Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Categories
Blogs

Amazon Inspector: Automated and continual vulnerability management at scale

How to use Amazon Inspector for automated and continual vulnerability management at scale.

What is Amazon Inspector?

Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure.

How it works.

Amazon Inspector is an automated vulnerability management service that scans AWS workloads for software vulnerabilities and unintended network exposure. At a high level, Amazon Inspector depends on the SSM agent being installed on the EC2 instance it scans; the agent is what collects and reports the security findings. Additionally, the instance needs an IAM role that grants it SSM permissions, because Inspector uses the SSM agent to connect to the instance. Note that as of November 2023, a new agentless scanning option is available in preview.

AWS Inspector can be supported at the organizational level and scan all accounts in the organization; however, the scope of this blog will be a single account.

In this use case, we will see how Amazon Inspector helps identify a network reachability vulnerability by checking which ports on the instance are reachable from the internet.

Let’s proceed as follows.

Log in to your AWS account using your admin account or an account with admin privileges.

Creation of a new IAM role for the EC2 use case

Remember, Amazon Inspector depends on the instance having an SSM role, or a role with SSM permissions, so that it can communicate with the SSM agent inside the EC2 instance. Let’s create this role.

Navigate to IAM, click on Roles, then click on the Create role button. You will be prompted to select an entity type; in our case, select “AWS service”, and for the service select EC2. This creates a trust policy that allows EC2 to assume the role. Click Next.

Now we must add permissions to the role that the EC2 will assume. Under the Add permissions config screen, search for AmazonSSMManagedInstanceCore, select it, and click Next.

In the next window, give the role a name (SSMRoleForInspector) and click Create role.

Creation of EC2 Instance

Go to the AWS Management Console, select instances in the EC2 console, then click Launch instances in the instances dashboard shown below.

Set the Name to nameEC2Demo, and under Instance type, select t2.micro, which is free tier eligible. Scroll down.

Under Application and OS Images, select the Quick Start tab and choose Amazon Linux. Under AMI, select Amazon Linux 2 AMI, which is also free tier eligible.

Scroll down to the firewall and security section, choose Select existing security group, then pick the default security group. Click Launch instance.

Attach the SSM agent role to the EC2 instance.

Select your instance, click on Actions, then click Security, and then click on Modify IAM role.

Within the Modify IAM role screen, select the role you created earlier. In my case, I am selecting SSMRoleForInspector. Click on Update IAM role.

Select your instance, then move to the Security tab and select the default security group. Then click Edit inbound rules.

Click Add rule and open port 21 (FTP) to anywhere (0.0.0.0/0), then click Save rules.

Note: Keeping port 21 open on our instances is not recommended. We are deliberately inducing a security threat here so that Inspector has something to find.

Running Amazon Inspector to discover the security vulnerabilities.

Go to the management console under services and select Amazon Inspector. Then click Get Started.

Activate Inspector and view your permissions.

Once Inspector is activated, we will get a green banner as our first scan is underway.

Go to Account Management, then move to the Instances tab and select unmanaged instances. You will see the below message.

This means this instance is not managed by SSM. Please click on the instructions hyperlink to remediate the issue.

It redirects you to AWS Systems Manager; under Input parameters, choose the instance ID and click Execute.

Once execution is completed, Go to Amazon Inspector and select the instance findings.

Go to Findings, where you will see the induced threat listed with High severity.

Go to EC2 Instances, open the security group’s inbound rules, and delete the port 21 rule you added. Click Save rules.

To review the findings again, go to Account Management, Instances, and select unmanaged instances. Follow the instructions as before (supplying the instance ID, etc.) and click Execute.

With this, we have seen now how Amazon Inspector helps to find the Network Reachability vulnerability.
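The finding Inspector raised came from a rule that can also be checked directly in the security group definition. As an added example (not code from the original post), the Python below scans a constructed describe-security-groups response for ingress rules open to the whole internet, such as the port 21 rule above, and emits the AWS CLI command that removes each one; the group id and the rules are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not captured from a real account; the group id is a placeholder). It holds
# the FTP rule from the walkthrough (port 21 open to anywhere), an SSH rule
# limited to a private range, and an all-protocols rule open to all of IPv6.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "default",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    }],
})

# Sources that mean "anywhere on the internet" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def internet_exposed_rules(describe_output):
    """Return one (group_id, protocol, from_port, to_port, cidr) tuple for each
    ingress rule whose source is the whole internet. IpProtocol "-1" means all
    protocols and carries no port keys, so its ports are reported as None."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.append((group["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def revoke_command(finding):
    """Build the `aws ec2 revoke-security-group-ingress` command that removes
    exactly the offending rule (the CLI equivalent of deleting it in the console)."""
    group_id, proto, from_port, to_port, cidr = finding
    perm = {"IpProtocol": proto}
    if from_port is not None:          # "-1" rules have no port range
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    if ":" in cidr:                    # IPv6 sources use a different key
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([perm])}'")


if __name__ == "__main__":
    for finding in internet_exposed_rules(SAMPLE_DESCRIBE_OUTPUT):
        print("EXPOSED:", finding)
        print("  fix:", revoke_command(finding))
```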

To avoid billing, terminate the instances that you created and make sure you deactivate Amazon Inspector for all instances.

This brings us to the end of this demo. Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


How To Monitor AWS API Activity with AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It captures information about the API actions made in your account, whether through the AWS Management Console, AWS SDKs, command line tools, or other AWS services.

What is CloudTrail?

CloudTrail continuously monitors and logs account activity across all AWS services, including actions taken by a user, role, or AWS service. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Why Use CloudTrail?

Here are some key reasons to use CloudTrail:

Audit Compliance: CloudTrail logs provide detailed records of all API calls, which can be used to audit compliance.
Security Analysis: The API call logs can be analyzed to detect anomalous activity and unauthorized access, and to investigate security issues.
Operational Issues: The activity history can help troubleshoot operational issues by pinpointing when an issue began and what actions were taken.
Resource Changes: You can identify what changes were made to AWS resources by viewing CloudTrail events.

CloudTrail Log Files

CloudTrail log files contain the history of API calls made on your account. These log files are stored in Amazon S3 buckets that you specify. You can define S3 buckets per region or use the same bucket for all regions.

The log files capture API activity from all Regions and are delivered every 5 minutes. You can easily search and analyze the logs using Amazon Athena, Amazon Elasticsearch, and other tools.

CloudTrail Events

CloudTrail categorizes events into two types:

Management events

Provides information about management operations performed on resources in your AWS account. These include operations like creating, modifying, and deleting resources.

Data events

Provides information about resource operations performed on or in a resource. These include operations like Amazon S3 object-level API activity.

By default, AWS logs and retains management events for 90 days, but this timeframe may not meet your requirements. To retain events longer, you can create a CloudTrail trail, which delivers events to S3 for indefinite retention. Each trail you create can be region-specific or apply to all regions. Furthermore, you can use CloudWatch Events to trigger actions based on API calls that are made and logged in CloudTrail.

Using information generated by CloudTrail.

In the above architecture, CloudTrail logs API actions for 90 days. We can then create a trail and deliver our events to Amazon S3 indefinitely. We can also enable log file integrity validation, which checks whether logged events have been tampered with, ensuring the accuracy of logged events for auditing and compliance. Additionally, we can trigger notifications through SNS topics upon log file publication. We can also forward events to CloudWatch Logs, enabling actions like setting alarms or using subscription filters; alarms triggered by CloudWatch Logs can execute Lambda functions or notify through SNS topics. Forwarding events to CloudWatch Events can likewise trigger Lambda functions based on API actions. So, there are many ways to use the information generated by CloudTrail.

Hands-on creation of CloudTrail trail.

Log into the management console then in the search box under services, type CloudTrail, then select CloudTrail under services.
In the CloudTrail dashboard click Create a Trail.
Under trail name, give it a name and call it management events. We will create this trail only for this account so we will not tick the box for enable for all accounts in my organization.

The trail needs a storage location; by default, CloudTrail creates a new S3 bucket and gives it a unique name, so we will leave that as the default.
To encrypt the log files in your bucket, choose to create a new KMS key and call it CloudTrail.

Log file validation is enabled by default. Scroll down.
Under CloudWatch Logs, enable it. CloudTrail needs a role to deliver the trail’s events to CloudWatch Logs, so select a new role and give it a name, then scroll down and click Next.
Under event type, we will proceed with management events.
For API activity, select both Read and Write, then click Next, review, and click Create trail.
We have successfully created a trail and we can see its status is logging.

This brings us to the end of this blog. Remember to clean up the resources you created.

Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!

Benefits of Using AWS Secrets Manager Part One

Safeguarding Your Secrets: The Importance of Using AWS Secrets Manager Part One

What is a Secrets Manager?

Secrets Manager is a specialized tool or service designed to securely store, manage, and retrieve sensitive information. In addition, it enables us to replace credentials embedded in our code, such as passwords, with an API call to Secrets Manager that retrieves the secret programmatically. This ensures that anyone examining our code cannot compromise the secrets, as they no longer exist in the application code. Additionally, the secrets are managed independently of the application’s development. Furthermore, we can configure Secrets Manager to automatically rotate a secret on a specified schedule. Consequently, this allows us to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

Key Benefits of Using a Secrets Manager:

  • Enhanced Security
  • Centralized Management
  • Automated Rotation
  • Audit Trails

Concepts required to understand AWS Secrets Manager.

Secret – A secret consists of the secret information, the secret value, plus metadata about the secret. A secret value can be a string or binary. To store multiple string values in one secret, we recommend that you use a JSON text string with key/value pairs.

A secret’s metadata includes: An Amazon Resource Name (ARN)
Version – A secret has versions that hold copies of the encrypted secret value. When you change the secret value or rotate the secret, Secrets Manager creates a new version. Secrets Manager doesn’t store a linear history of versions; instead, it keeps track of three specific versions by labeling them:
  • The current version – AWSCURRENT
  • The previous version – AWSPREVIOUS
  • The pending version (during rotation) – AWSPENDING
Rotation – Rotation is the process of periodically updating a secret to make it more difficult for an attacker to access the credentials. In Secrets Manager, you can set up automatic rotation for your secrets. When Secrets Manager rotates a secret, it updates the credentials in both the secret and the database or service.
Rotation strategy – Secrets Manager offers two rotation strategies:
Single User: This strategy updates credentials for one user in one secret. The user must have permission to update their password. This is the simplest rotation strategy, and it is appropriate for most use cases.
Alternating Users: This strategy updates credentials for two users in one secret. You create the first user, and during the first rotation, the rotation function clones it to create the second user. Every time the secret rotates, the rotation function alternates which user’s password it updates. However, most users lack permission to clone themselves, so you must provide the credentials for a superuser in another secret.

Who Can Use Secrets Manager

Users of Secrets Manager typically have one of the following roles:
IT Admins: An IT Admin is responsible for storing and managing secrets.
Security Admin: As a Security Admin responsible for ensuring regulatory and compliance requirements, you can use Secrets Manager to audit and monitor secret usage and to ensure necessary secret rotation.
Developer: As a developer, you can onboard to Secrets Manager so that you don’t have to worry about managing secrets in your code.

Features

Rotate Secrets Safely: Without worrying about updating or deploying the code, you can easily rotate secrets.
Manage Access with Fine-grained Policies: Identity and Access Management (IAM) policies control access to secrets. For example, you can create a policy that allows developers to access secrets for development purposes.
Secure and audit secrets centrally: Secrets are secured by encrypting them with encryption keys, which you can easily achieve using AWS Key Management Service (KMS).
Pay as you go: The charges will only apply based on the number of secrets managed by the Secrets Manager and the number of Secrets Manager API calls you make.
Retrieve Secrets programmatically: With Secrets Manager, you can programmatically retrieve encrypted secret values at runtime.
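To show what “retrieve secrets programmatically” and the JSON key/value convention look like in application code, here is an added Python example (not code from the original post). It uses a hypothetical in-memory stand-in for the boto3 secretsmanager client so it runs offline; with boto3, the same load_db_credentials function works unchanged when passed boto3.client("secretsmanager"). Secret names, hostnames and passwords are placeholders.

```python
import json


class FakeSecretsManagerClient:
    """Offline stand-in for boto3.client("secretsmanager"): get_secret_value()
    returns the same dict shape boto3 does (ARN, Name, VersionStages, SecretString)."""

    def __init__(self, secrets):
        self._secrets = secrets  # {secret name: {staging label: JSON string}}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        stages = self._secrets.get(SecretId, {})
        if VersionStage not in stages:
            # boto3 raises ResourceNotFoundException here; a plain error suffices offline
            raise LookupError(f"ResourceNotFoundException: {SecretId} ({VersionStage})")
        return {"ARN": f"arn:aws:secretsmanager:us-east-1:111122223333:secret:{SecretId}-AbCdEf",
                "Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": stages[VersionStage]}


def _rds_secret(password):
    # Constructed RDS-style secret: the JSON key/value layout Secrets Manager uses
    # for database credentials. Host and passwords are placeholders.
    return json.dumps({"username": "admin", "password": password, "engine": "mysql",
                       "host": "example.cluster.us-east-1.rds.amazonaws.com",
                       "port": 3306, "dbname": "appdb"})


# One secret after a completed rotation, so AWSCURRENT and AWSPREVIOUS both exist.
DEMO_CLIENT = FakeSecretsManagerClient({
    "DemoDbSecret": {"AWSCURRENT": _rds_secret("placeholder-pw-v2"),
                     "AWSPREVIOUS": _rds_secret("placeholder-pw-v1")},
})

REQUIRED_KEYS = ("username", "password", "host", "port")


def load_db_credentials(client, secret_id, stage="AWSCURRENT"):
    """Fetch the secret at runtime (instead of embedding the password in code)
    and parse its JSON key/value pairs into connection parameters."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=stage)
    if "SecretString" not in resp:
        raise ValueError("expected a JSON string secret, got a binary secret")
    data = json.loads(resp["SecretString"])
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise KeyError(f"secret {secret_id} is missing keys: {missing}")
    return {"user": data["username"], "password": data["password"],
            "host": data["host"], "port": int(data["port"]),
            "database": data.get("dbname")}


def credentials_changed_by_rotation(client, secret_id):
    """True when AWSCURRENT and AWSPREVIOUS hold different passwords, which is
    what a completed rotation looks like from the application's side."""
    now = load_db_credentials(client, secret_id, "AWSCURRENT")
    before = load_db_credentials(client, secret_id, "AWSPREVIOUS")
    return now["password"] != before["password"]


if __name__ == "__main__":
    creds = load_db_credentials(DEMO_CLIENT, "DemoDbSecret")
    print({k: v for k, v in creds.items() if k != "password"})
    print("rotated:", credentials_changed_by_rotation(DEMO_CLIENT, "DemoDbSecret"))
```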

Use cases of AWS Secrets Manager

  • Newer service, meant for storing secrets.
  • Capability to force rotation of secrets every X days.
  • Automate generation of secrets on rotation (uses Lambda).
  • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora).
  • Ability to encrypt secrets using KMS.
  • Mostly meant for RDS integration.

This brings us to the end of this blog. Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


How to Store Secrets with Secrets Manager – Part II

Securing secrets is crucial in modern software development, and AWS Secrets Manager serves as a key solution. As a fully managed service from Amazon Web Services (AWS), it effectively safeguards sensitive information, such as API keys and database passwords.

AWS Secrets Manager enables you to centralize and manage access to sensitive data, reducing the risk of unauthorized access. Additionally, it facilitates regular rotation and auditing of secrets, enhancing overall application security. Moreover, its seamless integration with other AWS services simplifies the implementation of security best practices in your infrastructure.

Task: Creating an RDS Database, Managing Credentials with Secrets Manager, and Auditing with CloudTrail.

We will embark on this task by first creating an RDS database and managing its credentials through Secrets Manager. Subsequently, we dive into auditing with CloudTrail to maintain a comprehensive and secure AWS environment.

a) Sign in to AWS Management Console and create an RDS MySQL instance.
b) Store a new secret.
c) Verify the secret created.
d) Using CloudTrail to monitor Secrets Manager activity.

Hands-on:

a) Sign in to AWS Management Console and create an RDS MySQL instance.
Log into the AWS management console and in the search box, type RDS then select RDS under services.
In the RDS console, click on Create Database.

In the Create database screen, select the following:
Choose a database creation method: Standard create
Engine type: MySQL
Templates: free tier
In the settings and DB instance class tab, fill in the details as follows:
DB instance identifier: SecretManagerLab (any name)
Master username: admin (any username for your database instance)
Master password: dcVRBrxLbhacVU6 (any password for your instance)
DB instance class: db.t2.micro
Note: Make sure to remember the username and password, or simply paste them into a text file.
In the Storage tab, keep everything as default and make sure to clear the checkbox for Enable storage autoscaling.
In the connectivity tab, make sure that the public access is set to No.
Keep everything else as default. After this click Create Database.

It takes some time for your database to be created.

We’ve created an RDS MySQL instance successfully!

b) Store a new secret.

In the search box, type secrets manager and select secrets manager under services.
In the AWS Secret Manager dashboard, click on Store a new secret.
Now in Secret type, please select Credentials for Amazon RDS database and enter the following details:
User name: (username of our database instance, here we used admin)
Password: (password of our db instance, here we used dcVRBrxLbhacVU6)
Encryption key: (keep it as default)
Select the database instance you created in the previous step, (named SecretManagerLab) and click next.
On the next screen, give the secret any name (we use LabSecret) and keep everything else as default. Click Next.

Secret ‘LabSecret’ has been stored with Secrets Manager.

c) Verify the secret created.

Once the secret is created and rotation is configured, click on the secret name [LabSecret].
Now click on the Retrieve secret value button.
We can see the details of our secret value, including the password.

d) Using CloudTrail to monitor Secrets Manager activity.

Search for CloudTrail in the search then select it under services.
Under Lookup attributes, select Event name and enter GetSecretValue as the event name.

You can see the user name of every principal that tried to access the secret, along with the event time.

AWS Secrets Manager is a service provided by Amazon Web Services (AWS) that helps you manage and protect sensitive information such as passwords, API keys, and other credentials. It allows you to securely store, access, and rotate these secrets, reducing the risk of unauthorized access and improving overall security for your applications and services.

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
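The lookup in step d returns one row per GetSecretValue call, built from the fields the CloudTrail post above lists (caller identity, event time, source IP address, request parameters). The added Python example below, which is not code from the original posts, produces that same view offline by parsing constructed records in the CloudTrail log file format; the account id, ARNs, addresses and secret names are placeholders.

```python
import json

# Constructed records in the shape CloudTrail writes to S3 (a JSON object with a
# "Records" array); not taken from a real trail. Account id, ARNs and addresses
# are placeholders from documentation ranges.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
     "eventTime": "2024-01-15T10:02:11Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"secretId": "LabSecret"},
     "responseElements": None},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
     "eventTime": "2024-01-15T10:05:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "requestParameters": None,
     "responseElements": None},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123def456"},
     "eventTime": "2024-01-15T11:17:03Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"secretId": "LabSecret"},
     "responseElements": None},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"},
     "eventTime": "2024-01-15T23:48:55Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.200", "requestParameters": {"secretId": "ProdDbSecret"},
     "responseElements": None, "errorCode": "AccessDeniedException",
     "errorMessage": "User is not authorized to perform: secretsmanager:GetSecretValue"},
]})


def secret_access_events(log_file_json, secret_name=None):
    """One row per GetSecretValue call: who, when, from where, which secret, and
    whether the call was denied. Optionally restricted to a single secret."""
    rows = []
    for rec in json.loads(log_file_json)["Records"]:
        if rec.get("eventName") != "GetSecretValue":
            continue
        params = rec.get("requestParameters") or {}   # may be null in some records
        secret_id = params.get("secretId")
        if secret_name is not None and secret_id != secret_name:
            continue
        ident = rec.get("userIdentity", {})
        rows.append({
            "time": rec["eventTime"],
            # IAM users carry userName; role sessions are identified by the STS ARN
            "who": ident.get("userName") or ident.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "secret": secret_id,
            "denied": "errorCode" in rec,
        })
    return rows


def denied_reads(rows):
    """Failed retrievals are the first thing to review: someone asked for a
    secret they were not allowed to read."""
    return [r for r in rows if r["denied"]]


if __name__ == "__main__":
    for row in secret_access_events(SAMPLE_LOG_FILE):
        print(row)
```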

This brings us to the end of this demo. Make sure to tear down everything you created.

If you have any questions concerning this article or have an AWS project that requires our assistance, please leave a comment below or email us at sales@accendnetworks.com.

Thank you!


How To Filter Traffic with AWS Web Application Firewall – Part One

AWS Web Application Firewall WAF

What is AWS Web Application Firewall?

AWS Web Application Firewall is a web application firewall that helps you protect your web applications against common web exploits that might affect availability and compromise security.

WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others.

How does it work?

By deploying a WAF for a web application, a shield is placed between the web application and the internet. WAF is a reverse proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic.

AWS WAF can be used to control how resources such as an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer (ALB), or AWS AppSync GraphQL API respond to web requests.

AWS WAF components

Web ACLs — A web access control list (web ACL) is used to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and specify how to handle requests that match the criteria. The web ACL’s default action indicates whether to block or allow requests that do not match any of its rules. A web ACL is an AWS WAF resource.
Rules — Rules contain a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, it is a match. We can use rules to block or allow matching requests, or simply to count them.
Rule groups — You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use; you can also define your own rule groups.
Priority of rules — If we define more than one rule in a web ACL, AWS WAF evaluates each request against the rules in order based on the priority value, processing rules with lower priority values first. The priorities need not be consecutive, but they must all be different.
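An added Python example (not AWS WAF code) that models the evaluation order just described: rules are visited in ascending priority value, a BLOCK or ALLOW match ends evaluation, a COUNT match is recorded and evaluation continues, the default action applies when nothing matches, and duplicate priorities are rejected. The IP set, the country code XX and the rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    priority: int                    # lower value is evaluated first
    action: str                      # "BLOCK", "ALLOW" or "COUNT"
    matches: Callable[[dict], bool]  # stands in for the rule statement


@dataclass
class WebACL:
    default_action: str              # "ALLOW" or "BLOCK"
    rules: list


def evaluate(acl, request):
    """Return (final action, names of COUNT rules that matched, terminating rule).
    A BLOCK or ALLOW match ends evaluation; COUNT only records the match."""
    priorities = [r.priority for r in acl.rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities within a web ACL must be unique")
    counted = []
    for rule in sorted(acl.rules, key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)   # counting never stops evaluation
            continue
        return rule.action, counted, rule.name
    return acl.default_action, counted, None


# Constructed web ACL: a trusted IP set (documentation range), a geo-match block
# list with the placeholder country code XX, and a count-only rule on the admin
# path. The default action allows whatever no rule matched.
TRUSTED_IP_SET = [ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_COUNTRIES = {"XX"}


def from_trusted_ip(req):
    addr = ipaddress.ip_address(req["source_ip"])
    return any(addr in net for net in TRUSTED_IP_SET)


DEMO_ACL = WebACL(default_action="ALLOW", rules=[
    Rule("allow-trusted-ips", 0, "ALLOW", from_trusted_ip),
    Rule("block-countries", 10, "BLOCK", lambda r: r["country"] in BLOCKED_COUNTRIES),
    Rule("count-admin-path", 20, "COUNT", lambda r: r["uri_path"].startswith("/admin")),
])


if __name__ == "__main__":
    for req in ({"source_ip": "198.51.100.9", "country": "XX", "uri_path": "/admin/login"},
                {"source_ip": "203.0.113.5", "country": "XX", "uri_path": "/"},
                {"source_ip": "203.0.113.5", "country": "US", "uri_path": "/admin"}):
        print(req, "->", evaluate(DEMO_ACL, req))
```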

AWS Managed Rule groups

AWS WAF Bot Control — Protects against automated bots, provides additional visibility through CloudWatch, and generates labels that you can use to control bot traffic to your applications (paid rule group, capacity 50).

Free rule groups

Admin protection — Contains rules that allow blocking external access to admin pages
Amazon IP reputation list — Contains rules based on Amazon threat Intelligence. Useful if you want to block sources associated with bots or other threats
Anonymous IP list — Used to filter out viewers that may try to hide their identity from your applications (e.g. block requests from VPN, proxies, Tor nodes, and hosting providers)
Core rule set — Generally applicable to web applications. This protects a wide range of vulnerabilities, including those described in OWASP publications
Known bad inputs — Rules that block request patterns that are known to be invalid and associated with exploitation.
Linux operating system — Rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, helping prevent file content exposure and code execution by attackers.

Custom rules can be created to block, allow, or count traffic that:

  • Originates from a country
  • Originates from a CIDR range
  • Carries a specific header, URI path, or body

You can also set the web ACL’s default action for traffic that does not match any of its rules.

IP Set: An IP set provides a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.

AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive.

Web ACL $5.00 per month
Rule $1.00 per month
Request $0.60 per 1 million requests (for inspection up to 1500 WCUs)

AWS WAF web ACL capacity units (WCUs)

Every rule has a relative cost. AWS WAF calculates rule capacity when you create or update a rule, and it calculates capacity differently for each rule type.

Rule group WCUs

The WCU requirements for a rule group are determined by the rules that you define inside the rule group. The maximum capacity for a rule group is 5,000 WCUs.

Conclusion

AWS WAF provides a managed solution to protect your web applications against common exploits and vulnerabilities. By leveraging WAF’s advanced rulesets and integration with services like Application Load Balancer, you can effectively filter malicious web traffic while allowing legitimate users access.

Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!