100 Days of DevOps — Day 42-Audit your AWS Environment

Prashant Lakhera
Mar 24, 2019 · 5 min read

Welcome to Day 42 of 100 Days of DevOps, Focus for today is Audit your AWS Environment.

On Day 40 I discussed AWS config which is used to meet your compliance need, today let discuss how you can Audit your AWS environment using tools like

  • AWS Trusted Advisor
  • Scout2

What is AWS Trusted Advisor

AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.

Go to Trusted Advisor → https://console.aws.amazon.com/trustedadvisor
Green: No issue or concern found
Yellow: Investigation is recommended
Red: Critical action recommended
  • If you further expand the Trusted Advisor page and explore the details, anything which is not in red will list the criteria for details and recommended actions
  • Open the security group, which is highlighted in red
  • Change the Port 21 to only listen to your company IP range
  • Refresh the security advisor and as you can see port 21 is no longer appear

NOTE: You can only refresh the status every 5 min, so if the refresh button is greyed out please wait for 5 min.

This is the simple example of how you can use Trusted Advisor to fix security issues.

Similarly, you can look for other security recommendation and fixed it

Scout2

One other tool I will highly recommend everyone to use is Scout2 as it gives you much more detailed information for auditing purpose.

  • Installation is pretty straightforward
pip install awsscout2
  • Export your keys
export AWS_ACCESS_KEY_ID=" "
export AWS_SECRET_ACCESS_KEY=" "
  • Run it
# Scout2Fetching IAM config...groups           policies              roles              users  credential_report    password_policy3/3              48/48              40/40                2/2                1/1                1/1Fetching Route53Domains config...domains1/1Fetching SES config...regions         identities3/3                0/0Fetching RDS config...regions   parameter_groups          instances          snapshots    security_groups      subnet_groups14/14                2/2                0/0                0/0              14/14                1/1Fetching CloudTrail config...regions             trails14/14              57/57Fetching ELB config...regions               elbs14/14                0/0Fetching EFS config...regions       file_systems6/6                0/0Fetching ELBV2 config...regions                lbs       ssl_policies14/14                1/1                7/7Fetching CloudWatch config...regions             alarms14/14                2/2Fetching Lambda config...regions          functions14/14                3/3Fetching RedShift config...regions   parameter_groups           clusters    security_groups14/14                0/0                0/0                0/0Fetching S3 config...bucketsFailed to get encryption configuration for cloudwatch-to-s3-logs: 'S3' object has no attribute 'get_bucket_encryption'1/11Failed to get encryption configuration for mytests3bucketforcloudtrail: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for s3-event-notification-topic-mydemo-bucket: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for my-tf-test-bucket-terraform-12345676: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for s3-cloudtrail-bucket-with-terraform-code: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for config-bucket-349934551430: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for mys3bucket-withkms-serverside-encryption: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for mytestcloudtrailbucketforevent: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for mys3kmsbuckettestforencryption: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for testingcloudtraillogfilevalidationbucket: 'S3' object has no attribute 'get_bucket_encryption'Failed to get encryption configuration for mytestkmsbuckettest: 'S3' object has no attribute 'get_bucket_encryption'11/11Fetching CloudFormation config...regions             stacks14/14                1/1Fetching SQS config...regions             queues14/14                0/0Fetching EC2 config...regions          instances          snapshots network_interfaces            volumes    security_groups14/14                4/4              38/38              11/11                7/7              30/30Fetching VPC config...regions            subnets       route_tables       vpn_gateways               vpcs  customer_gateways       network_acls    vpn_connections          flow_logs peering_connections14/14              48/48              18/18                0/0              16/16                0/0              16/16                0/0                2/2                0/0Fetching EMR config...regions           clusters14/14                0/0Fetching Direct Connect config...regions        connections14/14                0/0Fetching ElastiCache config...regions           clusters    security_groups14/14                0/0                0/0Fetching Route53 config...hosted_zones2/2Fetching SNS config...regions             topics      subscriptions14/14                5/5                4/4Processing CloudTrail config...Matching EC2 instances and IAM roles...'subnets'Path: ['services', u'vpc', u'regions', u'us-west-2', u'flow_logs']Key = flow_logsValue = fl-03eca4e646e3ce517Path = []Saving data to scout2-report/inc-awsconfig/aws_config.jsSaving config...File 'scout2-report/inc-awsconfig/aws_config.js' already exists. Do you want to overwrite it (y/n)? ySaving data to scout2-report/inc-awsconfig/exceptions.jsSaving config...File 'scout2-report/inc-awsconfig/exceptions.js' already exists. Do you want to overwrite it (y/n)? yCreating scout2-report/report.html ...File 'scout2-report/report.html' already exists. Do you want to overwrite it (y/n)? yOpening the HTML report...
  • In the end, you will get the nice UI interface
  • For eg: If I click on EC2 and further drill down, similar to Trusted Advisor(you will see Green, Orange and Red)
  • If you further drill down it will give you the detailed information

NOTE: As per the GitHub link Scout2 project is now migrated to ScoutSuite

Looking forward from you guys to join this journey and spend a minimum an hour every day for the next 100 days on DevOps work and post your progress using any of the below medium.

Reference

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade