100 Days of DevOps — Day 42: Audit your AWS Environment
Welcome to Day 42 of 100 Days of DevOps. The focus for today is auditing your AWS environment.
On Day 40 I discussed AWS Config, which is used to meet your compliance needs; today let's discuss how you can audit your AWS environment using tools like
- AWS Trusted Advisor
- Scout2
What is AWS Trusted Advisor?
AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices.
Go to Trusted Advisor → https://console.aws.amazon.com/trustedadvisor
Green: No issue or concern found
Yellow: Investigation is recommended
Red: Critical action recommended
- If you expand the Trusted Advisor page and explore the details, anything that is not in red lists the check criteria, details and recommended actions
- Open the security group that is highlighted in red
- Change the port 21 rule so it only allows your company IP range
- Refresh Trusted Advisor; as you can see, port 21 no longer appears
NOTE: You can only refresh the status every 5 minutes, so if the refresh button is greyed out, wait 5 minutes.
This is a simple example of how you can use Trusted Advisor to fix security issues.
Similarly, you can look for other security recommendations and fix them.
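The port 21 fix above is one instance of a general check: find rules open to the whole internet (0.0.0.0/0 or ::/0) on a sensitive port, then narrow them to a known range. The following is an added example (not code from the original post, not Trusted Advisor's implementation) that grades security groups Green/Yellow/Red on a constructed describe_security_groups() response and builds the revoke/authorize payloads that would restrict port 21 to a company CIDR. SENSITIVE_PORTS, COMPANY_CIDR and the sample groups are constructed assumptions; nothing here calls AWS.

```python
"""Security-group audit in the spirit of Trusted Advisor's unrestricted-port check.

Added example, not code from the original post or from AWS. It re-creates the
Green/Yellow/Red grading on a constructed describe_security_groups() response
and builds the revoke/authorize payloads that would restrict port 21 to a
company CIDR. Everything below is constructed sample data; nothing calls AWS.
"""
import ipaddress

# Ports treated as sensitive when exposed to the world (constructed subset).
SENSITIVE_PORTS = {20, 21, 22, 23, 1433, 3306, 3389, 5432}
COMPANY_CIDR = "203.0.113.0/24"  # constructed placeholder (TEST-NET-3 range)

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "ftp-server", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb222", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc333", "GroupName": "internal-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def rule_ports(perm):
    """Port range a permission covers; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def unrestricted_cidrs(perm):
    """CIDRs in the rule that cover the whole address space (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_group(sg):
    """Grade one group: RED if a sensitive port is world-open, YELLOW for any
    other world-open rule, GREEN otherwise. Returns (status, findings)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        open_to = unrestricted_cidrs(perm)
        if not open_to:
            continue
        lo, hi = rule_ports(perm)
        sensitive = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        findings.append({
            "GroupId": sg["GroupId"], "Protocol": perm.get("IpProtocol"),
            "PortRange": (lo, hi), "SensitivePorts": sensitive, "OpenTo": open_to,
            "Level": "RED" if sensitive else "YELLOW"})
    if any(f["Level"] == "RED" for f in findings):
        return "RED", findings
    return ("YELLOW" if findings else "GREEN"), findings


def audit(groups):
    """Map GroupId -> (status, findings) for every group."""
    return {sg["GroupId"]: audit_group(sg) for sg in groups}


def _range_entry(cidr):
    # IPv6 CIDRs go under Ipv6Ranges/CidrIpv6, IPv4 under IpRanges/CidrIp.
    if ":" in cidr:
        return "Ipv6Ranges", {"CidrIpv6": cidr}
    return "IpRanges", {"CidrIp": cidr}


def restrict_to_cidr(perm, open_cidr, allowed_cidr):
    """Build the two IpPermissions payloads that replace open_cidr with
    allowed_cidr on this rule: the first is for revoke_security_group_ingress,
    the second for authorize_security_group_ingress."""
    base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    rk, rv = _range_entry(open_cidr)
    ak, av = _range_entry(allowed_cidr)
    return dict(base, **{rk: [rv]}), dict(base, **{ak: [av]})


if __name__ == "__main__":
    for gid, (status, findings) in audit(SAMPLE_GROUPS).items():
        print(gid, status)
        for f in findings:
            print("   ", f["Level"], f["Protocol"], f["PortRange"], f["OpenTo"])
    ftp_rule = SAMPLE_GROUPS[0]["IpPermissions"][0]
    print(restrict_to_cidr(ftp_rule, "0.0.0.0/0", COMPANY_CIDR))
```

Against a real account you would feed `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit()` and pass the two payloads from `restrict_to_cidr()` to `revoke_security_group_ingress` and `authorize_security_group_ingress` with the GroupId. Authorize the narrower rule before revoking the open one so legitimate traffic is never cut off in between, and re-run the audit afterwards, which is the same confirmation step as refreshing Trusted Advisor.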
Scout2
One other tool I would highly recommend everyone use is Scout2, as it gives you much more detailed information for auditing purposes.
- Installation is straightforward:
pip install awsscout2
- Export your keys:
export AWS_ACCESS_KEY_ID=" "
export AWS_SECRET_ACCESS_KEY=" "
- Run it:
# Scout2
Fetching IAM config...
  groups policies roles users credential_report password_policy
  3/3 48/48 40/40 2/2 1/1 1/1
Fetching Route53Domains config...
  domains
  1/1
Fetching SES config...
  regions identities
  3/3 0/0
Fetching RDS config...
  regions parameter_groups instances snapshots security_groups subnet_groups
  14/14 2/2 0/0 0/0 14/14 1/1
Fetching CloudTrail config...
  regions trails
  14/14 57/57
Fetching ELB config...
  regions elbs
  14/14 0/0
Fetching EFS config...
  regions file_systems
  6/6 0/0
Fetching ELBV2 config...
  regions lbs ssl_policies
  14/14 1/1 7/7
Fetching CloudWatch config...
  regions alarms
  14/14 2/2
Fetching Lambda config...
  regions functions
  14/14 3/3
Fetching RedShift config...
  regions parameter_groups clusters security_groups
  14/14 0/0 0/0 0/0
Fetching S3 config...
  buckets
Failed to get encryption configuration for cloudwatch-to-s3-logs: 'S3' object has no attribute 'get_bucket_encryption'
  1/11
Failed to get encryption configuration for mytests3bucketforcloudtrail: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for s3-event-notification-topic-mydemo-bucket: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for my-tf-test-bucket-terraform-12345676: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for s3-cloudtrail-bucket-with-terraform-code: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for config-bucket-349934551430: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for mys3bucket-withkms-serverside-encryption: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for mytestcloudtrailbucketforevent: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for mys3kmsbuckettestforencryption: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for testingcloudtraillogfilevalidationbucket: 'S3' object has no attribute 'get_bucket_encryption'
Failed to get encryption configuration for mytestkmsbuckettest: 'S3' object has no attribute 'get_bucket_encryption'
  11/11
Fetching CloudFormation config...
  regions stacks
  14/14 1/1
Fetching SQS config...
  regions queues
  14/14 0/0
Fetching EC2 config...
  regions instances snapshots network_interfaces volumes security_groups
  14/14 4/4 38/38 11/11 7/7 30/30
Fetching VPC config...
  regions subnets route_tables vpn_gateways vpcs customer_gateways network_acls vpn_connections flow_logs peering_connections
  14/14 48/48 18/18 0/0 16/16 0/0 16/16 0/0 2/2 0/0
Fetching EMR config...
  regions clusters
  14/14 0/0
Fetching Direct Connect config...
  regions connections
  14/14 0/0
Fetching ElastiCache config...
  regions clusters security_groups
  14/14 0/0 0/0
Fetching Route53 config...
  hosted_zones
  2/2
Fetching SNS config...
  regions topics subscriptions
  14/14 5/5 4/4
Processing CloudTrail config...
Matching EC2 instances and IAM roles...
'subnets'
Path: ['services', u'vpc', u'regions', u'us-west-2', u'flow_logs']
Key = flow_logs
Value = fl-03eca4e646e3ce517
Path = []
Saving data to scout2-report/inc-awsconfig/aws_config.js
Saving config...
File 'scout2-report/inc-awsconfig/aws_config.js' already exists. Do you want to overwrite it (y/n)? y
Saving data to scout2-report/inc-awsconfig/exceptions.js
Saving config...
File 'scout2-report/inc-awsconfig/exceptions.js' already exists. Do you want to overwrite it (y/n)? y
Creating scout2-report/report.html ...
File 'scout2-report/report.html' already exists. Do you want to overwrite it (y/n)? y
Opening the HTML report...
- In the end, you get a nice UI
- For example, if you click on EC2 and drill down, you will see Green, Orange and Red, similar to Trusted Advisor
- If you drill down further, it gives you the detailed information
NOTE: As per the GitHub link, the Scout2 project has now migrated to ScoutSuite.
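The "Failed to get encryption configuration ... 'S3' object has no attribute 'get_bucket_encryption'" lines in the run above are worth understanding before trusting the report: the installed boto3/botocore was too old to know the GetBucketEncryption API, so every bucket's encryption status was simply skipped, not reported as a finding. The following is an added example (not Scout2's or boto3's code) of a bucket default-encryption check that guards against that condition, treats the ServerSideEncryptionConfigurationNotFoundError response as "unencrypted", and classifies the rest. FakeS3Client, LegacyS3Client, FakeClientError and the bucket names are constructed stand-ins; nothing here calls AWS.

```python
"""Bucket default-encryption audit with the failure mode seen in the Scout2 run.

Added example, not Scout2's own code. The log shows Scout2 failing with
"'S3' object has no attribute 'get_bucket_encryption'", i.e. a boto3/botocore
too old to know that API. This checker guards against that, treats the
"no configuration" error as "unencrypted", and classifies the rest. Clients
and bucket names below are constructed stand-ins; nothing calls AWS.
"""

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"  # real S3 error code


class FakeClientError(Exception):
    """Mimics botocore's ClientError: a .response dict with Error.Code."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeS3Client:
    """Constructed stand-in for boto3.client('s3'); only get_bucket_encryption."""
    def __init__(self, configs):
        self._configs = configs  # bucket -> list of rules, or None for no config

    def get_bucket_encryption(self, Bucket):
        rules = self._configs.get(Bucket)
        if rules is None:
            raise FakeClientError(NOT_FOUND, "The server side encryption configuration was not found")
        return {"ServerSideEncryptionConfiguration": {"Rules": rules}}


class LegacyS3Client:
    """Constructed stand-in for an old client with no get_bucket_encryption at all."""


def bucket_encryption_status(client, bucket):
    """Return 'aws:kms', 'AES256', 'none', or 'unknown' for one bucket."""
    if not hasattr(client, "get_bucket_encryption"):
        # Same condition that produced the failures in the Scout2 log: report it
        # as unknown instead of silently skipping the bucket.
        return "unknown"
    try:
        resp = client.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == NOT_FOUND:
            return "none"
        raise
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if "aws:kms" in algorithms:
        return "aws:kms"
    if "AES256" in algorithms:
        return "AES256"
    return "none"


def audit_buckets(client, buckets):
    """Map bucket -> status and list the buckets that need attention."""
    statuses = {b: bucket_encryption_status(client, b) for b in buckets}
    findings = [b for b, s in statuses.items() if s in ("none", "unknown")]
    return statuses, findings


# Constructed sample: what get_bucket_encryption would return per bucket.
SAMPLE_CONFIGS = {
    "example-kms-bucket": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"}}],
    "example-sse-s3-bucket": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}],
    "example-plain-bucket": None,
}
SAMPLE_BUCKETS = list(SAMPLE_CONFIGS)

if __name__ == "__main__":
    print(audit_buckets(FakeS3Client(SAMPLE_CONFIGS), SAMPLE_BUCKETS))
    print(audit_buckets(LegacyS3Client(), SAMPLE_BUCKETS))
```

With a real client the same function works unchanged: pass `boto3.client("s3")` and the names from `list_buckets()["Buckets"]`. The point of the "unknown" status is that an audit tool which cannot evaluate a control should say so in its findings; the Scout2 run above produced a clean-looking report for those eleven buckets only because the check never ran.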
I look forward to you joining this journey: spend a minimum of an hour every day for the next 100 days on DevOps work and post your progress using any of the channels below.
- Twitter: @100daysofdevops OR @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- Slack: https://devops-myworld.slack.com/messages/CF41EFG49/
- GitHub: https://github.com/100daysofdevops