Ensuring CIS Compliance in AWS

the problem

How do we validate our cloud security compliance? How do we know that the change we just rolled out with terraform didn't quietly alter our security posture (open a security group, weaken a password policy, drop a CloudTrail alarm)?

We've got our 'infrastructure as code' codified and checked into GitLab. We've got our CI/CD pipeline rolling out our AWS infrastructure as merge requests happen, so it makes sense that we'd also test the security of the changes we just deployed, in the same pipeline.

prowler

Prowler is, as the docs state:

Prowler is a tool that provides automated auditing and hardening guidance of an AWS account.
It is based on AWS-CLI commands. It follows guidelines present in the CIS Amazon
Web Services Foundations Benchmark at:
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Basically, it's the CIS AWS Foundations Benchmark as a script: a shell script that drives the AWS CLI (each check is one or more `aws` calls plus some parsing). When you run it, it looks at your AWS account and checks whether you've done things like:

  • enabled MFA on the root account
  • set a password policy with minimum length, complexity and expiration
  • set up CloudWatch metric filters and alarms on CloudTrail events (unauthorized API calls, console logins without MFA, root account use, and so on)
  • etc.

All we have to do is run prowler every time we make a change to our AWS infrastructure and/or on a schedule, and we'll have taken a big step toward automating our audit process. Using GitLab CI, this is a fairly simple task.

running prowler in CI

Naturally, we're already managing our AWS infrastructure 'as code' using terraform and using GitLab CI to test and apply our terraform code changes. If not, please see our previous article on how to Manage AWS with Gitlab and Terraform. There's a Dockerfile in the Prowler repo that builds a docker image that will run prowler. My .gitlab-ci.yml to add it to my 'infrastructure' CI pipeline looks like this (AWS credentials and `AWS_DEFAULT_REGION` come from protected GitLab CI variables, not from the repo):

---
stages:
  - plan
  - apply
  - audit

cache:
  paths:
    - .terraform
  key: "$CI_BUILD_REPO"

plan:
  image:
    name: hashicorp/terraform:0.11.3
    entrypoint: ["/bin/sh", "-c"]
  stage: plan
  script:
    - terraform init -backend=true -get=true -input=false
    - terraform plan -input=false -out=planfile
  when: always
  artifacts:
    paths:
      - planfile

apply:
  image:
    name: hashicorp/terraform:0.11.3
    entrypoint: ["/bin/sh", "-c"]
  # a failed apply does not stop the pipeline; the audit jobs still run
  # against whatever state the account is actually in
  allow_failure: true
  stage: apply
  script:
    - terraform init -backend=true -get=true -input=false
    # apply the saved plan from the plan job rather than re-planning, so what
    # was reviewed in the merge request is exactly what gets applied
    - terraform apply -input=false planfile
  dependencies:
   - plan

# one audit job per CIS section; -c check1 ... check4 selects the section,
# -r is the region the CLI talks to and -f filters the checks to that region
prowler:cis:1:
  image:
    name: aethereal/prowler:latest
  stage: audit
  script:
    - prowler -r ${AWS_DEFAULT_REGION} -f ${AWS_DEFAULT_REGION} -c check1
  dependencies:
   - apply

prowler:cis:2:
  image:
    name: aethereal/prowler:latest
  stage: audit
  script:
    - prowler -r ${AWS_DEFAULT_REGION} -f ${AWS_DEFAULT_REGION} -c check2
  dependencies:
   - apply

prowler:cis:3:
  image:
    name: aethereal/prowler:latest
  stage: audit
  script:
    - prowler -r ${AWS_DEFAULT_REGION} -f ${AWS_DEFAULT_REGION} -c check3
  dependencies:
   - apply

prowler:cis:4:
  image:
    name: aethereal/prowler:latest
  stage: audit
  script:
    - prowler -r ${AWS_DEFAULT_REGION} -f ${AWS_DEFAULT_REGION} -c check4
  dependencies:
    - apply

The *plan* and *apply* stages in the pipeline plan and apply our infrastructure change; each of those jobs uses the hashicorp terraform image. The *audit* stage then runs the prowler docker image four times, once per section of the CIS benchmark, so a failing section shows up as its own red job in the pipeline. One thing to confirm with whatever prowler image you use: the job is only red if prowler exits non-zero when a check fails, otherwise the audit jobs stay green no matter what they find.

the results

Here's the resulting CI pipeline (screenshot: the prowler audit jobs have failed).

As you can see, prowler has run through the first four sections of the CIS hardening guidelines and has found some areas in need of improvement.

Let's take a look at *prowler:cis:4* (screenshot: job log with the failing checks).

Prowler has detected that we have a few users who need to rotate their access keys (CIS 1.4: access keys rotated every 90 days or less). I'll have to go have a chat with them. ;)
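To make concrete what a failing access-key-rotation check is actually looking at, here is an added example (not prowler's own code and not part of the original post) that runs two of the section-1 checks listed earlier, root MFA (CIS 1.13) and access-key age (CIS 1.4), over an IAM credential report. The report CSV is a constructed sample with only the columns these checks read, the reference date `AS_OF` is an assumed value so the ages are stable, and the PASS/FAIL line format and the non-zero exit on failure are this example's own conventions, not prowler's.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# CIS 1.4: active access keys must have been rotated within the last 90 days.
MAX_KEY_AGE = timedelta(days=90)

# Reference time for the sample run (assumed value; a real run would use
# datetime.now(timezone.utc)).
AS_OF = datetime(2018, 3, 1, 12, tzinfo=timezone.utc)

# Constructed sample of an IAM credential report. This is the CSV that
# `aws iam get-credential-report` returns once its Content field is
# base64-decoded; only the columns these two checks read are included,
# a real report carries more.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-03T10:00:00+00:00,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-05-01T09:00:00+00:00,true,true,true,2018-01-15T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-06-10T08:00:00+00:00,true,true,true,2017-09-01T12:00:00+00:00,true,2018-02-20T12:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2017-08-20T08:00:00+00:00,false,false,true,2017-10-01T12:00:00+00:00,false,N/A
"""


def parse_report(csv_text):
    """Parse the credential report CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _timestamp(value):
    """Report dates are ISO 8601; N/A / no_information / not_supported mean 'never'."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def check_root_mfa(rows):
    """CIS 1.13: the root account has MFA enabled."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    return root["mfa_active"] == "true"


def stale_access_keys(rows, now=AS_OF, max_age=MAX_KEY_AGE):
    """CIS 1.4: return (user, key slot, age in days) for every *active* key
    last rotated more than max_age ago. Inactive keys are skipped because the
    benchmark only cares about keys that can still authenticate."""
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_age:
                age = (now - rotated).days if rotated else None
                findings.append((row["user"], slot, age))
    return findings


def audit(csv_text, now=AS_OF):
    """Run both checks; return an overall verdict plus one PASS/FAIL line per finding."""
    rows = parse_report(csv_text)
    lines = []
    root_ok = check_root_mfa(rows)
    lines.append(f"{'PASS' if root_ok else 'FAIL'} 1.13 root account MFA enabled")
    stale = stale_access_keys(rows, now)
    if stale:
        for user, slot, age in stale:
            lines.append(f"FAIL 1.4  {user} access key {slot} last rotated {age} days ago")
    else:
        lines.append("PASS 1.4  all active access keys rotated within 90 days")
    return {"passed": root_ok and not stale, "lines": lines}


if __name__ == "__main__":
    import sys

    result = audit(SAMPLE_REPORT)
    print("\n".join(result["lines"]))
    # A non-zero exit status is what turns the CI job red.
    sys.exit(0 if result["passed"] else 1)
```

On the sample this reports the root account without MFA and two stale keys (bob's key 1 at 181 days, ci-deploy's key 1 at 151 days), so the job would exit 1. Against a real account you would feed it the live report instead: `aws iam generate-credential-report`, wait for it to be ready, then `aws iam get-credential-report --query Content --output text | base64 -d`, and pass `datetime.now(timezone.utc)` as `now`.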

conclusion

By combining a few off-the-shelf, free and open source products (terraform, GitLab CI and prowler) we are able to create an automated cloud infrastructure management and audit pipeline, where every infrastructure change is followed by a CIS benchmark run against the account it just touched.
