Security Policies for AWS

by Joe Kinsella

Today we are launching the beta of an exciting new feature at CloudHealth: Security Policies for AWS. This feature is our answer to the many challenges our customers confront with managing security in the fast-paced cloud environment. While our customers receive many advantages from the cloud — agility, consumption-based pricing, global infrastructure, platform services — its fast pace of change and distributed nature can expose organizations to security risk resulting from mistaken or non-compliant changes.

We believe our beta of CloudHealth Security Policies for AWS will provide critical functionality in managing your security. This initial beta includes core features required to better manage security configuration within AWS. These include:

  • Policy-driven security monitoring — We believe a policy-driven approach to monitoring security provides the most scalable, configurable and flexible solution to security management. All our security monitoring (a.k.a. “checks”) will be available via our policy feature.
  • Default best practice policy — We are providing an out of the box default security policy that incorporates best practices based on both AWS and CloudHealth recommendations. The number of policy rules in this initial beta will intentionally be limited, but will substantially expand as the beta continues. This default policy can be modified within constraints to customize for your organization (e.g. turn policy rules on or off, customize the rules), and you can author your own custom security policies.
  • Recommendations — Each of our recommendations includes a summary of the issue, the recommended action, links to supporting documentation, and a list of resources that are violating the policy. Our goal is to provide you everything you need to quickly take action.
  • Recommendation management — Upon viewing a specific recommendation, you can choose to exclude certain resources from specific policy rules. For example, if you have an IAM user that should be excluded from the MFA policy, you can ignore this user and it will be excluded from future monitoring by this policy rule.

Getting Started

To use the feature, just go to Setup > Governance > Policies and edit the new policy called AWS Best Practice Security. In the upper right corner you can enable this policy by switching the status to Enabled and saving the policy. Once enabled, CloudHealth will begin monitoring your AWS resources based on the default policy and will automatically provide you recommendations.

Upon enabling the default policy for the first time, you will need to wait up to an hour before you will be able to view the recommendations. After this, however, you will receive recommendations daily.

Reviewing Security Recommendations

To view your recommendations, go to Recommendations > Security Recommendations. This will provide a summary of the health of your AWS security. The recommendations will provide the severity of the issue, the policy block being evaluated, and a brief summary of the monitoring results. Please note that we have expanded our severities to include the following: Critical, High, Medium, Low and None. Also as noted previously, the list of available policy rules is intentionally limited for this initial beta to instead focus on the overall experience of managing security through policies.

If we look at the first example below, we can see we have 4 AWS accounts that are violating our Root Account API Access policy. The AWS root account has unrestricted privileges that cannot be constrained by IAM policies, so Amazon strongly recommends never creating access keys for it and using IAM users or roles for API access instead. To get additional information on this recommendation, click on the severity icon to expand it.

The Description provides additional detail on the policy rule, Recommended Actions will provide advice on how you should handle violations of this policy, and Additional Help will provide links to supporting documentation for this policy.

The Affected Resources table provides a list of all resources violating the policy. In this case we can see four AWS accounts that have API access enabled (i.e. active access keys) for the root account. You can click on any hyperlinked detail for a resource to be brought to a resource page that provides additional information. If there is a known reason for a resource violating a policy (e.g. this is a test account with no production infrastructure), you can choose to Exclude the resource (in this case an AWS account) from future checks. Please note that once a resource is excluded, it can currently only be re-included by editing the policy (we will simplify this in a future beta).

To send the recommendations via email to someone in your organization, just click Subscribe and configure the frequency and people you would like to receive the report.

Editing the Default Policy

At the top of the Security Recommendations report you can click Edit Policy to make changes to the policy. The policy AWS Best Practice Security is the first of what we are calling default policies. A default policy is managed by CloudHealth, and will be updated periodically with additional best practices that benefit all our customers. The policy is arranged so that each policy block contains a specific rule that checks for compliance with a best practice. Each rule is assigned a recommended severity.

While the AWS Best Practice Security policy is a default policy, you can still make certain changes. These include:

  • Enable / disable — You can turn the default policy on or off. By default our policy is turned off, and thus will not actively monitor your environment.
  • Severity — You can change the severity of a rule to better fit your environment.
  • Include resources — If you excluded resources from your policy (e.g. ignored an AWS account for the Root Account API Access check), you can re-include these resources in future checks.
  • Configure rule — In some cases a policy rule might need to be configured to better reflect your policy. For example, we provide a default policy rule that ensures no IAM Server Certificate expires within the next 30 days. If you want to change this window to 90 days, you can edit the rule and modify its settings.
  • Actions — If you would like to automatically trigger an action upon a policy violation (e.g. disable an IAM user), you can add your own actions here. Future versions of our default policy will include recommended actions.
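The three rules mentioned above (root account API access, IAM users without MFA with a per-resource exclusion, and IAM server certificate expiry with a configurable window) can be modelled as a small policy engine. The following is an added example, not CloudHealth code or a description of how the CloudHealth product is implemented. The rule names, severities and the `ConsoleAccess` flag are assumptions; the other field names follow what the AWS IAM API returns (GetAccountSummary, ListMFADevices, ListServerCertificates), but all the data below is constructed so the script runs offline.

```python
"""Policy-driven AWS security checks over constructed, offline data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    rule: str
    severity: str
    resource: str
    summary: str


@dataclass
class Policy:
    # Configurable rule setting: certificate expiry window in days.
    cert_expiry_days: int = 30
    # Per-rule exclusions: rule name -> set of resource identifiers to skip.
    excluded: dict = field(default_factory=dict)
    # Recommended severities, editable per rule (names are assumptions).
    severities: dict = field(default_factory=lambda: {
        "RootAccountAPIAccess": "Critical",
        "IAMUserMFA": "High",
        "IAMServerCertificateExpiry": "Medium",
    })

    def exclude(self, rule, resource):
        self.excluded.setdefault(rule, set()).add(resource)

    def is_excluded(self, rule, resource):
        return resource in self.excluded.get(rule, set())


def check_root_api_access(policy, account_summaries):
    """account_summaries: {account_id: SummaryMap from IAM GetAccountSummary}.
    AccountAccessKeysPresent > 0 means the root user has an access key, i.e.
    programmatic API access for the root account is enabled."""
    rule = "RootAccountAPIAccess"
    findings = []
    for account_id, summary in account_summaries.items():
        if policy.is_excluded(rule, account_id):
            continue
        if summary.get("AccountAccessKeysPresent", 0) > 0:
            findings.append(Finding(rule, policy.severities[rule], account_id,
                                    "root account has an active access key"))
    return findings


def check_user_mfa(policy, users):
    """users: dicts with 'UserName', 'MFADevices' (ListMFADevices result) and a
    constructed 'ConsoleAccess' flag standing in for a successful GetLoginProfile
    call. Flags console (password) users that have no MFA device."""
    rule = "IAMUserMFA"
    findings = []
    for user in users:
        name = user["UserName"]
        if policy.is_excluded(rule, name) or not user.get("ConsoleAccess"):
            continue
        if not user.get("MFADevices"):
            findings.append(Finding(rule, policy.severities[rule], name,
                                    "console user has no MFA device"))
    return findings


def check_cert_expiry(policy, certs, now):
    """certs: ServerCertificateMetadataList entries from ListServerCertificates.
    Flags certificates already expired or expiring within cert_expiry_days."""
    rule = "IAMServerCertificateExpiry"
    deadline = now + timedelta(days=policy.cert_expiry_days)
    findings = []
    for cert in certs:
        name = cert["ServerCertificateName"]
        if policy.is_excluded(rule, name):
            continue
        if cert["Expiration"] <= deadline:
            days = (cert["Expiration"] - now).days
            findings.append(Finding(rule, policy.severities[rule], name,
                                    f"certificate expires in {days} days"))
    return findings


def evaluate(policy, account_summaries, users, certs, now):
    """Run every rule and return findings ordered by severity (Critical first)."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}
    findings = (check_root_api_access(policy, account_summaries)
                + check_user_mfa(policy, users)
                + check_cert_expiry(policy, certs, now))
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample data: not real accounts, users or certificates.
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "111111111111": {"AccountAccessKeysPresent": 1},
    "222222222222": {"AccountAccessKeysPresent": 0},
    "333333333333": {"AccountAccessKeysPresent": 1},
}
USERS = [
    {"UserName": "alice", "ConsoleAccess": True,
     "MFADevices": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/alice"}]},
    {"UserName": "bob", "ConsoleAccess": True, "MFADevices": []},
    {"UserName": "deploy-bot", "ConsoleAccess": False, "MFADevices": []},
    {"UserName": "break-glass", "ConsoleAccess": True, "MFADevices": []},
]
CERTS = [
    {"ServerCertificateName": "www-prod", "Expiration": NOW + timedelta(days=12)},
    {"ServerCertificateName": "api-prod", "Expiration": NOW + timedelta(days=60)},
    {"ServerCertificateName": "legacy", "Expiration": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    policy = Policy()
    policy.exclude("IAMUserMFA", "break-glass")             # the "ignore this user" case
    policy.exclude("RootAccountAPIAccess", "333333333333")  # a known test account
    for f in evaluate(policy, ACCOUNTS, USERS, CERTS, NOW):
        print(f"{f.severity:<8} {f.rule:<28} {f.resource:<14} {f.summary}")
```

Exclusions are keyed per rule, so ignoring `break-glass` for the MFA rule does not hide that user from any other rule, which is the behaviour described for the recommendation management feature. Widening `cert_expiry_days` from 30 to 90 pulls `api-prod` into the findings without touching the rule logic, which is the point of keeping thresholds in the policy rather than in the check.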

One of the powerful features of delivering security recommendations through policies is the flexibility it provides. You can use the new security features in your own policies, by simply choosing the resource you want to author the rule on (e.g. IAM User) and writing your own policies.

What is Coming Next

Since this is the start of our Security Policies for AWS beta, you can expect many enhancements coming soon. These will include:

  • Additional policy rules — We have a number of additional rules that cover many critical areas of securing your AWS environment. We will incrementally release these in future betas, and will continue expanding the default policy after general availability.
  • Additional features / usability — We will be releasing additional features and user experience improvements based on feedback from our initial beta customers.

After general availability of the feature, you can expect additional default policies and recommendations from CloudHealth, as well as direct integration with Trusted Advisor.

Please let us know what you think of the new beta feature by sending your feedback directly to us at Thanks, and we look forward to helping you improve your AWS security.

Originally published at