I recently had cause to do some auditing of a pre-built AWS environment. The lazy guy in me tried out some free tools to speed things up.
First up was Security Monkey. This was made by Netflix. It can be found on their GitHub: https://github.com/Netflix/security_monkey. It's actually really well documented, and I just followed their setup guide verbatim - I had a working setup in about half an hour, and good visibility of the AWS account and some suggested vulnerabilities.
Whilst it is definitely useful for a one-time audit, it seems to excel at continuous monitoring. With Security Monkey you have the ability to add comments and justifications to issues it found - so if you have something it considers a flaw, but you're aware of it and have mitigated it in other ways, you can justify it and it will stop moaning. It re-scans the environment every 15 minutes or something, so it keeps you constantly up to date as changes are made.
The detail you can find in Security Monkey is great - but I didn't find the UI all that intuitive. It took me a while to figure out how to navigate around and find what I was looking for. Once I got used to it, it was perfectly fine though.
Next I tried Scout 2 - not because Security Monkey was inadequate, I just wanted a second opinion.
This can also be found on GitHub - https://github.com/nccgroup/Scout2
I didn't find their documentation quite as detailed as Security Monkey's, so I took some notes as I set it up - the basic order of events was:
- Create a policy called Scout2 in IAM in the account you are going to be interrogating. Make up your own if you like, or just use the one provided in the GitHub repo - https://github.com/nccgroup/AWS-recipes/blob/master/IAM-Policies/Scout2-Default.json
- Create a user in the same account, with access type programmatic. It won't need management console access. Save the keys somewhere safe.
- Attach the policy to the account.
- Stand up an EC2 - I just used a t2.micro using the Amazon image, it was plenty sufficient. It can be in any account - it's just going to use the API to access stuff. You don't even need an EC2 to be honest, you can just use the AWS API on your local machine. Use a decent security group, allowing HTTP and SSH from your IP only.
- Run through the following sequence on the EC2:
- sudo apt-get update
- sudo apt-get install python-pip
- pip install scout2
- echo "accesskey,secretaccesskey" >> ~/creds.csv
- Scout2 --csv-credentials creds.csv --regions eu-west-1 (obviously change the regions as you require)
- sudo apt-get install apache2
- sudo systemctl start apache2
- sudo mv scout2-report/ /var/www/html/
At this point you should be able to browse to the server over HTTP and see the report.
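The creds.csv step above drops long-lived IAM keys into a plain file on the scanning host, so here is an added shell example (mine, not from the post or the Scout2 project) that writes that file with owner-only permissions, rejects keys that don't match the expected 20/40-character shape before any scan runs, and removes the file once the report has been published. The two key values used in the comments are AWS's documentation placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the original post.
# write_creds FILE ACCESS_KEY_ID SECRET_ACCESS_KEY
# Writes the one-line CSV that Scout2 reads, created 0600 from the start.
# Returns 0 on success, 1 if either key looks malformed.
write_creds() {
  file=$1; akid=$2; secret=$3
  # Long-term IAM access key IDs are 20 upper-case alphanumerics.
  if ! printf '%s' "$akid" | grep -Eq '^[A-Z0-9]{20}$'; then
    echo "access key id does not look valid" >&2
    return 1
  fi
  # Secret access keys are 40 base64-style characters.
  if ! printf '%s' "$secret" | grep -Eq '^[A-Za-z0-9/+]{40}$'; then
    echo "secret access key does not look valid" >&2
    return 1
  fi
  # umask 077 inside a subshell so the file is never world-readable,
  # even for the instant between creation and a later chmod.
  ( umask 077 && printf '%s,%s\n' "$akid" "$secret" > "$file" )
  chmod 600 "$file"
}

# creds_mode FILE prints the permission string, e.g. -rw-------
creds_mode() {
  ls -l "$1" | cut -c1-10
}

# run_scout REGION FILE: the scan and publish steps from the post, with the
# credentials file deleted afterwards so the keys do not linger on the box.
# Usage (example keys are AWS documentation placeholders):
#   write_creds "$HOME/creds.csv" AKIAIOSFODNN7EXAMPLE \
#       wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
#   && run_scout eu-west-1 "$HOME/creds.csv"
run_scout() {
  region=$1; file=$2
  Scout2 --csv-credentials "$file" --regions "$region"
  sudo mv scout2-report/ /var/www/html/
  rm -f "$file"
}
```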
I quite liked the view in Scout2. It picked up a few different things to Security Monkey, and presented them in a different format.
Both of these products were decent - they both have their uses and I would definitely use them both for auditing again in the future. Obviously you still need some common sense and knowledge to review what they're presenting to you, but for a quick starter for ten it saves a lot of digging around the AWS dashboard to review all the configurations.
There are plenty of other tools to be found on Google and they all have their merits - there are also a number of useful tools provided by AWS themselves which aren't to be dismissed.