Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Download as PPTX, PDF0 likes164 views
This document discusses using ScoutSuite to audit cloud security in AWS. It provides instructions for installing and running ScoutSuite against an AWS account to check for common misconfigurations. The document concludes with recommendations for quick wins like restricting security groups and enabling encryption, as well as longer-term work such as enabling CloudTrail logging and meeting PCI DSS requirements.
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
- 1. Cloud Security Hardening та аудит хмарної безпеки за допомогою ScoutSuite
- 2. Syllabus • Common misconfigurations in AWS EC2 via ScoutSuite • General security hardening • Conclusions
- 3. For Linux: https://github.com/nccgroup/ScoutSuite git clone https://github.com/nccgroup/ScoutSuite.git cd ScouteSuite pip3 install –r requirements.txt python3 scout.py aws --profile owasp --report-dir test For MacOS better to use docker - clone the repository, change directory docker build -t scoutsuite:latest . docker run --rm -t -v $HOME/<user/.aws:/root/.aws:ro -v "$(pwd)/results:/opt/scoutsuite-report" scoutsuite:latest aws --profile default
- 7. CloudTrail – view events for your AWS account Cloud trail gives an ability to config data events been saved to external S3 bucket or to AWS Lambda.
- 27. Conclusions: Quick Wins • Check security groups at EC2 dashboard – open unused ports. • Enable default encryption for new volumes. • Config SSH port for inbound traffic from direct IP. • Double check your IAM Groups, Users, Policies. • MFA for root and admin accounts.
- 28. Conclusions: 2nd tier work • CloudTrail – saving log to external instance. • Enable encryption for all critical endpoints. • Enable backup for all critical endpoints. • Enable minor updates.
- 29. Conclusions: PCI DSS as an example • 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic • 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system • 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. • 6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers • 7.1 Limit access to system components and cardholder data critical endpoints to only those individuals whose job requires such access • Passwords requirements (8.2.3 - 8.2.5) • 8.3 Secure all individual non-console administrative access and all remote access to the CDE critical endpoints using multi-factor authentication. • Requirement 10: Track and monitor all access to network resources
- 30. Resources: https://github.com/nccgroup/ScoutSuite - utility https://github.com/nccgroup/sadcloud - vuln env https://github.com/nccgroup/ScoutSuite/wiki https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges- Policy
Editor's Notes
- #23: Redshift - petabyte-scale cloud based data warehouse product designed for large scale data set storage and analysis.