Running AWS Foundational Security Best Practices with CloudQuery Policies
Back in mid-2020 AWS Security Hub released a new security standard called AWS Foundational Security Best Practices. This new standard sets security controls to detect when an AWS account or deployed resources don’t match up to the best practices set out by the AWS security experts. The complete standard can be found in the AWS Security Hub documentation.
As with any security guidelines, factors such as AWS environments, requirements, and capacity of your security team, will impact how you implement those guidelines.
The new AWS Foundational Security Best Practices CloudQuery policy gives you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL.
Please follow the Getting Started documentation on how to install cloudquery, and
fetch your AWS configuration into a PostgreSQL database.
After fetching your AWS configuration into a PostgreSQL database, you can use SQL to check your cloud deployment for compliance!
For example, you can check for certificates that are going to expire soon and need to be renewed.
#https://github.com/cloudquery-policies/aws/blob/main/queries/acm/certificates_should_be_renewed.sql SELECT arn FROM aws_acm_certificates WHERE not_after < NOW() AT TIME ZONE 'UTC' + INTERVAL '30' DAY;
You can also use the
cloudquery command to run the entire AWS Foundational Security Best Practices policy pack. The policy is split into sections as sub-policies, so you can run either the entire policy, a sub-policy, or even one specific check.
# execute the AWS foundational-security-best-practices policy pack cloudquery policy run aws//foundational_security # execute the ACM section in AWS Foundational Security policy cloudquery policy run aws//foundational_security/acm # execute the S3 related section in AWS Foundational Security policy cloudquery policy run aws//foundational_security/s3 # describe all available policies and sub-policies available for AWS on cloudquery cloudquery policy describe aws # execute the entire AWS policy pack, including other benchmarks. cloudquery policy run aws
You can also output the results into a JSON and pass them to downstream processing for automated monitoring and alerting.
cloudquery policy run aws//foundational_security --output-dir=results
Do you have a policy that you want to codify, or that you’ve been running with python or bash scripts? You are welcome to try codifying it with CloudQuery Policies (See our github and docs for how to develop one). Feel free to visit our discord or GitHub to get help - we’ll also be happy to share your policy on CloudQuery Hub.