and dashboarding for this.   

Security product launches  

AWS Nitro Enclaves

AWS Audit Manager

  • continuously assess control for the risk and compliance (helps with evidence collection for the Auditors and proactively collects evidences) 
  • Currently supports following frameworks:  CIS, GDPR, PIC DSS + build own assessment templates
  • Highlights: known and custom assessment templates,   automated evidence collection, built-in audit workflow.
Cloud Audit Academy - training for the auditor to better understand what the cloud is and how to perform cloud audit.

AWS Network Firewall (based on the docs looks like managed Suricata IPS): 

  • inspect all traffic entering or leaving VPC.
  • zonal service with AZ isolated inspection points
  • basically, a fleet of AWS managed firewall ec2 instances behind a load balancer
  • supports DNS names in the firewall rules. 
  • IDS/IPS functionality as well

Enabling Zero Trust  

Zero Trust - augmenting network-based controls with identity-based controls 

Network:

  • First dimension
  •  Network 
  • Microperimeters? 
  • Security above network? 
  • Gateways or proxies? 
  • More dynamic VPNs? 
  •  Combinations?

Identity

  • Second dimension 
  •  Identity 
  • Humans? 
  • Machines? 
  • Software components? 
  • Combinations?

Avoid binary choice: just identity or just network controls. 

One size doesn't fit all in each case Zero Trust might and will be implemented differently.

Ten places to focus on today:

from 2019: 
  1. Accurate account info 
  2. Use MFA
  3. No hard-coding secrets
  4. Limit security groups
  5. Intentional data policies
  6. Centralize AWS CloudTrail logs
  7. Validate IAM roles
  8. Take action on GuardDuty findings
  9. Rotate your keys
  10. Be involved in dev cycle

new one (2020): 

  1. Use AWS Organizations
  2. Understand your usage
  3. Use cryptography services
  4. Federation for human access
  5. Block public access on accounts
  6. Edge protect external resources 
  7. Patch and measure 
  8. No hard / soft defense (perimeter is both: Network and Identity)
  9. Transparent leadership reviews
  10. Diverse hiring

Thursday, May 28, 2020

Deployment time security audit using CloudFormation custom resource.


To prevent deployment of the potentially sensitive resources or infrastructure into the AWS account that might not meet current organizational security standard we can use AWS CloudFormation custom resource to perform quick security audit (or kind of sanity check) of the cloud account before processing with deployment.

Why we need this if we can scan/audit account as a part of the CI/CD pipeline? For the cases when deployments are performed manually or to have CI/CD independent "portable" CloudFormation template that has all security checks built-in and not bolt-on.

How it will look like:

  1. To you normal CloudFormation template you will add a custom resource.
  2. This custom resource it technically speaking a Lambda function that created and called during CloudFormation stack deployment.
  3. This Lambda function will perform quick (to meet CloudFormation deployment timeouts restrictions) security audit of the account where template going to be deployed
  4. As result of this audit Lambda will return status that will be interpreted by CloudFormation as a resource creation outcome.
  5. If AWS environment pass security check - deployment of other resources in you stack continue as usual
  6. If AWS environment fail security check - stack deployment will interrupted and rolled back as a result of the custom resource failure. 
I will publish example on such functionality on my Github shorty and will update this post with more details. 

Sunday, May 24, 2020

Nmap.me new version - now with vulnerability scan


Now service:
  • Does full port and vulnerability scan of the caller's IP
  • Immediately perform and return tcp scan results. Starts vulnerability scan in background.
  • Visit nmap.me again in about 30min(depends on load), and results of the vulnerability scan (port, service, vulnerability, CVE) for you IP will be displayed. 
  • You can use, console friendly endpoint : scan.nmap.me , or
  •  use a human readable website: nmap.me
Scan results examples:

Good  scan results:

Not so good scan  results:



As previously service is built using AWS native capabilities, serverless and containerized approach and design to be extremely scalable.



Quick FAQ:

What's new? Now it does full vulnerability scan of the IP.

What it does? Scan your external IP for open TCP ports and known vulnerabilities.
How to use? Simply do _curl scan.nmap.me_ from your console/terminal or open this webite in browser. You will get TCP scan results immediately and you will need to visit same page in an hour to get vulnerability scan results.

What it's scanning for?: Uses nmap NSE script to perform scan for known vulnerabilities. Based on https://github.com/vulnersCom/nmap-vulners

How fast? Whole TCP scan takes about a few second and results are immediately shown. After this vuln scan is starting. Depending of the backend load it might take about an hour to get scanned. After this simply visit the same page again to get vulnerability scan results. Scan results for each requester IP are cached for 1 hour (TCP scan) and 24 hours (Vuln scan) to reduce load and prevent abuse.

Friday, May 15, 2020

Using MFA with AWS CLI

It quite obvious nowadays that you must use MFA if it's available.
Enabling MFA for your user account in AWS IAM will automatically enforce it for the AWS Web UI login. 

But what about AWS CLI, your code using AWS SDK and 3d party SDK based tools?
In this case, to leverage MFA you need to enforce it using "Condition" statement for the IAM policy assigned to you user as it described in following AWS manual:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

In nutshell something like this:

Enforce MFA for the assume role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/anika" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:multifactorAuthPresent": true } } } ] }

Add MFA to you AWS CLI profile:

[profile role-with-mfa] region = us-west-2 role_arn= arn:aws:iam::128716708097:role/cli-role source_profile = cli-user mfa_serial = arn:aws:iam::128716708097:mfa/cli-user

Simple? Not exactly - here some tricky things that not covered by AWS documentation (at least I was not able to find).

1. AWS documentation a bit misleading: in the AIM statement and documentation user name  mentioned is Anika but all CLI configs are pointing to the non existing cli profile "cli-user"

2. AWS CLI MFA configuration will work ONLY when you are assuming Role. Yep, if you have one simple account, few users  and groups (as many small companies do) you can't leverage this functionality without some small trick(item 3)

3. You can still leverage MFA with CLI using role:

  • Strip all access from the user you are using to login, except "assume role", or alternatively,  enforce the MFA for all the actions using condition from the above.  
Note:
If you will strip all permissions you will need to assume role even if you are using WEB UI.
If you use alternative approach and enforce MFA for all API actions you can keep using WEB UI without assuming role the same way as you was doing before.
  • Create a role (exampe: MyOrganizationAccountAccessRole) to assume in the same account with MFA enforced and all required access rights. If you have more than one account - create this role in other accounts as well with the same MFA enforcement condition.
  • Create extra profile my-account-mfa (in addition to the main account profile my_account ) for the accessing the same account (my-account) using this role: 
[profile my-account-mfa]
role_arn = arn:aws:iam:: 123456789:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam:: 123456789:mfa/it-security@ca

[profile my_account]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::123456789:mfa/it-security@ca

[profile my_second_account]
ole_arn = arn:aws:iam:: 987654321:role/MyOrganizationAccountAccessRole
source_profile = my_account
mfa_serial = arn:aws:iam:: 123456789:mfa/it-security@ca

Note : all profile reference  my_account profile as a source


If needed create an extra profile(my_second_account) for any other account you need to access using the role.

Use  profile  my-account-mfa for you CLI access to the main account or for any tools. You will see MFA request and after providing MFA everything will work like a charm.

Enjoy and stay secure!

Wednesday, December 4, 2019

Nmap.me completetly rebuilded

To improve performance and service scalability nmap.me was completely rebuild leveraging aws native services and serverless approach.

Now service:
  • support both http and https
  • has dedicated scanning endpoint: scan.nmap.me
  • has a human readable website: nmap.me
  • scanning endpoint now api driven and will support rest api calls for advanced functionality
  • serverless and scalable
Main functionality so far unchanged: 
What it does? TCP Scan of you external IP.
What it scanning for: 100 most used tcp ports. Actually a bit more than 100 - I'm slowly adding more ports.
How to use: simply curl scan.nmap.me from your console/terminal or open it in browser or visit nmap.me(javascript will trigger scan)
How fast: whole scan takes about a second. Results for each requester IP are cached for 1 hour to reduce load and prevent abuse.

Why? Needed quick way to check open ports on server/gateway/fw/router while being inside the console.