How to Perform AWS Security Scanning and Configuration Monitoring?

AWS (Amazon Web Services) provides a robust cloud platform to host your applications and infrastructure, but security is something you have to take care of yourself.

There have been many incidents where an attacker compromised an AWS account and abused it for their own purposes, or just for fun.

I came across a post on Quora where the user's AWS account was hacked and they received a $50,000 bill!

A single leak of sensitive information can cost you heavily and damage your reputation. So how do you ensure you've taken all the necessary steps to protect your AWS account?

One way is to follow industry security guidelines manually, which is time-consuming and prone to human error. Alternatively, you can use one of the following SaaS (Software-as-a-Service) tools to automatically audit your AWS platform for security loopholes and misconfigurations.

Note: the vulnerability scanners below are specifically for the AWS cloud, not for websites or web applications.

Let's explore what options we have…

Update: using Google Cloud Platform (GCP)? Check out GCP security scanner.

AWS Config

AWS Config is an effective tool for assessing, evaluating, recording, and auditing the configurations of the resources in your AWS environment. It simplifies security analysis, compliance auditing, operational troubleshooting, and change management.

Key features include:

Intruder

Intruder is a modern vulnerability scanner, designed from day one to work seamlessly with the three major cloud providers, AWS, GCP, and Azure. It is enterprise-ready and offers a government & bank-level security scanning engine without complexity.

Intruder makes cloud security a breeze by allowing you to easily monitor your cloud systems, discover new assets, and automatically synchronize your scan targets. It continuously observes what you expose to the Internet and sends notifications about important changes, such as when open ports and services change, which, if unnoticed, could lead to a security breach.

Unlike some cloud-only vulnerability scanners though, Intruder is able to seamlessly monitor your traditional edge networks, web applications, and internal environments too, for an all-in-one effortless vulnerability management experience.

Its robust security checks include identifying:

Intruder proactively scans your systems for new vulnerabilities, keeping you protected against the very latest threats. This kind of proactive action is essential for busy teams that don’t have time for manual research.

You can give Intruder a try for 30 days for free.

Astra Pentest

Astra Pentest is a best-in-the-industry cloud security suite that combines a vulnerability scanner with automated and manual penetration testing to ensure an optimum level of security for your AWS infrastructure against vulnerability exploits.

It is designed to comprehensively test for security weaknesses in your AWS environment with over 3,000 test cases and ensures that all requirements for regulatory compliance are met.

Key Features of Astra Pentest:

Uncover vulnerabilities before hackers with our intelligent scanner and manage your entire security from a CXO and developer-friendly dashboard. Select a plan as per your needs.

Cloud Custodian

Cloud Custodian is a flexible open-source rules engine for managing AWS cloud resources and accounts to ensure security and policy compliance. It lets you manage and optimize the security, cost, and governance of your AWS cloud environment.

Cloud Custodian key features:

Prowler

Prowler is a security configuration assessment, auditing, and hardening tool for AWS accounts that also checks compliance with the CIS AWS Foundations security standard. Further, the tool performs over 100 additional checks covering HIPAA, GDPR, forensics readiness, trust boundaries, and more.

The Prowler command-line tool covers identity and access management practices, logging, monitoring, and other security assessment activities across AWS services such as Redshift, CloudFront, ElastiCache, Elasticsearch, API Gateway, and others.

Highlights

Cloudmapper

Cloudmapper is an open-source tool that enables you to analyze and build an interactive visualization of assets, services, and other components in your AWS environment.

Generally, the tool allows developers to check and understand the environments they have built. It does this by collecting data from your AWS accounts and converting it into a browser-accessible format.

Cloudmapper typically outputs its analysis as network diagrams of the AWS cloud environment. The visual presentation helps you understand your accounts and how they relate to cloud resources, and lets you spot misconfigurations or other issues.

This allows you to

Cloud Reports

Cloud Reports from Tensult is a Node.js-based open-source tool for collecting and analyzing a wide range of information from various cloud components. The tool compares its findings against best practices.

It then generates reports, usually in HTML, CSV, JSON, or PDF, showing the different AWS services in use along with the best practices you should follow. The report also lists the issues it has identified and their impact on your services.

The HTML reports are accessible via a web browser, while those in JSON, CSV, and PDF are stored in a folder. Each report carries a timestamp for easy identification and access when running multiple scans.

AWStealth

AWStealth is a security tool that teams use to discover the most privileged entities in an AWS cloud environment. The scan results show users with excessive, risky, or sensitive permissions, which enables security teams to identify the most privileged accounts they need to properly secure against potential attacks and exploits.

Typical AWS entities with sensitive privileges that should be on your radar include the straightforward admins as well as the riskier shadow admins.

AWStealth thus enables security teams to prevent threats arising from shadow admins and other privileged-account vulnerabilities.

Salesforce Policy Sentry

Policy Sentry is an AWS IAM privilege management tool. It includes an IAM least-privilege policy generator, an audit mechanism, and an analysis database. The tool compiles database tables from the IAM documentation on resources, actions, and condition keys, then uses this data to generate least-privilege IAM policies.

Highlights
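As an added example, not code from AWStealth or Policy Sentry, the following Python script shows the core check that the two sections above describe: parsing IAM policy documents and flagging principals whose Allow statements grant full admin rights or the IAM actions that let them escalate to admin (the shadow admins mentioned above). The sensitive-action list and the sample policies are constructed for illustration and are not exhaustive.

```python
import fnmatch

# Constructed, illustrative subset of IAM actions through which a principal can
# grant itself or others admin-level access (the "shadow admin" pattern).
SENSITIVE_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}

def _as_list(value):
    """IAM allows either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _covers(pattern, action):
    """IAM action patterns are case-insensitive globs such as 'iam:*' or 'iam:Put*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def assess_policy(policy):
    """Return a list of findings for one IAM policy document (already parsed from JSON)."""
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given without a list
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant privilege; Deny narrows it
        if "NotAction" in stmt:
            findings.append("review: Allow with NotAction grants everything not listed")
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append("full-admin: Action '*'")
            continue
        hits = sorted({s for s in SENSITIVE_ACTIONS for a in actions if _covers(a, s)})
        if hits and "*" in resources:
            findings.append("shadow-admin: %s on Resource '*'" % ", ".join(hits))
        elif hits:
            findings.append("privileged: %s scoped to %s" % (", ".join(hits), resources))
    return findings

# Constructed sample policies; not taken from any real account.
SAMPLE_POLICIES = {
    "admin": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "shadow": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:CreatePolicyVersion", "s3:GetObject"], "Resource": "*"}]},
    "readonly": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"}]},
}
if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, assess_policy(policy) or ["no sensitive grants"])
```

In practice you would feed it the policy documents attached to each user, group and role (inline and managed) and rank the principals by their findings, which is what the tools above automate.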

Komiser

Komiser is a comprehensive inspection and analysis tool that helps you monitor and control expenses on your AWS cloud platform. The open-source cost optimization tool inspects the cloud platform and checks for a wide range of configuration and cost issues. It discovers hidden costs and provides recommendations to help you save and remain within budget.

Key features:

AlienVault

AlienVault USM (Unified Security Management) is one of the market leaders in SIEM (Security Information and Event Management) solutions for AWS.

USM is a single security monitoring platform that provides visibility into what's happening in your AWS cloud so you can take full control and manage risk.

Some of the essential inbuilt features are:

AlienVault provides actionable threat intelligence, powered by OTX (Open Threat Exchange). It works within the Amazon shared responsibility model. With the help of AWS-native sensors, you can detect when a suspicious instance is provisioned, a new user is created, a security group is modified, and so on.

CloudSploit

CloudSploit is capable of detecting hundreds of threats in your AWS account through automated security scanning and configuration monitoring.

You can use CloudSploit in every AWS region, and it provides not just scan results but also recommendations for fixing the issues.

CloudSploit offers an API, which is useful if you want to integrate security scanning into your own application. A good thing is that you don't need to install any agent on the servers to be monitored.

You can get started for FREE with unlimited on-demand scans. If you want automated scans, risk-finding emails, real-time event streams, etc., you have to pay for it.

Skyhigh

Skyhigh provides comprehensive security monitoring, auditing, compliance, and remediation for AWS infrastructure.

Some of the essential features of Skyhigh are:

It supports forensic investigation and automatically feeds threat-resolution data back into self-learning for improved detection accuracy.

Qualys

Qualys, one of the industry leaders in vulnerability scanning platforms for websites and networks, provides total visibility of your AWS cloud to secure it and keep it compliant with internal and external policies.

Qualys provides a cloud agent that can be installed either on EC2 instances or baked into the AMI at the source, for automated asset discovery, classification, monitoring, and vulnerability remediation.

ScoutSuite

ScoutSuite is a Python-based open-source tool for viewing the security posture of an AWS environment. It fetches CloudTrail, S3, AMI, EC2, and other data and reports it in HTML format.

Risk items are categorized automatically and marked as danger or warning in red and yellow, respectively.

Alert Logic

Improve your AWS security posture with Alert Logic Cloud Insight. Alert Logic can inspect full-stack infrastructure, including network, open-source, and enterprise software, against more than 90,000 known vulnerabilities.

Some of the essential Alert Logic key capabilities are:

AWS Trusted Advisor

The list wouldn't be complete without mentioning AWS Trusted Advisor, a real-time guide to improving security and reducing cost by following AWS best practices.

Conclusion

AWS secures the core infrastructure, but what you deploy and how you configure it is your responsibility. I hope the AWS security scanning solutions listed above help you keep your AWS cloud environment secure and cost-effective.