SecOps with Security Monkey

Cloud Security


If you work on cloud technologies, and specifically on AWS security, the first questions you get asked are about security, data safety and cost effectiveness. Companies in the financial or healthcare sectors additionally worry about whether cloud technologies are workable for them at all.

Based on my considerable experience and battle scars, I would recommend looking at Security Monkey, which we open sourced on 6/30/2014.

Security Monkey has been an invaluable tool that I have ended up using every day over the last year. Referenced here is my Chrome browser history, reflecting my usage statistics:

TIP: script to import Chrome browser history into Elasticsearch: https://github.com/nagwww/chrome-history

What is Security Monkey?

Security Monkey is an open-source application from Netflix (NetflixOSS) that monitors one or more AWS accounts for policy changes and insecure configurations, alerts on them, and reports them.

Here are some common scenarios where Security Monkey helps, especially in a multi-account AWS environment:

Security groups are virtual firewalls: every EC2 instance must be launched with at least one security group.

Security Monkey monitors security groups across multiple AWS accounts and:

  • Generates an audit report of all the issues (e.g. security groups wide open to the internet with ingress from 0.0.0.0/0).
  • Creates an email alert when a security group changes, which comes in handy in a PCI/SOX/HIPAA-regulated environment; the alert can also go directly to your internal auditor or change control management team.
  • Alerts you when a user/developer adds 0.0.0.0/0 to a security group.
  • Searches for particular IP/CIDR blocks, which is really helpful when you have multiple AWS accounts.
  • Helps you identify the security group name given the security group ID. This is helpful because, for cross-account security group access, AWS no longer shows the security group name, only the ID.
  • Historical information: Security Monkey acts as source control for your security groups. For instance, to know the state of a security group a month ago, you can go back and diff it against the current state.
  • Alerts when a new security group is created.
  • Helps locate a security group that no longer exists in AWS, whether it was deleted knowingly or unknowingly.
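The following is an added example, not Security Monkey's own code, of the checks the bullets above describe. It works on the JSON shape that EC2's DescribeSecurityGroups returns: it flags ingress rules open to the whole internet, searches every group for a CIDR block, and diffs a snapshot taken a month ago against the current one, reporting new, deleted and modified groups the way a source-control diff would. Both snapshots, the group IDs and the account ID 111122223333 are constructed for the example.

```python
"""Audit security-group snapshots for open ingress, search them by CIDR, and diff them."""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed snapshots in the shape of EC2 DescribeSecurityGroups["SecurityGroups"].
# Group IDs and the account ID 111122223333 are made up for this example.
SNAPSHOT_MONTH_AGO = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},   # SSH from the office range only
    ]},
    {"GroupId": "sg-0ba7c400", "GroupName": "legacy-batch", "IpPermissions": []},
]
SNAPSHOT_NOW = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # someone widened SSH to the internet
    ]},
    {"GroupId": "sg-0dbc0de1", "GroupName": "db-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         # cross-account reference: AWS shows only the group ID, not its name
         "UserIdGroupPairs": [{"UserId": "111122223333", "GroupId": "sg-0a1b2c3d"}]},
    ]},
]


def ingress_rules(group):
    """Flatten IpPermissions into a set of (protocol, from_port, to_port, source) tuples."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        frm, to = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" perms carry no ports
        for r in perm.get("IpRanges", []):
            rules.add((proto, frm, to, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, frm, to, r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.add((proto, frm, to, f"{pair.get('UserId', '')}/{pair['GroupId']}"))
    return rules


def audit_open_ingress(groups):
    """One finding per ingress rule whose source is the entire IPv4 or IPv6 internet."""
    return [f"{g['GroupId']} ({g['GroupName']}): {proto} {frm}-{to} open to {src}"
            for g in groups for proto, frm, to, src in sorted(ingress_rules(g)) if src in WORLD]


def find_cidr(groups, cidr):
    """Return (group_id, proto, from, to, source) for every rule whose source overlaps `cidr`.

    0.0.0.0/0 overlaps every IPv4 block, so world-open rules match any IPv4 search; that is
    intended, since such a rule really does admit the block you searched for."""
    target = ipaddress.ip_network(cidr)
    hits = []
    for g in groups:
        for proto, frm, to, src in sorted(ingress_rules(g)):
            try:
                net = ipaddress.ip_network(src)
            except ValueError:
                continue  # a security-group reference, not a CIDR
            if net.version == target.version and net.overlaps(target):
                hits.append((g["GroupId"], proto, frm, to, src))
    return hits


def diff_snapshots(old, new):
    """Source-control style diff: new/deleted groups, then added/removed rules per surviving group."""
    old_by_id = {g["GroupId"]: g for g in old}
    new_by_id = {g["GroupId"]: g for g in new}
    report = []
    for gid in sorted(new_by_id.keys() - old_by_id.keys()):
        report.append(f"+ new group {gid} ({new_by_id[gid]['GroupName']})")
    for gid in sorted(old_by_id.keys() - new_by_id.keys()):
        report.append(f"- deleted group {gid} ({old_by_id[gid]['GroupName']})")
    for gid in sorted(old_by_id.keys() & new_by_id.keys()):
        before, after = ingress_rules(old_by_id[gid]), ingress_rules(new_by_id[gid])
        report.extend(f"+ {gid} ingress {rule}" for rule in sorted(after - before))
        report.extend(f"- {gid} ingress {rule}" for rule in sorted(before - after))
    return report


if __name__ == "__main__":
    print("\n".join(audit_open_ingress(SNAPSHOT_NOW)))
    print("\n".join(diff_snapshots(SNAPSHOT_MONTH_AGO, SNAPSHOT_NOW)))
```

Against real data you would feed `diff_snapshots` two stored copies of the DescribeSecurityGroups output; the diff of the constructed snapshots shows exactly the change the alert bullets are about, SSH widened from 10.20.0.0/16 to 0.0.0.0/0, alongside one group created and one deleted.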

Amazon S3 provides a simple web services interface to store and retrieve any amount of data for a wide variety of purposes: hosting, storage, backup, archiving, etc.

Security Monkey monitors S3 buckets across multiple AWS accounts and:

  • Acts as source control for your S3 bucket policies, ACLs and lifecycle rules.
  • Generates an audit report of all current issues (e.g. S3 buckets that are accessible to everyone, shared with unknown AWS accounts, or granted access through conditional statements).
  • Creates an email alert when an S3 bucket is added or deleted.
  • S3 resource policies grant fine-grained access to buckets and objects. All ACLs and policies are stored in Security Monkey, which alerts when they change; this comes in handy when you have sensitive buckets and want to monitor them for changes.
  • Tracks S3 buckets for bucket-level encryption.
  • Tracks bucket versioning.
  • Tracks the lifecycle configuration of a bucket. Lifecycle rules automatically archive or delete S3 objects based on predefined rule sets.
  • Compares S3 ACLs and bucket policies against the last check and alerts when a bucket is publicly accessible. Here is a good read on thousands of S3 buckets left open and exposing private data: https://www.helpnetsecurity.com/2013/03/27/thousands-of-amazon-s3-buckets-left-open-exposing-private-data/

AWS Identity and Access Management (IAM) lets you securely control access to AWS services and resources for your users. Security Monkey:

  • Generates a report of all active IAM users with active access keys.
  • Lists all active access keys that have not been rotated in the last 90 days.
  • Lists all inactive access keys, which can be cleaned up.
  • Lists all active keys that were not used in the last 90 days.
  • Lists IAM users who have AWS console access but no MFA enabled. A good read on an AWS console breach: http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/
  • Alerts when an IAM role has full admin privileges.
  • Finally, acts as source control for all IAM policies attached to users and roles.
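Every key-hygiene and MFA bullet above can be answered from one artifact, the IAM credential report (a CSV you obtain with `aws iam generate-credential-report` and `aws iam get-credential-report`). The block below is an added example, not Security Monkey's code, that parses such a report and produces those lists. The report text is constructed and trimmed to the columns the checks read (a real report carries more); the account ID, user names and timestamps are made up, and "now" is pinned to 2016-06-30 so the results are reproducible.

```python
"""Parse an IAM credential report (CSV) and list key-hygiene and console-MFA findings."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report, trimmed to the columns the checks read. Real reports come from
# `aws iam generate-credential-report` / `get-credential-report` and carry more columns.
REPORT_CSV = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2016-05-01T09:12:00+00:00,2016-06-20T11:03:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2015-11-02T08:00:00+00:00,2016-06-29T17:45:00+00:00,true,2016-05-30T10:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2016-01-10T00:00:00+00:00,2016-02-01T12:00:00+00:00,false,2014-07-01T00:00:00+00:00,2015-01-01T00:00:00+00:00
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2016, 6, 30, 23, 59, 59, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _keys(row):
    """Yield (slot, is_active, last_rotated, last_used) for both access-key slots of a row."""
    for slot in ("1", "2"):
        yield (slot,
               row[f"access_key_{slot}_active"] == "true",
               _ts(row[f"access_key_{slot}_last_rotated"]),
               _ts(row[f"access_key_{slot}_last_used_date"]))


def users_with_active_keys(rows):
    """Every user (root included, if applicable) that has at least one active access key."""
    return sorted(r["user"] for r in rows if any(k[1] for k in _keys(r)))


def stale_active_keys(rows, now=NOW, max_age=MAX_AGE):
    """Active keys not rotated within max_age: (user, slot, age_in_days)."""
    return [(r["user"], slot, (now - rotated).days)
            for r in rows for slot, active, rotated, _ in _keys(r)
            if active and rotated is not None and now - rotated > max_age]


def inactive_keys(rows):
    """Keys that exist (have a rotation date) but are inactive: deletion candidates."""
    return [(r["user"], slot) for r in rows for slot, active, rotated, _ in _keys(r)
            if not active and rotated is not None]


def unused_active_keys(rows, now=NOW, max_age=MAX_AGE):
    """Active keys never used, or not used within max_age: (user, slot, days or 'never')."""
    return [(r["user"], slot, "never" if used is None else (now - used).days)
            for r in rows for slot, active, _, used in _keys(r)
            if active and (used is None or now - used > max_age)]


def console_users_without_mfa(rows):
    """Users who can sign in to the console without MFA. The root row reports password_enabled
    as not_supported (root always has a password), so it is included by name."""
    return sorted(r["user"] for r in rows
                  if (r["password_enabled"] == "true" or r["user"] == "<root_account>")
                  and r["mfa_active"] != "true")


if __name__ == "__main__":
    rows = parse_report(REPORT_CSV)
    print("stale keys:", stale_active_keys(rows))
    print("unused keys:", unused_active_keys(rows))
    print("console without MFA:", console_users_without_mfa(rows))
```

A key with an access_key_N_last_rotated value but access_key_N_active of false is a key that still exists; the inactive-key list is built from that, while a slot whose rotation date is N/A is simply empty and is not reported. An active key whose last-used date is N/A has never been used since creation, which is why it appears in the unused list as "never".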

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple EC2 instances, giving your applications fault tolerance and the load balancing capacity needed to route application traffic. Security Monkey:

  • Alerts when an ELB is internet facing.
  • Alerts when ELB access logging is not enabled.
  • Alerts when deprecated ciphers are enabled in an ELB's SSL policy.
  • Lists the weak ciphers, if any are enabled in the ELB policy.

SES (Simple Email Service) uses verified email addresses and domains to determine who can send mail through the service. Security Monkey:
  • Monitors SES identities to make sure only valid company email addresses are configured as verified.
  • Lists all SES identities that are not verified and can be cleaned up.

Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, fully managed message queuing service. SQS was the first AWS service to be released; yes, it is quite old, and it is still great if you are working with distributed processing. Security Monkey:
  • Alerts when an SQS queue has a policy granting access to everyone (open to the world).
  • Notifies when the SQS policy changes.
  • Historical information: Security Monkey acts as source control for SQS resource policies. To know the state of a policy a month ago, you can go back and diff it against the current state.
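The S3 and SQS checks described above share one engine: both services attach an IAM resource policy, and an S3 bucket additionally has an ACL. The block below is an added example, not Security Monkey's code, serving both sections. It evaluates a policy for statements that grant to everyone, for statements that do so only behind a Condition (the "conditional statements" case in the S3 audit bullet), and for principals from accounts you do not own; it flags ACL grants to the AllUsers and AuthenticatedUsers groups; and it diffs a policy against its stored previous version to produce the body of a change alert. The bucket name, queue name, account IDs, VPC endpoint ID and canonical user ID are all constructed, and KNOWN_ACCOUNTS is an assumed list of the accounts you own.

```python
"""Audit S3 bucket / SQS queue resource policies and S3 ACLs for public or unknown-account
access, and diff a policy against its previous version."""
import difflib
import json

# Assumed: the AWS account IDs you own. Any other account in a Principal is "unknown".
KNOWN_ACCOUNTS = {"111122223333", "444455556666"}
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*" or {"AWS": [...], "Service": ..., "Federated": ...}) to strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def _account_of(principal):
    """Account ID from 'arn:aws:iam::123456789012:...' or a bare 12-digit ID; None otherwise."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[4].isdigit() else None


def audit_resource_policy(resource, policy_json):
    """Findings as (resource, statement_index, kind, who). kind is PUBLIC (Principal * and no
    Condition), conditional-public (Principal * narrowed by a Condition) or unknown-account."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:
            # Allow + NotPrincipal grants to everyone except those listed: treat as public.
            findings.append((resource, i, "PUBLIC", "NotPrincipal"))
        for p in _principals(st):
            if p == "*":
                kind = "conditional-public" if st.get("Condition") else "PUBLIC"
                findings.append((resource, i, kind, "*"))
            else:
                account = _account_of(p)
                if account and account not in KNOWN_ACCOUNTS:
                    findings.append((resource, i, "unknown-account", account))
    return findings


def audit_acl(bucket, grants):
    """Flag S3 ACL grants to AllUsers/AuthenticatedUsers (shape of GetBucketAcl 'Grants')."""
    return [(bucket, g["Permission"], g["Grantee"]["URI"].rsplit("/", 1)[1])
            for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def policy_diff(previous_json, current_json):
    """Canonicalise both policies and return unified-diff lines; an empty list means no change."""
    def canon(text):
        return json.dumps(json.loads(text), indent=2, sort_keys=True).splitlines()
    return list(difflib.unified_diff(canon(previous_json), canon(current_json),
                                     "previous", "current", lineterm=""))


# Constructed inputs: bucket, queue, account IDs, VPC endpoint and canonical user IDs are made up.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-static-site/*"},
    {"Sid": "PartnerUpload", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-static-site/uploads/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::acme-static-site",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}}},
    {"Sid": "LogDelivery", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-static-site/logs/*"},
]})
BUCKET_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
QUEUE_POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Producers", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"}]})
QUEUE_POLICY_AFTER = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Producers", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"}]})

if __name__ == "__main__":
    print(audit_resource_policy("acme-static-site", BUCKET_POLICY))
    print(audit_acl("acme-static-site", BUCKET_ACL_GRANTS))
    print("\n".join(policy_diff(QUEUE_POLICY_BEFORE, QUEUE_POLICY_AFTER)))
```

Canonicalising the JSON (sorted keys, fixed indentation) before diffing matters: AWS returns policies as a single line whose key order may differ from what you uploaded, and without normalisation every fetch would look like a change. Service principals such as cloudtrail.amazonaws.com carry no account ID and are deliberately not reported as unknown accounts.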

Compliance and auditing is a recurring process that you want to automate as much as you can. Here are a few use cases from PCI DSS 3.2 where Security Monkey comes in handy:

Daily audit reports generated by Security Monkey


Setting up Security Monkey

Step 1: Launch an EC2 instance.

Step 2: Create two IAM roles, SecurityMonkey and SecurityMonkeyInstanceProfile, using https://github.com/Netflix/security_monkey/blob/develop/scripts/secmonkey_role_setup.py

Step 3: Install Security Monkey with

sudo docker run -e "mail=awsalerter@gmail.com" -e "host=ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com" -i -t -p 443:443 -p 5000:5000 "nagwww/securitymonkey:v1" /usr/local/src/securitymonkey.sh

More info,