aws security - an engineer’s introduction to aws security auditing using cis and the cli
TRANSCRIPT
![Page 2: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/2.jpg)
Caveat:
I’m an Engineer, not a developer.
I script, I don’t code, this won’t be pretty...
![Page 3: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/3.jpg)
Goals of this presentation
▷ Introduction
▷Quick overview of CIS
▷Quick overview of security and AWS
▷Pass on some lessons learned
▷Provide some CLI examples
▷Save you some time and pain
▷Recommendations based on these
![Page 4: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/4.jpg)
So why write your own tool?
Besides CLI Naming inconsistencies…
![Page 5: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/5.jpg)
Besides being a good way to
learn AWS Security…
▷ I didn’t want to have to go to the web
interface or a document every time I wanted
to do a security review
▷AWS has Trusted Advisor, but charges for
more than basic checks
▷Although the CLI has quite good help, the
naming and use of tags and switches is
frustratingly inconsistent
▷No source (including me) is perfect, more
than one source of verification is good
![Page 6: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/6.jpg)
I already had a Security
Auditing tool of my own… [1]
▷Supported a number of UNIX OS,
including Amazon Linux
▷Used the CIS Benchmarks already
▷Was free (apart from my time) and
required minimal additional software
▷Had a number of people using it, so
would get some additional testing
▷ I could add additional tests as I
discovered new security
recommendations and tips[1] https://github.com/lateralblast/lunar
![Page 7: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/7.jpg)
Security BenchmarksWhy choose the CIS Benchmark?
![Page 8: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/8.jpg)
It’s good to have a common
point of reference as a start…
▷Used by a lot of people and places as a
basis for their own security processes
▷Has a long track record
▷Well trusted, and has industry support
▷Mentioned on AWS Security Blog [1]
▷Semi regularly updated
▷Has explanation and implementation
notes as well as the standard checkbox
▷Has GUI and CLI remediation steps[1] https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
![Page 9: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/9.jpg)
But it’s only a start…
▷ It’s not perfect (e.g. typos in remediation)
▷Not everything is going to be applicable to
your organisation / application
▷You’ll have your own processes on top of it
▷Sometimes lags with updates
▷ It’s always good to have more than one
source of verification, especially for security
▷ It’s a paper document, needs to be
automated to reduce work and human error
![Page 10: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/10.jpg)
Security FundamentalsAn Engineers attempt to explain security…
![Page 11: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/11.jpg)
Traditional:
Security in layers
Network, Application, OS, Users, etc.
Least access / privilege by default
Restrict access to privileged
accounts
Monitor usage of privileged accounts
Use Multifactor Authentication
Enable password complexity
Enable password / credential rotation
Create roles and add users to them
Enable and manage logging
Generate alerts
Encrypt at rest and in transit
What is old is new again…
AWS:
Security in layers
Network, Application, OS, Users, etc.
Least access / privilege by default
Restrict access to “root” account
Monitor use of IAM
Use Multifactor Authentication
Enable password complexity
Enable password / credential rotation
Create roles and add users to them
Enable and manage logging
Generate alerts
Encrypt at rest and in transit
![Page 12: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/12.jpg)
AWS CLI Security AuditingAn Engineers attempt to audit via the CLI…
![Page 13: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/13.jpg)
What does this involve?
▷An overview of key areas:
▷ IAM (Users, Groups, Roles, Policies, MFA)
▷Monitoring (Logging, Metrics, Alerting)
▷Encryption (at rest and in flight)
▷Networking (VPCs and Security Groups)
▷Some CLI examples of how to get and set
security parameters where appropriate
![Page 14: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/14.jpg)
AWS CLI Security AuditingIAM (Users, Groups, Roles, Policies, MFA)
![Page 15: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/15.jpg)
Avoid use of the “root” account
▷Attach IAM policies to groups and roles and
use them to delegate responsibility to
management accounts [1]
▷Minimise use of “root” account to those
functions that require it e.g. requesting a
penetration test of creating a CloudFront
private key
[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
![Page 16: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/16.jpg)
IAM Account Security (MFAs etc.)
▷Ensure MFA is enabled for “root” account
▷Ensure MFA is enabled for other IAM
users
▷Consider hardware MFA for ”root” account
▷Use MFA devices where applicable and
lock the device away in the case of the
root user
▷Delegate management of MFA devices [1]
▷Hardware, Virtual and SMS based MFA [2][1] https://aws.amazon.com/blogs/security/how-to-delegate-management-of-multi-factor-authentication-to-aws-iam-users/
[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
![Page 17: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/17.jpg)
Checking MFAs
$ aws iam generate-credential-report
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task”
}
$ aws iam get-credential-report --query 'Content' --output text |base64 –D \
|cut -d, f1,4,8
user,password_enabled,mfa_active
<root_account>,not_supported,true
spindler,false,false
$ aws iam list-virtual-mfa-devices –-query “VirtualMFADevices”
[
{
"SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleMFADevice”
}
]
$ aws iam get-account-summary | grep "AccountMFAEnabled”
"AccountMFAEnabled": 1,
![Page 18: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/18.jpg)
Managing Credentials
▷Manage Access and Secret keys used for
programmatic access via SDK and HTTP [1]
▷Ensure credentials unused for 90 days or
greater are removed
▷Ensure keys are rotated every 90 days or
less
▷Done manually, or better programmatically
▷Only create keys for users that need them,
and do not have keys for “root” account [2][1] http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
[2] http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
![Page 19: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/19.jpg)
Checking Credentials
$ aws iam generate-credential-report
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task”
}
$ aws iam get-credential-report --query 'Content' --output text |base64 –D \
|cut -d, -f1,4,9,11,14,16 |grep -v '<root_account>’
user,password_enabled,access_key_1_active,access_key_1_last_used_date, \
access_key_2_active,access_key_2_last_used_date
spindler,false,true,2017-01-22T00:11:00+00:00,false,N/A
$ aws iam list-access-keys --user-name spindler --query \
"AccessKeyMetadata[].{AccessKeyId:AccessKeyId, Status:Status}” \
[
{
"Status": "Active",
"AccessKeyId": "AKIAISKTDTHXSGFO5ZFQ”
}
]
$ aws iam delete-access-key --access-key AKIAISKTDTHXSGFO5ZFQ –-user-name spindler
![Page 20: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/20.jpg)
IAM Password Policies
▷At least one uppercase letter
▷At least one lowercase letter
▷At least one symbol
▷At least one number
▷Minimum length of 14
▷Prevent password reuse
▷Expires within 90 days
![Page 21: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/21.jpg)
Getting and Setting Password Policies
$ aws iam get-account-password-policy
{
"PasswordPolicy": {
"AllowUsersToChangePassword": true,
"RequireLowercaseCharacters": true,
"RequireUppercaseCharacters": true,
"MinimumPasswordLength": 14,
"RequireNumbers": true,
"RequireSymbols": true,
"ExpirePasswords": true
}
}
$ aws iam update-account-password-policy --require-uppercase-characters
$ aws iam update-account-password-policy --require-lowercase-characters
$ aws iam update-account-password-policy --require-symbols
$ aws iam update-account-password-policy --require-numbers
$ aws iam update-account-password-policy --minimum-password-length 14
$ aws iam update-account-password-policy --password-reuse-prevention 24
$ aws iam update-account-password-policy --max-password-age 90
![Page 22: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/22.jpg)
IAM Policies
▷ Ensure IAM policies are attached only to
groups or roles [1] [2]
▷Ensure IAM Master and Manager roles are
active (like RBAC, use with EC2 and
Lambda)
▷Ensure IAM instance roles are used for AWS
resource access for instances [3][4]
▷Ensure there are no policies that allow full
“*:*” administrative privileges[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
[3] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
[4] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon- ec2.html
![Page 23: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/23.jpg)
IAM Policies
$ aws iam list-users --query 'Users[*].UserName' --output text
$ aws iam list-attached-user-policies --user-name <iam_user>
$ aws iam list-user-policies --user-name <iam_user>
$ aws iam list-policies --output text |awk '{print $2","$5}' \
|grep -v "arn:aws:iam::aws:policy”
arn:aws:iam::XXXXXXXXXXXX:policy/cloudformationcreatestack,v2
arn:aws:iam::XXXXXXXXXXXX:policy/IAM-Manager,v1
$ aws iam get-policy-version --policy-arn <arn> --version <version> \
--query "PolicyVersion.Document.Statement[?Effect == 'Allow' && \
contains(Resource, '*') && contains (Action, '*')]”
$ aws iam list-entities-for-policy --policy-arn <arn>
$ aws iam detach-role-policy --role-name <role> --policy-arn <arn>
![Page 24: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/24.jpg)
Interfacing with AWS Support
▷Consider enabling security questions for
AWS support calls
▷Maintain security and current contact details
▷Ensure a support role has been created to
manage incidents with AWS support
▷Support does not allow you to allow or deny
access to individual actions so assign
allowing access to all cases, so assign
appropriately
![Page 25: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/25.jpg)
Interfacing with AWS Support
$ aws iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess']”
[
{
"PolicyName": "AWSSupportAccess",
"CreateDate": "2015-02-06T18:41:11Z",
"AttachmentCount": 0,
"IsAttachable": true,
"PolicyId": "ANPAJSNKQX2OW67GF4S7E",
"DefaultVersionId": "v1",
"Path": "/",
"Arn": "arn:aws:iam::aws:policy/AWSSupportAccess",
"UpdateDate": "2015-02-06T18:41:11Z”
}
]
![Page 26: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/26.jpg)
AWS CLI Security AuditingLogging (and some Log Management)
![Page 27: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/27.jpg)
Logging
▷Ensure CloudTrail is enabled in all regions
▷Ensure CloudTrail log file validation is
enabled
▷Ensure the S3 bucket CloudTrail logs to is
not publicly accessible
▷Ensure CloudTrail trails are integrated with
CloudWatch Logs
▷Ensure VPC flow logging is enabled in all
VPCs [1][1] http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
![Page 28: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/28.jpg)
Logging
$ aws cloudtrail describe-trails --query "trailList[].IsMultiRegionTrail" --output text
True
$ aws cloudtrail create-trail --name <trail_name> --bucket-name \
<s3_bucket_for_cloudtrail> --is-multi-region-trail
$ aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail
$ aws cloudtrail describe-trails --query "trailList[].LogFileValidationEnabled” --output text
True
$ aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
$ aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text
$ aws s3api get-bucket-acl --bucket <bucket_name> |grep URI |grep AllUsers
$ aws cloudtrail describe-trails --query "trailList[].CloudWatchLogsLogGroupArn" --output text
$ aws cloudtrail get-trail-status --name <trail_name>
$ aws ec2 describe-flow-logs --query FlowLogs[].FlowLogId --output text
$ aws ec2 describe-flow-logs --query FlowLogs[].ResourceId --output text
$ aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc>" |grep FlowLogStatus
![Page 29: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/29.jpg)
Log and Key Management
▷Ensure S3 bucket access logging is enabled
on the CloudTrail S3 bucket
▷Adjust log retention according to
requirements [1]
▷Ensure AWS Config is enabled in all regions
▷Consider encrypting CloudTrail logs at rest
using KMS and ensure keys are rotated [2]
[1] http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
![Page 30: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/30.jpg)
Log and Key Management
$ aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>
$ aws configservice describe-configuration-recorders
$ aws cloudtrail describe-trails |grep KmsKeyId
$ aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> \
aws kms put-key-policy --key-id <cloudtrail_kms_key> \
--policy <cloudtrail_kms_key_policy>
$ aws kms list-keys
$ aws kms get-key-rotation-status --key-id <kms_key_id>
![Page 31: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/31.jpg)
AWS CLI Security AuditingIAM Monitoring (Logging, Metrics, Alerting)
![Page 32: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/32.jpg)
IAM Monitoring
▷Unauthorized API calls
▷Management Console sign-in without MFA
▷Usage of "root" account
▷ IAM policy changes
▷AWS Management Console authentication
failures
▷Set thresholds accordingly [1]
[1] http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
![Page 33: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/33.jpg)
IAM Monitoring – Unauthorised API Calls
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }”
$ aws cloudwatch describe-alarms –-query \
'MetricAlarms[?MetricName==`<unauthorized_api_calls_metric>`]'
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <unauthorized_api_calls_metric> --metric-transformations \
metricName=<unauthorized_api_calls_metric>,metricNamespace='Audit',\
metricVal ue=1 --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") \
|| ($.errorCode = "AccessDenied*") }'
$ aws sns create-topic --name <sns_topic_name>
$ aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> \
-- notification-endpoint <sns_subscription_endpoints>
$ aws cloudwatch put-metric-alarm --alarm-name <unauthorized_api_calls_alarm> \
--metric-name <unauthorized_api_calls_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 34: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/34.jpg)
IAM Monitoring – Login Without MFA
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed
!= "Yes") }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<no_mfa_console_signin_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <no_mfa_console_signin_metric> --metric-transformations \
metricName=<no_mfa_console_signin_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = "ConsoleLogin") && \
($.additionalEventData.MFAUsed != "Yes") }’
$ aws sns create-topic --name <sns_topic_name>
$ aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> \
-- notification-endpoint <sns_subscription_endpoints>
$ aws cloudwatch put-metric-alarm --alarm-name <no_mfa_console_signin_alarm> \
--metric-name <no_mfa_console_signin_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 35: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/35.jpg)
IAM Monitoring – “root” Account Usage
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy
NOT EXISTS && $.eventType != \"AwsServiceEvent\" } ”
$ aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`<root_usage_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <root_usage_metric> --metric-transformations \
metricName=<root_usage_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS \
&& $.eventType != "AwsServiceEvent" }’
$ aws sns create-topic --name <sns_topic_name>
$ aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> \
-- notification-endpoint <sns_subscription_endpoints>
$ aws cloudwatch put-metric-alarm --alarm-name <root_usage_alarm> \
--metric-name <root_usage_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' -- alarm-actions <sns_topic_arn>
![Page 36: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/36.jpg)
IAM Monitoring – IAM Policy Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern":
"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=Delete
UserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=P
utUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=Cr
eatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)|
|($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUs
erPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
$ aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`<iam_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <iam_changes_metric> --metric-transformations \
metricName=<iam_changes_metric>,metricNamespace='Audit',metricValue=1
--filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)\
||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)\
||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)\
||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)\
||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)\
||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)\
||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
![Page 37: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/37.jpg)
IAM Monitoring – Authentication Failures
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed
authentication\") }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<console_signin_failure_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <console_signin_failure_metric> --metric-transformations \
metricName=<console_signin_failure_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = ConsoleLogin) && \
($.errorMessage = ""Failed authentication"") }’
$ aws sns create-topic --name <sns_topic_name>
$ aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> \
-- notification-endpoint <sns_subscription_endpoints>
$ aws cloudwatch put-metric-alarm --alarm-name <console_signin_failure_alarm> \
--metric-name <console_signin_failure_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 38: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/38.jpg)
AWS CLI Security AuditingConfig Monitoring (Logging, Metrics, Alerting)
![Page 39: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/39.jpg)
CloudTrail, Config, S3, and Key
Monitoring
▷CloudTrail configuration changes
▷AWS Config configuration changes
▷S3 bucket policy changes
▷Disabling or scheduled deletion of customer
created CMKs
▷Set thresholds accordingly [1]
[1] http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
![Page 40: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/40.jpg)
Monitoring – CloudTrail Config Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) ||
($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName =
StopLogging) }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<cloudtrail_cfg_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <cloudtrail_cfg_changes_metric> --metric-transformations \
metricName=<cloudtrail_cfg_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) \
|| ($.eventName = DeleteTrail) || ($.eventName = StartLogging) \
|| ($.eventName = StopLogging) }'
$ aws cloudwatch put-metric-alarm --alarm-name <cloudtrail_cfg_changes_alarm> \
--metric-name <cloudtrail_cfg_changes_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 41: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/41.jpg)
Monitoring – AWS Config Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{($.eventSource = config.amazonaws.com) &&
(($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)
||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<aws_config_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <aws_config_changes_metric> --metric-transformations \
metricName=<aws_config_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{($.eventSource = config.amazonaws.com) && \
(($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) \
||($.even tName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}’
$ aws cloudwatch put-metric-alarm --alarm-name <aws_config_changes_alarm> \
--metric-name <aws_config_changes_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 42: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/42.jpg)
Monitoring – S3 Bucket Policy Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventSource = s3.amazonaws.com) && (($.eventName =
PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) ||
($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) ||
($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName
= DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<s3_bucket_policy_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <s3_bucket_policy_changes_metric> --metric-transformations \
metricName=<s3_bucket_policy_changes_metric>,metricNamespace='Audit',metric Value=1 \
--filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl)\
|| ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) \
|| ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) \
|| ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) \
|| ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }’
$ aws cloudwatch put-metric-alarm --alarm-name <s3_bucket_policy_changes_alarm> \
--metric-name <s3_bucket_policy_changes_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 43: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/43.jpg)
Monitoring – Customer Created CMKs
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{($.eventSource = kms.amazonaws.com) &&
(($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))} }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<disable_or_delete_cmk_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <disable_or_delete_cmk_metric> --metric-transformations \
metricName=<disable_or_delete_cmk_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{($.eventSource = kms.amazonaws.com) && \
(($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}’
$ aws cloudwatch put-metric-alarm --alarm-name <disable_or_delete_cmk_alarm> \
--metric-name <disable_or_delete_cmk_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
-- namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 44: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/44.jpg)
AWS CLI Security AuditingVPC Monitoring (Logging, Metrics, Alerting)
![Page 45: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/45.jpg)
Security Group and VPC Monitoring
▷Security Group changes
▷NACL changes
▷Network Gateway changes
▷Route changes
▷VPC changes
▷SNS subscribers
▷Set thresholds accordingly [1]
[1] http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
![Page 46: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/46.jpg)
IAM Monitoring – Security Group Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName =
AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) ||
($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) ||
($.eventName = DeleteSecurityGroup)}”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<security_group_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <security_group_changes_metric> --metric-transformations \
metricName=<security_group_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress)\
|| ($.eventName = AuthorizeSecurityGroupEgress) \
|| ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) \
|| ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}'
$ aws cloudwatch put-metric-alarm --alarm-name <security_group_changes_alarm> \
--metric-name <security_group_changes_metric> --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 47: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/47.jpg)
IAM Monitoring – NACL Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName =
CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName =
DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName =
ReplaceNetworkAclAssociation) }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<nacl_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <nacl_changes_metric> --metric-transformations \
metricName=<nacl_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateNetworkAcl) \
|| ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) \
|| ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) \
|| ($.eventName = ReplaceNetworkAclAssociation) }’
$ aws cloudwatch put-metric-alarm --alarm-name <nacl_changes_alarm> \
--metric-name <nacl_changes_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 48: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/48.jpg)
IAM Monitoring – Gateway Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName =
DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName =
CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName =
DetachInternetGateway) }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<network_gw_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <network_gw_changes_metric> --metric-transformations \
metricName=<network_gw_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateCustomerGateway)\
|| ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway)\
|| ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway)\
|| ($.eventName = DetachInternetGateway) }’
$ aws cloudwatch put-metric-alarm --alarm-name <network_gw_changes_alarm> \
--metric-name <network_gw_changes_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 49: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/49.jpg)
IAM Monitoring – Route Table Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) ||
($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) ||
($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName =
DisassociateRouteTable) }”
$ aws cloudwatch describe-alarms \
--query 'MetricAlarms[?MetricName==`<route_table_changes_metric>`]’
$ aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <route_table_changes_metric> --metric-transformations \
metricName=<route_table_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) \
|| ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) \
|| ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) \
|| ($.eventName = DisassociateRouteTable) }’
$ aws cloudwatch put-metric-alarm --alarm-name <route_table_changes_alarm> \
--metric-name <route_table_changes_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 50: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/50.jpg)
IAM Monitoring – VPC Changes
$ aws logs describe-metric-filters --log-group-name <cloudtrail_log_group_name>
"filterPattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) ||
($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) ||
($.eventName = CreateVpcPeeringConnection) || ($.eventName =
DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) ||
($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) ||
($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }”
$ aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`<vpc_changes_metric>`]’
$ aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <vpc_changes_metric> --metric-transformations \
metricName=<vpc_changes_metric>,metricNamespace='Audit',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) \
|| ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) \
|| ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection)\
|| ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) \
|| ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) \
|| ($.eventName = EnableVpcClassicLink) }’
$ aws cloudwatch put-metric-alarm --alarm-name <vpc_changes_alarm> \
--metric-name <vpc_changes_metric> --statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
--namespace 'Audit' --alarm-actions <sns_topic_arn>
![Page 51: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/51.jpg)
Monitoring – SNS subscribers
$ aws sns list-topics
$ aws sns list-subscriptions-by-topic --topic-arn <topic_arn>
![Page 52: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/52.jpg)
AWS CLI Security AuditingNetworking (VPCs and Security Groups)
![Page 53: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/53.jpg)
Networking and Security Groups
▷Ensure SSH is not open to the world
▷Ensure RDP is not open to the world
▷Ensure the default security group of every
VPC restricts all traffic [1]
▷Ensure routing tables for VPC peering are
"least access” [2]
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
[2] http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering- configurations-partial-access.html
![Page 54: AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS and the CLI](https://reader031.vdocuments.site/reader031/viewer/2022021503/5888b3f51a28ab80248b5dbf/html5/thumbnails/54.jpg)
Networking and Security Groups
$ aws ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" "Name=ip-
permission.cidr,Values=0.0.0.0/0"$
$ aws ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" "Name=ip-
permission.cidr,Values=0.0.0.0/0”
$ aws ec2 describe-security-groups --filters Name=group-name,Values='default' \
--query 'SecurityGroups[].{IpPermissions:IpPermissions,GroupId:GroupId}’
$ aws ec2 describe-security-groups --filters Name=group-name,Values='default' \
--query 'SecurityGroups[].{IpPermissionsEgress:IpPermissionsEgress \
,GroupId:GroupId}’
$ aws ec2 describe-route-tables --query \
"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes,\
AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayID |grep pcx-