Walkthrough on how to automate, validate and monitor AWS IAM Security best practices with CloudQuery
The AWS CIS benchmarks are a set of well-known configuration best-practices that helps companies improve their AWS security posture and comply with various compliance framework like (SOC2, etc...).
The guide is in PDF format, some instructions require going through the UI and others require running long set of commands. Doing this manually is a tedious and error prone work not talking about doing this continuously.
There are some open-source tools like prowler that runs all those commands in one large shell script. The dis-advantage with this kind of approach is that it is hard to customized and for example exclude resource that you know they are not compliant to get a clean report.
This blog will show you how to run AWS CIS benchmark with CloudQuery using out-of-the-box SQL statements that you can customized to your environment.
CloudQuery is an open-source framework that transforms your cloud infrastructure into SQL or Graph database for easy monitoring, governance and security. It's written in Go so it's just a single Binary!
You can download the precompiled binary from releases, or using CLI:
For mac you can use homebrew:
brew install cloudquery/tap/cloudquery # After initial install you can upgrade the version via: brew upgrade cloudquery
CloudQuery currently supports two types of databases: Relational - SQLite, MySQL, PostgreSQL, SQL Server and graph - Neo4j. In this post we will use the default SQLite which is great for local development and testing (see here on how to use others).
CloudQuery uses AWS SDK under-the-hood so authentication works the same way. To sum up you can use the following environment variables or files:
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY - ~/.aws/credentials created via aws configure - AWS_PROFILE
To fetch the data you first need to specify which resources you want to fetch. We will use the default that spceifies all the resources that are currently supported (you can customize it and comment out things you don't want).
To generate the default
cloudquery gen config aws which will output a
config.yml ready to use in the current directory.
Now the money time! run
cloudquery fetch . This will fetch all specified resources in all regions and in all accessible accounts (or specific accounts if specified).
We've created CloudQuery policy pack That runs all CIS checks with SQL statements so you know SQL you can easily customized it to your needs.
You can either download the above file or generate it via
cloudquery gen policy aws_cis.
cloudquery query to see results!
Here is a snippet of the report:
You can also specify
--output if you want also to store the results in JSON format so you can forward it to some logging system.
In the next blog we will show how to set-up CloudQuery in a lambda function to run periodically so you can continuously monitor your rules.