Configure AWS with Azure Security Center
How do you protect your multi-hybrid cloud environment? Do you know whether your Azure VM is exposed to the internet, or whether the AWS root account is behind the right protection? There is a lot of misconfiguration in cloud environments, and identifying an attack in real time is a real problem.
There is a saying that “you cannot protect what you don’t know you have,” and when it comes to the cloud, you probably don’t know many things!
This blog post will go over the top AWS security issues and configure the integration between AWS and Azure Security Center.
Top Security Issues on AWS
Security issues and misconfigurations are everywhere, and like every system, application, and cloud, AWS has many of them. Whenever you build new components on AWS, you must know that you need to secure them.
Companies often struggle to understand how they can protect and secure their data, their customers, and their very existence before moving to or expanding on AWS or other clouds.
AWS has security issues. There are top security issues you must know about, and the good news is that Azure Security Center can identify each of them and provide useful information to handle it.
IAM
- Avoid using the AWS root account user’s access keys, as they give full access to all resources.
- Ensure MFA authentication is enabled for the root account to provide two-factor authentication.
- Create individual IAM users with the necessary permissions for login.
- Ensure User Accounts also have MFA authentication
- IAM Access Keys must be rotated at periodic intervals
- Ensure a strong password policy for users
- Assign permissions to users based on User Groups instead of individual IAM users
- Provide access to a resource through IAM Roles
- If required, conditions can be defined for Policies under which access is granted to a resource.
- Get rid of unnecessary IAM credentials, those that are inactive or unused.
- Use IAM Roles to grant access to applications on EC2 Instances.
- Grant the least access while creating IAM Policies needed to perform the necessary actions.
- Attach IAM policies to groups or roles whenever you create them.
S3
- Configure S3 lifecycle management through rule-based actions, and use versioning to store and retrieve multiple versions of an object in a bucket to deal with accidental deletions.
- Ensure S3 access logging is enabled
- Ensure S3 buckets are not publicly accessible
- Avoid granting users permissions that let them make Amazon S3 resources publicly accessible.
- Make use of object-level or bucket-level permissions in addition to IAM Policies to grant access to resources.
- Enable MFA Delete to prevent accidental deletion of buckets
- Encrypt stored data using server-side or client-side encryption.
- Regularly audit and monitor S3 buckets using CloudWatch metrics.
- Enable encryption of inbound and outbound data traffic through SSL endpoints
EC2 and VPC
- Ensure data and disk volumes in EBS are encrypted with AES-256, the industry-standard algorithm.
- Restrict access to instances from limited IP ranges using Security Groups
- Monitor and optimize default security groups, as they allow unrestricted access for inbound and outbound traffic
- Ensure restricted inbound access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS, etc.
- Use IAM roles to grant access to EC2 instead of access keys for temporary requirements.
- Enable and activate your VPC flow logs to record inbound and outbound traffic in your VPC for better monitoring and early diagnosis
- Make sure that no VPC endpoints are exposed by checking the principal value in the policy.
- If you’re using IAM user access keys for long-term permissions, ensure that you don’t embed the keys directly into code, generate different keys for different applications, rotate your access keys, use MFA authentication and decommission unused key pairs.
- Delete unused Virtual Private Gateways and VPC Internet Gateways
- Limit the range of open ports on EC2 security groups to prevent exposure to vulnerabilities
- Ensure ELBs have a valid security group attached to them
- Ensure no ACLs allow unrestricted inbound or outbound access
CloudTrail
- Make sure both CloudTrail itself and CloudTrail logging are enabled for all regions.
- Ensure CloudTrail is activated across all regions and for global services like IAM, STS, etc.
- It is recommended to deliver CloudTrail logs to a centralized S3 bucket.
- Ensure CloudTrail log file integrity validation is enabled
- Ensure CloudTrail log files are encrypted
RDS
- Ensure RDS security groups do not allow unrestricted access
- Ensure encryption of the RDS instances and snapshots, using AES-256 level encryption
- Ensure RDS database instances and snapshots are not publicly accessible.
- Enable the auto minor version upgrade feature for RDS
- Configure AWS Secrets Manager to rotate the secrets for Amazon RDS automatically.
- Keep control of RDS encryption using AWS KMS customer-managed keys
- Protect data in transit to RDS through SSL endpoints
Redshift
- Enable the require SSL setting for Redshift clusters to reduce the risk to data in transit
- Ensure Redshift encryption with KMS Customer-Managed Keys
- Ensure that the Redshift clusters are not publicly accessible
- Make sure Redshift user activity logging is enabled.
- Enable Redshift Cluster encryption
- It is recommended that Redshift clusters are launched within a VPC for better control.
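To show what a few of these checklist items look like as concrete checks, here is an added example (not from the original post) that inspects an S3 bucket policy for anonymous access and a security group for sensitive ports open to the internet. It works on the JSON shapes the AWS APIs return, with constructed sample inputs, so it runs offline without credentials.

```python
import json

# Ports named in the "restricted inbound access" item above.
SENSITIVE_PORTS = {22: "SSH", 21: "FTP", 25: "SMTP", 3306: "MySQL",
                   5432: "PostgreSQL", 27017: "MongoDB", 1433: "MSSQL", 445: "CIFS"}
ANYWHERE = ("0.0.0.0/0", "::/0")   # IPv4 and IPv6 "whole internet" ranges

def public_bucket_statements(policy_json):
    """Return the Sids of Allow statements granted to the anonymous principal.
    Statements that carry a Condition are still returned: they need a manual look."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anyone:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def open_sensitive_ingress(group):
    """Return (port, service, cidr) for every inbound rule that exposes a sensitive
    port to the internet. `group` is one SecurityGroup dict in the shape returned
    by ec2 describe-security-groups; a rule with IpProtocol "-1" covers all ports."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                findings += [(p, s, cidr) for p, s in SENSITIVE_PORTS.items() if lo <= p <= hi]
    return findings

# Constructed sample inputs, not real account data.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

if __name__ == "__main__":
    print(public_bucket_statements(SAMPLE_POLICY))   # ['PublicRead']
    print(open_sensitive_ingress(SAMPLE_SG))         # SSH from 0.0.0.0/0, then all 8 ports from ::/0
```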
Now that you’re familiar, at a high level, with the top security issues on AWS, let’s go to Azure Security Center and find out whether your AWS accounts have any of them.
Azure Security Center for AWS
There is misinformation about how you can handle security issues and which security tools you can work with to identify threats and protect workloads in today’s multi-hybrid cloud. The main pillar of cloud security is CSPM.
Azure Security Center’s features cover the broad pillars of cloud security: CSPM, CWPP, and CNSP.
Cloud security posture management (CSPM) – Security Center is available for free to all Azure users.
The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with built-in policies.
Cloud Workload Protection Platform (CWPP) – Security Center’s integrated cloud workload protection platform brings advanced, intelligent protection of your Azure and hybrid resources and workloads.
Enabling Azure Security Center brings a range of additional security features as described on this page. In addition to the built-in policies, you can add custom policies and initiatives when you’ve enabled any Azure Security Center plan. You can add regulatory standards – such as NIST and Azure CIS – as well as the Azure Security Benchmark for a truly customized view of your compliance.
With cloud workloads commonly crossing multiple cloud platforms, cloud security services must do the same, and Azure Security Center protects Azure, AWS, and GCP workloads.
Onboarding your AWS account into Azure Security Center integrates AWS Security Hub with Azure Security Center. Azure Security Center thus provides visibility and protection across both cloud environments, offering:
- Policy management
- Vulnerability management
- Automatic agent provisioning
- Detection of security misconfigurations
- Embedded Endpoint Detection and Response (EDR)
- Regulatory compliance assessments of your AWS resources
- Incorporation of your AWS resources into Security Center’s secure score calculations
- A single view showing Security Center recommendations and AWS Security Hub findings
How to Connect AWS to Azure Security Center
The integration between Azure Security Center and AWS relies on a specific ID, ARN, account, and key.
To connect AWS to Azure Security Center, prepare the following prerequisites on the Azure Security Center and AWS sides:
- Azure Security Center
- Azure Service Principal (Azure ARC)
- AWS Config
- AWS Security Hub
- AWS SSM
Connect AWS to Azure Security Center
The configuration is divided into two main parts: the Azure Security Center side and the AWS side.
The AWS Config is a service that enables you to assess, audit, and evaluate AWS resources settings. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
To configure AWS Config, open the AWS Config console and enable it from the getting started guide. Once it’s configured, review the settings and make sure that it’s turned on.
AWS Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. It reduces the effort to collect and prioritize security findings across accounts, from AWS services, and AWS partner tools.
To configure AWS Security Hub, go to the AWS Security Hub console welcome screen. Choose Enable AWS Security Hub and make sure that all settings are enabled under the Security standards option.
TIP: The best practice is to configure AWS Security Hub with an IAM policy.
Then go back to Azure Security Center and go to Cloud connectors and add the AWS account with the following settings and collect the Account ID and External ID for later use.
The next step is to configure the IAM role, and like every AWS access, it’s recommended to configure a dedicated user, role, and policy. To configure the IAM role for Azure Security Center, perform the following actions in the AWS Management Console.
Go to IAM and create an IAM Role based on the following settings:
Then go back to Azure and from PowerShell run the following commands to complete Azure Arc prerequisites.
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
Then go back to the AWS connector in Azure Security Center and add the ARN of the IAM role you created before, with the following settings.
Once you finish with the configuration, your AWS cloud connector will be valid.
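The IAM role created above trusts the Account ID and External ID shown on the Cloud connectors page. As an added example (not part of the original post), here is the standard cross-account trust policy that pairing produces, plus a check that catches a role missing the external ID condition or trusting too broadly; the account and external ID values are constructed placeholders.

```python
import json

# Constructed placeholders for the two values the Cloud connectors page shows
# (Account ID and External ID); substitute the values from your own connector.
ASC_ACCOUNT_ID = "123456789012"
ASC_EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"

def connector_trust_policy(account_id, external_id):
    """Trust policy for the connector's IAM role: only the given account may
    assume it, and only when it presents the external ID in the AssumeRole call."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(policy, account_id, external_id):
    """Review an existing role's trust policy and list what should be fixed before
    its ARN is pasted into the connector. An empty list means the policy is as expected."""
    problems = []
    expected = (account_id, f"arn:aws:iam::{account_id}:root")   # IAM treats both as the same principal
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for p in aws:
            if p == "*":
                problems.append("any AWS principal may assume the role")
            elif p not in expected:
                problems.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the connector's External ID")
    return problems

if __name__ == "__main__":
    print(json.dumps(connector_trust_policy(ASC_ACCOUNT_ID, ASC_EXTERNAL_ID), indent=2))
```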
Once you have completed the integration between Azure Security Center and AWS, you can go to the Azure Security Center console, work with the findings and remediation, and identify the misconfigurations and other security issues you’ve got on your AWS account.
A blog post about how to identify security issues and protect against various attacks with AWS and Azure Security Center will be available soon.