Profile Applicability:
 Level 1

Description:
 Regularly reviewing security configurations ensures that any changes in AWS services, compliance requirements, or security best practices are addressed promptly. Security reviews should focus on database configurations, IAM roles, and security groups to mitigate any risk of misconfigurations or non-compliance.

Rationale:
 Security configurations evolve over time as new vulnerabilities are discovered and new best practices are established. Regular reviews ensure that security controls remain effective, configurations are optimized, and risks are minimized. This is crucial for maintaining a strong security posture and adhering to industry standards.

Impact:
 Failing to review security configurations can lead to outdated or misconfigured security settings that expose resources to unnecessary risk. Regular reviews ensure that vulnerabilities are caught early and that security policies are aligned with current best practices.

Default Value:
 By default, AWS does not schedule or perform configuration reviews on your behalf, and AWS Config and Security Hub are not active in an account until you enable them. Regular reviews have to be scheduled and tracked by the account owner, using those services, third-party tools, or a manual process.

Pre-requisites:

  • An AWS account with read-only audit access for the review itself (the SecurityAudit managed policy is sufficient) and administrative access to enable AWS Config and Security Hub.

  • Knowledge of AWS services such as IAM, VPC, RDS, and security tools.

  • A scheduled review process (quarterly, bi-annually).

Test Plan:

Using AWS Console:

  1. Navigate to the IAM Dashboard and review all roles, policies, and access controls.

  2. In RDS, inspect the VPC security groups, public accessibility and storage encryption settings for Aurora or other databases.

  3. Verify that security logging and monitoring tools (e.g., CloudWatch, CloudTrail) are set up and functioning correctly.

  4. Ensure VPC security settings are reviewed, including NACLs, security groups, and subnet configurations.

Using AWS CLI:

  1. List IAM roles and customer-managed policies (get-account-authorization-details returns users, groups, roles, their attached policies and inline policy documents in one call, which is easier to diff between reviews):

     aws iam list-roles
     aws iam list-policies --scope Local
     aws iam get-account-authorization-details


  2. Check RDS security group settings:
     

    aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, VpcSecurityGroups:VpcSecurityGroups}"


  3. Verify CloudTrail configuration for security auditing (describe-trails shows how each trail is configured; get-trail-status shows whether it is actually delivering logs):

     aws cloudtrail describe-trails
     aws cloudtrail get-trail-status --name <trail-name>


  4. Check VPC security group configurations, then narrow the list to groups with an ingress rule open to the internet:

     aws ec2 describe-security-groups
     aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0

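The CLI commands above return raw JSON and leave the judgment to the reviewer. The script below is an added example (it is not part of this benchmark and not AWS tooling) that applies three of the checks a reviewer would otherwise make by hand to that output: security group ingress rules open to 0.0.0.0/0 or ::/0 on ports outside an assumed allow-list of 80 and 443, RDS instances that are publicly accessible, unencrypted or attached to one of those groups, and CloudTrail trails missing multi-region coverage, log file validation, CloudWatch Logs delivery or KMS encryption. The three embedded documents are constructed samples shaped like the `describe-security-groups`, `describe-db-instances` and `describe-trails` output; the group IDs, instance names, trail names and account number are placeholders.

```python
import ipaddress
import json

# Assumption: only these ports are expected to be reachable from the internet.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample shaped like `aws ec2 describe-security-groups` output (not real data).
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0e4f5a6b", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}"""

# Constructed sample shaped like `aws rds describe-db-instances` output (not real data).
RDS_JSON = """{"DBInstances": [
 {"DBInstanceIdentifier": "orders-prod", "Engine": "aurora-mysql", "PubliclyAccessible": false,
  "StorageEncrypted": true, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0e4f5a6b", "Status": "active"}]},
 {"DBInstanceIdentifier": "reports-dev", "Engine": "postgres", "PubliclyAccessible": true,
  "StorageEncrypted": false, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]}]}"""

# Constructed sample shaped like `aws cloudtrail describe-trails` output (not real data).
TRAILS_JSON = """{"trailList": [
 {"Name": "org-trail", "IsMultiRegionTrail": true, "LogFileValidationEnabled": true,
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:trail:*",
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
 {"Name": "legacy-trail", "IsMultiRegionTrail": false, "LogFileValidationEnabled": false}]}"""


def open_ingress(sg_doc, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress rule that is
    open to the whole internet (0.0.0.0/0 or ::/0) on anything other than the allowed ports."""
    findings = []
    for sg in sg_doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
            if not world:
                continue
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # "-1" means all protocols and ports; ICMP rules carry -1 as the port and are flagged too.
            ports = None if proto == "-1" else set(range(lo, hi + 1))
            if ports is not None and ports <= allowed_public_ports:
                continue
            findings.extend((sg["GroupId"], proto, lo, hi, c) for c in world)
    return findings


def rds_exposure(rds_doc, open_rules):
    """Map instance identifier -> list of issues: public endpoint, unencrypted storage, or
    attachment to a group that open_ingress() flagged."""
    open_groups = {rule[0] for rule in open_rules}
    findings = {}
    for db in rds_doc["DBInstances"]:
        issues = []
        if db.get("PubliclyAccessible"):
            issues.append("publicly accessible")
        if not db.get("StorageEncrypted"):
            issues.append("storage not encrypted")
        for sg in db.get("VpcSecurityGroups", []):
            if sg["VpcSecurityGroupId"] in open_groups:
                issues.append("attached to world-open group " + sg["VpcSecurityGroupId"])
        if issues:
            findings[db["DBInstanceIdentifier"]] = issues
    return findings


def trail_gaps(trail_doc):
    """Map trail name -> list of missing hardening settings. describe-trails does not report
    whether the trail is currently logging; use get-trail-status for that."""
    required = (("multi-region", "IsMultiRegionTrail"),
                ("log file validation", "LogFileValidationEnabled"),
                ("CloudWatch Logs delivery", "CloudWatchLogsLogGroupArn"),
                ("KMS encryption", "KmsKeyId"))
    gaps = {}
    for trail in trail_doc["trailList"]:
        missing = [label for label, key in required if not trail.get(key)]
        if missing:
            gaps[trail["Name"]] = missing
    return gaps


def run_review():
    """Run all three checks on the embedded samples; swap in real CLI output for a live review."""
    rules = open_ingress(json.loads(SECURITY_GROUPS_JSON))
    return {
        "open_ingress": rules,
        "rds": rds_exposure(json.loads(RDS_JSON), rules),
        "trails": trail_gaps(json.loads(TRAILS_JSON)),
    }


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

To use it on a real account, replace the three constants with the saved output of the commands (for example `aws ec2 describe-security-groups --output json > sgs.json` and `json.load(open("sgs.json"))`) and keep the previous run's output so that the next quarterly review can be diffed against it rather than read from scratch.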

Implementation Plan:

Using AWS Console:

  1. Set up a recurring security review schedule for all security groups, IAM policies, and database configurations (e.g., quarterly).

  2. Create a security audit checklist that includes reviewing IAM roles, reviewing database access permissions, ensuring encryption configurations, and verifying security logging tools.

  3. Use AWS Config to monitor and track changes to security settings automatically, ensuring compliance.

  4. Utilize AWS Security Hub to get automated insights into your security posture.

Using AWS CLI:

  1. Use AWS Config managed rules to evaluate security settings continuously (the configuration recorder must already be running in the account). The rule is passed as one JSON document; the Source identifier names an AWS managed rule such as RDS_STORAGE_ENCRYPTED or RESTRICTED_INCOMING_TRAFFIC:

     aws configservice put-config-rule --config-rule '{"ConfigRuleName":"<rule-name>","Source":{"Owner":"AWS","SourceIdentifier":"<managed-rule-identifier>"}}'


  2. Schedule periodic reviews using AWS Lambda or AWS Step Functions to trigger configuration assessments and security audits.

  3. Enable AWS Security Hub and pull the findings for non-compliant resources. Filter to failed findings on resources that still exist, so that passed checks and findings for deleted resources do not land in the review set:

     aws securityhub get-findings --filters '{"ComplianceStatus":[{"Comparison":"EQUALS","Value":"FAILED"}],"RecordState":[{"Comparison":"EQUALS","Value":"ACTIVE"}]}'

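Security Hub returns every finding in the account, including passed checks, findings whose resource has since been deleted (RecordState ARCHIVED) and findings someone has already suppressed as accepted risk. The script below is an added example, not part of this benchmark or of Security Hub, that builds the get-findings filter for the review set and triages a page of findings into a worklist grouped by severity and by resource. The embedded findings are constructed and shaped like the ASFF records that get-findings returns; the control IDs, titles, ARNs and account number are illustrative placeholders.

```python
import json
import shlex
from collections import Counter, defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]


def findings_filter():
    """AwsSecurityFindingFilters for `get-findings --filters`: failed checks whose resource
    still exists (ACTIVE) and which nobody has triaged yet (workflow NEW)."""
    return {
        "ComplianceStatus": [{"Comparison": "EQUALS", "Value": "FAILED"}],
        "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
        "WorkflowStatus": [{"Comparison": "EQUALS", "Value": "NEW"}],
    }


def cli_command():
    """The CLI invocation that applies findings_filter() server-side."""
    return "aws securityhub get-findings --filters " + shlex.quote(json.dumps(findings_filter()))


# Constructed ASFF findings shaped like the `Findings` list from get-findings (not real data;
# control IDs and titles are illustrative).
FINDINGS_JSON = """{"Findings": [
 {"Id": "f-1", "GeneratorId": "security-control/EC2.19", "Title": "Security group allows unrestricted access to a high-risk port",
  "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d"}]},
 {"Id": "f-2", "GeneratorId": "security-control/RDS.2", "Title": "RDS instance is publicly accessible",
  "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "AwsRdsDbInstance", "Id": "arn:aws:rds:us-east-1:123456789012:db:reports-dev"}]},
 {"Id": "f-3", "GeneratorId": "security-control/RDS.3", "Title": "RDS storage is encrypted",
  "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "AwsRdsDbInstance", "Id": "arn:aws:rds:us-east-1:123456789012:db:orders-prod"}]},
 {"Id": "f-4", "GeneratorId": "security-control/EC2.19", "Title": "Security group allows unrestricted access to a high-risk port",
  "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"},
  "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-deleted"}]},
 {"Id": "f-5", "GeneratorId": "security-control/CloudTrail.1", "Title": "No multi-region CloudTrail trail",
  "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
  "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}]}]}"""


def triage(doc):
    """Apply the same predicate as findings_filter() client-side (useful on exported findings)
    and return counts by severity plus a per-resource worklist."""
    wanted = {key: val[0]["Value"] for key, val in findings_filter().items()}

    def in_review_set(f):
        return (f.get("Compliance", {}).get("Status") == wanted["ComplianceStatus"]
                and f.get("RecordState") == wanted["RecordState"]
                and f.get("Workflow", {}).get("Status") == wanted["WorkflowStatus"])

    by_severity, by_resource, skipped = Counter(), defaultdict(list), 0
    for finding in doc["Findings"]:
        if not in_review_set(finding):
            skipped += 1  # passed, archived (resource gone) or already suppressed
            continue
        label = finding["Severity"]["Label"]
        by_severity[label] += 1
        for resource in finding.get("Resources", []):
            by_resource[resource["Id"]].append((label, finding["GeneratorId"], finding["Title"]))
    return {
        "by_severity": [(s, by_severity[s]) for s in SEVERITY_ORDER if by_severity[s]],
        "by_resource": dict(by_resource),
        "skipped": skipped,
    }


def triage_sample():
    """Triage the embedded sample; replace FINDINGS_JSON with saved get-findings output."""
    return triage(json.loads(FINDINGS_JSON))


if __name__ == "__main__":
    print(cli_command())
    print(json.dumps(triage_sample(), indent=2))
```

The client-side predicate mirrors the server-side filter so that the same review set is produced whether findings are pulled live or from an export; suppressed findings are excluded deliberately, because re-litigating accepted risk every quarter is what makes review fatigue set in.
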
Backout Plan:

Using AWS Console:

  1. Disable or remove any scheduled security reviews that were set up.

  2. Restore previous security configurations from the AWS Config configuration history or from the CloudFormation (or other infrastructure-as-code) templates the resources were deployed from.

  3. Turn off AWS Config and Security Hub if they were set up for continuous monitoring and auditing.

Using AWS CLI:

  1. Disable AWS Config rule:

     aws configservice delete-config-rule --config-rule-name <rule-name>


  2. Remove the schedule that triggers the Lambda function or Step Functions state machine. The schedule is an EventBridge rule, and its targets must be removed before the rule can be deleted; the function itself can be deleted afterwards with aws lambda delete-function if it is no longer needed:

     aws events remove-targets --rule <rule-name> --ids <target-id>
     aws events delete-rule --name <rule-name>



  3. Deactivate Security Hub:

     aws securityhub disable-security-hub


References: