18 regions, +2 in China, +2 GovCloud
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
Released on 2015-10-08
https://aws.amazon.com/blogs/aws/cloudwatch-dashboards-create-use-customized-metrics-views/
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
Insights, released on 2018-11-27
https://aws.amazon.com/blogs/aws/new-amazon-cloudwatch-logs-insights-fast-interactive-log-analytics/
Basic hygiene.
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/
9 - Cost
EC2 Reserved Instances
Low Use EC2 Instances
Idle Load Balancers
Underutilized EBS Volumes
Unassociated EIP
Idle RDS DB Instance
Route 53 Latency Record Set
EC2 Reserved Instance Lease Expired
Underutilized Redshift Cluster
17 - Security
Security Groups - Specific Ports Unrestricted
Security Groups - Unrestricted
IAM Use
S3 Bucket Permissions
MFA on Root Account
RDS Security Group Access Risk
CloudTrail Logging
Route53 MX and SPF records
ELB Listener Security
ELB Security Groups
CloudFront Custom SSL Cert in the IAM Cert Store
CloudFront SSL Cert on the Origin Server
Exposed Access Keys
EBS Public Snapshots
RDS Public Snapshots
IAM Password Policy
IAM Access key rotation
24 - Fault Tolerance
EBS Snapshot age
EC2 Availability Zone Balance
ELB EC2 Instances balanced across AZs
VPC Tunnel Redundancy, 2+
ASG Launch Config valid
RDS Backups enabled
RDS Multi-AZ enabled
ASG Health Check enabled
S3 Bucket logging
Route53 Name Server delegation
Route53, High TTL
Route53, Failover enabled
Route53, Healthchecks
ELB, Connection Draining
ELB Cross-Zone
S3 Bucket Versioning
Direct Connect, Connection Redundancy
Direct Connect, Location redundancy
Direct Connect, Virtual Interface redundancy
Aurora DB, accessibility within cluster
EC2Config, for EC2 Windows
PV Driver, for EC2 Windows
ENA Driver, for EC2 Windows
NVMe Driver, for EC2 Windows
10 - Performance
EC2, High CPU, more than 90% on 4+ days, within past 14 days
EC2, IOPS EBS, on unoptimized AMI
SG, large number of rules
EC2, large number of SGs
Route53, Alias Records
EBS, Magnetic Volume overused
CloudFront, S3 bucket should be changed over
CloudFront, Header Forwarding and Cache Hit Ratio
EC2, has throughput higher than EBS Volume
CloudFront, Alternative Domain
**$100 / month, per account**
$100 * 12 months = **$1,200 / year**
https://aws.amazon.com/premiumsupport/plans/
Uses CloudTrail, VPC Flow Logs, DNS Logs, for network intrusion detection.
8 - Backdoor
2 - Behavior
EC2/NetworkPortUnusual
EC2/TrafficVolumeUnusual
2 - CryptoCurrency
3 - PenTest
Kali
Parrot
Pentoo
3 - Persistence
IAMUser/NetworkPermissions, changed SG, route, acl
IAMUser/ResourcePermissions, security access control change
IAMUser/UserPermissions, modified IAM User, Group, or Policy
1 - Policy
IAMUser/RootCredentialUsage, AWS API as root
8 - Recon
Recon:EC2/PortProbeUnprotectedPort
Recon:IAMUser/TorIPCaller
Recon:IAMUser/MaliciousIPCaller.Custom
Recon:IAMUser/MaliciousIPCaller
Recon:EC2/Portscan
Recon:IAMUser/NetworkPermissions
Recon:IAMUser/ResourcePermissions
Recon:IAMUser/UserPermissions
1 - Resource Consumption
IAMUser/ComputeResources, launched EC2
3 - Stealth
IAMUser/PasswordPolicyChange
IAMUser/CloudTrailLoggingDisabled
IAMUser/LoggingConfigurationModified
9 - Trojan
12 - Unauthorized
UnauthorizedAccess:IAMUser/TorIPCaller
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
UnauthorizedAccess:IAMUser/MaliciousIPCaller
UnauthorizedAccess:EC2/TorIPCaller
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
UnauthorizedAccess:EC2/SSHBruteForce
UnauthorizedAccess:EC2/RDPBruteForce
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
UnauthorizedAccess:IAMUser/ConsoleLogin
UnauthorizedAccess:EC2/TorClient
UnauthorizedAccess:EC2/TorRelay
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
$4.00 per 1 million CloudTrail events
100 servers = **$270 / month**
$270 * 12 months = **$3,240 / year**
https://aws.amazon.com/guardduty/pricing/
EC2 resource configuration, including public ports, CVEs, lack of SSL
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_limits.html
500 EC2 instances, per region, per account. These limits can be increased.
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages_across_os.html
Amazon Linux
Ubuntu 18.04, 16.04, 14.04
Debian 9.5 to 9.0, 8.7 to 8.0
RHEL 7.6 to 7.2, 6.9 to 6.2
CentOS 7.6 to 7.2, 6.9 to 6.2
Windows Server 2016, 2012 R2, 2012, 2008 R2
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
**Network Reachability - 13 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_network-reachability.html
Amazon EC2 instances
Application Load Balancers
Direct Connect
Elastic Load Balancers
Elastic Network Interfaces
Internet Gateways (IGWs)
Network Access Control Lists (ACLs)
Route Tables
Security Groups (SGs)
Subnets
Virtual Private Clouds (VPCs)
Virtual Private Gateways (VGWs)
VPC peering connections
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html
https://neprisstore.blob.core.windows.net/sessiondocs/doc_8ac75a77-40a4-4e08-a6c0-93b39b92abd8.pdf
**Runtime Behavior - 6 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_runtime-behavior-analysis.html
Non-Secure Client Protocols (Login)
Non-Secure Client Protocols (General)
Unused Listening TCP Ports
Non-Secure Server Protocols
Software Without Data Execution Prevention (DEP)
Root Process with Non-Secure Permissions
**Best Practices - 9 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_security-best-practices.html
Disable Root Login over SSH
Support SSH Version 2 Only
Disable Password Authentication Over SSH
Configure Password Maximum Age
Configure Password Minimum Length
Configure Password Complexity
Enable ASLR
Enable DEP
Configure Permissions for System Directories
$0.10 per EC2 instance, network assessment, per assessment
$0.15 per EC2 instance, host assessment, per assessment
$0.25 * 100 instances * 30 assessments a month = **$750 / month**
$750 per month * 12 months = **$9,000 / year**
https://aws.amazon.com/inspector/pricing/
Nessus is ~ $30 per server
100 instances * $30 = **$3,000 / month**
$3,000 per month * 12 months = **$36,000 / year**
Rapid7 Nexpose, Qualys
Track AWS resource configuration. Includes Managed and Custom rules.
26 - Compute (EC2, AMI, EBS, EIP, Volume, ELB, Lambda, SG, ASG)
approved-amis-by-id (amiIds)
approved-amis-by-tag (amisByTagKeyAndValue, up to 10)
autoscaling-group-elb-healthcheck-required
desired-instance-tenancy (tenancy, imageId, hostId)
desired-instance-type (instanceType)
ebs-optimized-instance
ec2-instance-detailed-monitoring-enabled
ec2-instance-managed-by-systems-manager
ec2-instances-in-vpc (vpcId)
ec2-managedinstance-applications-blacklisted (applicationNames, platformType)
ec2-managedinstance-applications-required (applicationNames, platformType)
ec2-managedinstance-association-compliance-status-check
ec2-managedinstance-inventory-blacklisted (inventoryNames, platformType)
ec2-managedinstance-patch-compliance-status-check
ec2-managedinstance-platform-check (agentVersion, platformType, platformVersion)
ec2-volume-inuse-check (deleteOnTermination)
eip-attached
ebs-encrypted-volumes (kmsId)
elb-acm-certificate-required
elb-custom-security-policy-ssl-check (ssl-protocols-and-ciphers)
elb-logging-enabled (s3BucketNames)
elb-predefined-security-policy-ssl-check (predefined-policy-name)
lambda-function-settings-check (runtime, role, timeout, memorySize)
lambda-function-public-access-prohibited
restricted-common-ports (blockedPort1 to blockedPort5)
restricted-ssh
10 - Database (RDS, DynamoDB, Redshift)
db-instance-backup-enabled
dynamodb-autoscaling-enabled
dynamodb-table-encryption-enabled
dynamodb-throughput-limit-check
rds-instance-public-access-check
rds-multi-az-support
rds-snapshots-public-prohibited
rds-storage-encrypted
redshift-cluster-configuration-check
redshift-cluster-maintenancesettings-check
15 - Management and Governance (CloudWatch, CloudTrail, CloudFormation, CodeBuild, CodePipeline)
cloud-trail-cloud-watch-logs-enabled
cloud-trail-encryption-enabled
cloudtrail-enabled
cloud-trail-log-file-validation-enabled
cloudformation-stack-drift-detection-check
cloudformation-stack-notification-check
cloudwatch-alarm-action-check
cloudwatch-alarm-resource-check
cloudwatch-alarm-settings-check
codebuild-project-envvar-awscred-check
codebuild-project-source-repo-url-check
codepipeline-deployment-count-check
codepipeline-region-fanout-check
multi-region-cloud-trail-enabled
required-tags
2 - Network and Content Delivery (VPC)
vpc-default-security-group-closed
vpc-flow-logs-enabled
20 - Security, Identity, & Compliance
(IAM User, Group, Role, MFA, ALB, ELB, CloudFront, CMK, ACM, GuardDuty, Shield)
access-keys-rotated
acm-certificate-expiration-check
cmk-backing-key-rotation-enabled
fms-shield-resource-policy-check
fms-webacl-resource-policy-check
guardduty-enabled-centralized
iam-group-has-users-check (has users)
iam-password-policy
iam-policy-blacklisted-check (exceptionList) ???
iam-policy-no-statements-with-admin-access (not Allow *:*)
iam-role-managed-policy-check (required managedPolicyNames)
iam-root-access-key-check
iam-user-group-membership-check (requires groupName)
iam-user-mfa-enabled
iam-user-no-policies-check (disable inline policies)
iam-user-unused-credentials-check (maxCredentialUsageAge = 90 days)
mfa-enabled-for-iam-console-access
root-account-hardware-mfa-enabled
root-account-mfa-enabled
iam-policy-requires-condition-resource-tags
iam-policy-requires-arn
ec2-instance-profile-role-secure (not Allow *:*)
10 - Storage (S3)
s3-blacklisted-actions-prohibited*
s3-bucket-logging-enabled
s3-bucket-policy-grantee-check*
s3-bucket-policy-not-more-permissive*
s3-bucket-public-read-prohibited*
s3-bucket-public-write-prohibited*
s3-bucket-replication-enabled
s3-bucket-server-side-encryption-enabled*
s3-bucket-ssl-requests-only*
s3-bucket-versioning-enabled
$1.00 per Rule * 85 rules * 18 regions * 1 AWS Account = **$1,530 / month**
$1,530 * 12 months = **$18,360 / year**
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
https://aws.amazon.com/config/pricing/
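As an added illustration (not AWS's own rule code), this mirrors the evaluation logic of two of the Compute rules listed above, restricted-ssh and restricted-common-ports (blockedPort1 to blockedPort5), over a constructed security group in the shape `describe-security-groups` returns; the default blocked ports and the handling of "-1" (all traffic) and ::/0 are assumptions noted in the comments.

```python
# Addresses that mean "anyone on the Internet" in an ingress rule.
WORLD = {"0.0.0.0/0", "::/0"}

# Assumed defaults of the managed rule's blockedPort1..blockedPort5 parameters.
DEFAULT_BLOCKED_PORTS = [20, 21, 3389, 3306, 4333]


def rule_exposes_port(rule: dict, port: int) -> bool:
    """Does one ingress rule (EC2 IpPermission shape) open TCP `port` to the world?"""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":          # "-1" is "all traffic"; udp/icmp rules carry no TCP
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]   # IPv6 counts too
    return any(c in WORLD for c in cidrs)


def restricted_ssh(sg: dict) -> str:
    """Mirror of restricted-ssh: NON_COMPLIANT if TCP/22 is open to 0.0.0.0/0 or ::/0."""
    exposed = any(rule_exposes_port(r, 22) for r in sg.get("IpPermissions", []))
    return "NON_COMPLIANT" if exposed else "COMPLIANT"


def restricted_common_ports(sg: dict, blocked=DEFAULT_BLOCKED_PORTS) -> dict:
    """Mirror of restricted-common-ports: report which blocked ports are world-reachable."""
    rules = sg.get("IpPermissions", [])
    open_ports = sorted(p for p in blocked if any(rule_exposes_port(r, p) for r in rules))
    return {"compliance": "NON_COMPLIANT" if open_ports else "COMPLIANT", "ports": open_ports}


# Constructed sample security group (not real data). Note the three edge cases:
# SSH limited on IPv4 but open on IPv6, a wide TCP range that swallows 3306 and
# 3389, and a UDP rule on 20-21 that does not count against a TCP-port check.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 20, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(restricted_ssh(SAMPLE_SG))           # NON_COMPLIANT
    print(restricted_common_ports(SAMPLE_SG))  # {'compliance': 'NON_COMPLIANT', 'ports': [3306, 3389]}
```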
Audit S3 bucket configuration.
https://docs.aws.amazon.com/macie/latest/userguide/macie-classify-data.html
https://aws.amazon.com/macie/pricing/
Inventory of EC2 instances. Allows auditing what's within the EC2 instance, and running ad-hoc scripts.
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html
https://aws.amazon.com/blogs/mt/using-aws-systems-manager-inventory-with-tags/
Free, when using hosted EC2
https://aws.amazon.com/systems-manager/pricing/
Multi-account dashboard system for AWS GuardDuty, Inspector, and Macie. Very new, released on 2018-11-28, in Preview.
https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-security-hub/
https://aws.amazon.com/security-hub/features/
Free... for now.
Secure account setup
In Preview since Nov 2018. Secure, multi-account account setup.