@apolloclark
Last active June 26, 2019 14:32
AWS Regions

18 regions, +2 in China, +2 GovCloud

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

AWS CloudWatch Dashboards

Released on 2015-10-08

https://aws.amazon.com/blogs/aws/cloudwatch-dashboards-create-use-customized-metrics-views/

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html

Insights, released on 2018-11-27

https://aws.amazon.com/about-aws/whats-new/2018/11/announcing-amazon-cloudwatch-logs-insights-fast-interactive-log-analytics/

https://aws.amazon.com/blogs/aws/new-amazon-cloudwatch-logs-insights-fast-interactive-log-analytics/

AWS Trusted Advisor - Basics, 60 alerts

Basic hygiene.

https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/

9 - Cost
  EC2 Reserved Instances
  Low Use EC2 Instances
  Idle Load Balancers
  Underutilized EBS Volumes
  Unassociated EIP
  Idle RDS DB Instance
  Route 53 Latency Record Set
  EC2 Reserved Instance Lease Expired
  Underutilized Redshift Cluster
17 - Security
  Security Groups - Specific Ports Unrestricted
  Security Groups - Unrestricted
  IAM Use
  S3 Bucket Permissions
  MFA on Root Account
  RDS Security Group Access Risk
  CloudTrail Logging
  Route53 MX and SPF records
  ELB Listener Security
  ELB Security Groups
  Cloudfront Custom SSL Cert in the IAM Cert Store
  Cloudfront SSL Cert on the Origin Server
  Exposed Access Keys
  EBS Public Snapshots
  RDS Public Snapshots
  IAM Password Policy
  IAM Access key rotation
24 - Fault Tolerance
  EBS Snapshot age
  EC2 Availability Zone Balance
  ELB EC2 Instances balanced across AZs
  VPC Tunnel Redundancy, 2+
  ASG Launch Config valid
  RDS Backups enabled
  RDS Multi-AZ enabled
  ASG Health Check enabled
  S3 Bucket logging
  Route53 Name Server delegation
  Route53, High TTL
  Route53, Failover enabled
  Route53, Healthchecks
  ELB, Connection Draining
  ELB Cross-Zone
  S3 Bucket Versioning
  Direct Connect, Connection Redundancy
  Direct Connect, Location redundancy
  Direct Connect, Virtual Interface redundancy
  Aurora DB, accessibility within cluster
  EC2Config, for EC2 Windows
  PV Driver, for EC2 Windows
  ENA Driver, for EC2 Windows
  NVMe Driver, for EC2 Windows
10 - Performance
  EC2, High CPU, more than 90% on 4+ days, within past 14 days
  EC2, IOPS EBS, on unoptimized AMI
  SG, large number of rules
  EC2, large number of SGs
  Route53, Alias Records
  EBS, Magnetic Volume overused
  CloudFront, S3 bucket should be changed over
  CloudFront, Header Forwarding and Cache Hit Ratio
  EC2, has throughput higher than EBS Volume
  CloudFront, Alternative Domain

**$100 / month, per account**

$100 * 12 months = **$1,200 / year**

https://aws.amazon.com/premiumsupport/plans/

AWS GuardDuty - NIDS (EC2, IAM), 52 alerts

Uses CloudTrail, VPC Flow Logs, and DNS logs for network intrusion detection.

8 - Backdoor
2 - Behavior
  EC2/NetworkPortUnusual
  EC2/TrafficVolumeUnusual
2 - CryptoCurrency
3 - PenTest
  Kali
  Parrot
  Pentoo
3 - Persistence
  IAMUser/NetworkPermissions, changed SG, route, acl
  IAMUser/ResourcePermissions, security access control change
  IAMUser/UserPermissions, modified IAM User, Group, or Policy
1 - Policy
  IAMUser/RootCredentialUsage, AWS API as root
8 - Recon
  Recon:EC2/PortProbeUnprotectedPort
  Recon:IAMUser/TorIPCaller
  Recon:IAMUser/MaliciousIPCaller.Custom
  Recon:IAMUser/MaliciousIPCaller
  Recon:EC2/Portscan
  Recon:IAMUser/NetworkPermissions
  Recon:IAMUser/ResourcePermissions
  Recon:IAMUser/UserPermissions
1 - Resource Consumption
  IAMUser/ComputeResources, launched EC2
3 - Stealth
  IAMUser/PasswordPolicyChange
  IAMUser/CloudTrailLoggingDisabled
  IAMUser/LoggingConfigurationModified
9 - Trojan
12 - Unauthorized
  UnauthorizedAccess:IAMUser/TorIPCaller
  UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
  UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
  UnauthorizedAccess:IAMUser/MaliciousIPCaller
  UnauthorizedAccess:EC2/TorIPCaller
  UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
  UnauthorizedAccess:EC2/SSHBruteForce
  UnauthorizedAccess:EC2/RDPBruteForce
  UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
  UnauthorizedAccess:IAMUser/ConsoleLogin
  UnauthorizedAccess:EC2/TorClient
  UnauthorizedAccess:EC2/TorRelay

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

$4.00 per 1 million CloudTrail events

100 servers = **$270 / month**
$270 * 12 months = **$3,240 / year**

https://aws.amazon.com/guardduty/pricing/
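Added example (not from the gist): a small triage step over GuardDuty findings, of the kind a SIEM ingestion step would run. It relies on the documented format of the finding `type` field, ThreatPurpose:ResourceTypeAffected/ThreatFindingName (the same scheme the category list above follows), and on the documented severity bands (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9). The sample findings, their ids and severity scores, and the paging rule are constructed assumptions.

```python
# Added example, not part of the gist: route GuardDuty findings by the
# ThreatPurpose:ResourceTypeAffected/ThreatFindingName naming scheme and
# by severity band.
from collections import Counter


def severity_label(severity):
    """Map the numeric GuardDuty severity to its documented band."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_finding_type(finding_type):
    """Split e.g. 'Recon:EC2/Portscan' into its three documented parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, name = rest.split("/", 1)
    return {"purpose": purpose, "resource": resource, "name": name}


def triage(findings):
    """Count findings per threat purpose and pick the ones to page on.

    Paging rule used here (an assumption, tune to taste): anything HIGH,
    plus any Stealth or Persistence finding regardless of score, because
    those change logging or IAM and are cheap to act on early.
    """
    by_purpose = Counter()
    page = []
    for f in findings:
        parts = parse_finding_type(f["type"])
        by_purpose[parts["purpose"]] += 1
        label = severity_label(f["severity"])
        if label == "HIGH" or parts["purpose"] in ("Stealth", "Persistence"):
            page.append((f["id"], f["type"], label))
    return by_purpose, page


# Constructed sample findings: only the 'id', 'type' and 'severity' fields
# of a GuardDuty finding; ids and scores are placeholders.
SAMPLE_FINDINGS = [
    {"id": "finding-0001", "type": "Recon:EC2/Portscan", "severity": 5.0},
    {"id": "finding-0002", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0},
    {"id": "finding-0003", "type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2.0},
    {"id": "finding-0004", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", "severity": 8.0},
    {"id": "finding-0005", "type": "Recon:IAMUser/MaliciousIPCaller.Custom", "severity": 5.0},
]

if __name__ == "__main__":
    counts, to_page = triage(SAMPLE_FINDINGS)
    for purpose, n in sorted(counts.items()):
        print(f"{purpose:20s} {n}")
    for fid, ftype, label in to_page:
        print("PAGE", label, fid, ftype)
```

The point of splitting on the `type` string rather than matching full names is that new finding types keep landing in the right bucket (Recon, Stealth, and so on) without a code change.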

AWS Inspector - EC2, 28 alerts

EC2 resource configuration, including public ports, CVEs, lack of SSL

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_limits.html

500 EC2 instances, per region, per account. These limits can be increased.

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages_across_os.html

  Amazon Linux
  Ubuntu 18.04, 16.04, 14.04
  Debian 9.5 to 9.0, 8.7 to 8.0
  RHEL 7.6 to 7.2, 6.9 to 6.2
  CentOS 7.6 to 7.2, 6.9 to 6.2
  Windows Server 2016, 2012 R2, 2012, 2008 R2

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html

**Network Reachability - 13 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_network-reachability.html
  Amazon EC2 instances
  Application Load Balancers
  Direct Connect
  Elastic Load Balancers
  Elastic Network Interfaces
  Internet Gateways (IGWs)
  Network Access Control Lists (ACLs)
  Route Tables
  Security Groups (SGs)
  Subnets
  Virtual Private Clouds (VPCs)
  Virtual Private Gateways (VGWs)
  VPC peering connections

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html

https://neprisstore.blob.core.windows.net/sessiondocs/doc_8ac75a77-40a4-4e08-a6c0-93b39b92abd8.pdf

**Runtime Behavior - 6 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_runtime-behavior-analysis.html
  Non-Secure Client Protocols (Login)
  Non-Secure Client Protocols (General)
  Unused Listening TCP Ports
  Non-Secure Server Protocols
  Software Without Data Execution Prevention (DEP)
  Root Process with Non-Secure Permissions
**Best Practices - 9 alerts**
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_security-best-practices.html
  Disable Root Login over SSH
  Support SSH Version 2 Only
  Disable Password Authentication Over SSH
  Configure Password Maximum Age
  Configure Password Minimum Length
  Configure Password Complexity
  Enable ASLR
  Enable DEP
  Configure Permissions for System Directories
$0.10 per EC2 instance, network assessment, per assessment
$0.15 per EC2 instance, host assessment, per assessment

$0.25 * 100 instances * 30 assessments a month = **$750 / month**
$750 per month * 12 months = **$9,000 / year**

https://aws.amazon.com/inspector/pricing/

Nessus

Nessus is ~$30 per server
100 instances * $30 = **$3,000 / month**
$3,000 per month * 12 months = **$36,000 / year**

Rapid7 Nexpose, Qualys

AWS Config - Resources, 93 alerts

Track AWS resource configuration. Includes Managed and Custom rules.

26 - Compute (EC2, AMI, EBS, EIP, Volume, ELB, Lambda, SG, ASG)
  approved-amis-by-id (amiIds)
  approved-amis-by-tag (amisByTagKeyAndValue, up to 10)
  autoscaling-group-elb-healthcheck-required
  desired-instance-tenancy (tenancy, imageId, hostId)
  desired-instance-type (instanceType)
  ebs-optimized-instance
  ec2-instance-detailed-monitoring-enabled
  ec2-instance-managed-by-systems-manager
  ec2-instances-in-vpc (vpcId)
  ec2-managedinstance-applications-blacklisted (applicationNames, platformType)
  ec2-managedinstance-applications-required (applicationNames, platformType)
  ec2-managedinstance-association-compliance-status-check
  ec2-managedinstance-inventory-blacklisted (inventoryNames, platformType)
  ec2-managedinstance-patch-compliance-status-check
  ec2-managedinstance-platform-check (agentVersion, platformType, platformVersion)
  ec2-volume-inuse-check (deleteOnTermination)
  eip-attached
  ebs-encrypted-volumes (kmsId)
  elb-acm-certificate-required
  elb-custom-security-policy-ssl-check (ssl-protocols-and-ciphers)
  elb-logging-enabled (s3BucketNames)
  elb-predefined-security-policy-ssl-check (predefined-policy-name)
  lambda-function-settings-check (runtime, role, timeout, memorySize)
  lambda-function-public-access-prohibited
  restricted-common-ports (blockedPort1 to blockedPort5)
  restricted-ssh
10 - Database (RDS, DynamoDB, Redshift)
  db-instance-backup-enabled
  dynamodb-autoscaling-enabled
  dynamodb-table-encryption-enabled
  dynamodb-throughput-limit-check
  rds-instance-public-access-check
  rds-multi-az-support
  rds-snapshots-public-prohibited
  rds-storage-encrypted
  redshift-cluster-configuration-check
  redshift-cluster-maintenancesettings-check
15 - Management and Governance (Cloudwatch, Cloudtrail, CloudFormation, CodeBuild, CodePipeline)
  cloud-trail-cloud-watch-logs-enabled
  cloud-trail-encryption-enabled
  cloudtrail-enabled
  cloud-trail-log-file-validation-enabled
  cloudformation-stack-drift-detection-check
  cloudformation-stack-notification-check
  cloudwatch-alarm-action-check
  cloudwatch-alarm-resource-check
  cloudwatch-alarm-settings-check
  codebuild-project-envvar-awscred-check
  codebuild-project-source-repo-url-check
  codepipeline-deployment-count-check
  codepipeline-region-fanout-check
  multi-region-cloud-trail-enabled
  required-tags
2 - Network and Content Delivery (VPC)
  vpc-default-security-group-closed
  vpc-flow-logs-enabled
20 - Security, Identity, & Compliance
  (IAM User, Group, Role, MFA, ALB, ELB, CloudFront, CMK, ACM, GuardDuty, Shield)
  access-keys-rotated
  acm-certificate-expiration-check
  cmk-backing-key-rotation-enabled
  fms-shield-resource-policy-check
  fms-webacl-resource-policy-check
  guardduty-enabled-centralized
  iam-group-has-users-check (has users)
  iam-password-policy
  iam-policy-blacklisted-check (exceptionList) ???
  iam-policy-no-statements-with-admin-access (not Allow *:*)
  iam-role-managed-policy-check (required managedPolicyNames)
  iam-root-access-key-check
  iam-user-group-membership-check (requires groupName)
  iam-user-mfa-enabled
  iam-user-no-policies-check (disable inline policies)
  iam-user-unused-credentials-check (maxCredentialUsageAge = 90 days)
  mfa-enabled-for-iam-console-access
  root-account-hardware-mfa-enabled
  root-account-mfa-enabled

  iam-policy-requires-condition-resource-tags
  iam-policy-requires-arn
  ec2-instance-profile-role-secure (not Allow *:*)
10 - Storage (S3)
  s3-blacklisted-actions-prohibited*
  s3-bucket-logging-enabled
  s3-bucket-policy-grantee-check*
  s3-bucket-policy-not-more-permissive*
  s3-bucket-public-read-prohibited*
  s3-bucket-public-write-prohibited*
  s3-bucket-replication-enabled
  s3-bucket-server-side-encryption-enabled*
  s3-bucket-ssl-requests-only*
  s3-bucket-versioning-enabled

$1.00 per Rule * 85 rules * 18 regions * 1 AWS Account = **$1,530 / month**

$1,530 * 12 months = **$18,360 / year**

https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_getting-started.html

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/

https://aws.amazon.com/config/pricing/
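Added example (not from the gist, and not AWS code): the evaluation logic of a custom AWS Config rule in Python, written in the shape Config invokes a Lambda with (`invokingEvent`, `ruleParameters` and `resultToken` in the event, `put_evaluations` for the verdict). It checks the same condition as the managed restricted-ssh and restricted-common-ports rules above: a security group that admits 0.0.0.0/0 or ::/0 on a blocked port. The `blockedPorts` parameter name, the sample security group, its ids and timestamps are constructed; `put_evaluations` is injected so the logic runs without boto3 or credentials.

```python
# Added example, not part of the gist: a custom AWS Config rule that flags
# security groups exposing blocked ports to the whole internet.
import json

DEFAULT_BLOCKED_PORTS = (22, 3389)          # assumption: SSH and RDP
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(perm, port):
    """Does this ipPermissions entry admit TCP traffic to `port`?"""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:           # tcp with no range = all ports
        return True
    return lo <= port <= hi


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range on the entry is the whole internet."""
    v4 = any(r.get("cidrIp") in OPEN_CIDRS for r in perm.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") in OPEN_CIDRS for r in perm.get("ipv6Ranges", []))
    return v4 or v6


def find_world_open_ports(config_item, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Sorted list of blocked ports reachable from 0.0.0.0/0 or ::/0."""
    perms = config_item.get("configuration", {}).get("ipPermissions", [])
    hits = set()
    for perm in perms:
        if not _open_to_world(perm):
            continue
        hits.update(p for p in blocked_ports if _rule_covers_port(perm, p))
    return sorted(hits)


def evaluate(config_item, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    open_ports = find_world_open_ports(config_item, blocked_ports)
    if open_ports:
        return "NON_COMPLIANT", "Open to the world: " + ", ".join(map(str, open_ports))
    return "COMPLIANT", "No blocked port open to 0.0.0.0/0 or ::/0"


def lambda_handler(event, context=None, put_evaluations=None):
    """Entry point in the shape AWS Config calls a custom rule Lambda.

    In production pass boto3.client("config").put_evaluations; here it is
    injected so the rule can be exercised offline.
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    blocked = tuple(int(p) for p in params.get("blockedPorts", "22,3389").split(","))
    item = invoking["configurationItem"]
    compliance, annotation = evaluate(item, blocked)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if put_evaluations is not None:
        put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: SSH open to the world, RDP only from a private range,
# HTTPS open to the world (allowed). Ids and timestamps are placeholders.
SAMPLE_CONFIG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2019-06-26T14:32:00.000Z",
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ],
    },
}

SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CONFIG_ITEM}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "placeholder-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Note the two edge cases the managed rules also handle: an entry with `ipProtocol` `-1` (all traffic) counts as every port, and a `tcp` entry with no port range counts as all TCP ports; a naive `fromPort == 22` comparison misses both.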

AWS Macie

Audit S3 bucket configuration.

https://docs.aws.amazon.com/macie/latest/userguide/macie-classify-data.html

https://aws.amazon.com/macie/pricing/

AWS Systems Manager

Inventory of EC2 instances. Allows auditing what's within the EC2 instance, and running ad-hoc scripts.

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html

https://aws.amazon.com/blogs/mt/using-aws-systems-manager-inventory-with-tags/

Free, when using hosted EC2

https://aws.amazon.com/systems-manager/pricing/

AWS Security Hub

Multi-account dashboard for AWS GuardDuty, Inspector, and Macie. Very new: released on 2018-11-28, in Preview.

https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-security-hub/

https://aws.amazon.com/security-hub/features/

Free... for now.

AWS Landing Zone

Secure account setup

https://aws.amazon.com/blogs/enterprise-strategy/aws-control-tower-and-aws-security-hub-powerful-enterprise-twins/

AWS Control Tower

In Preview since Nov 2018. Secure multi-account setup.

https://aws.amazon.com/controltower/
