Cloud Security: Sample Patching Policy
Introduction
Recently, a Trojan attacked your company’s systems through an unpatched vulnerability within Windows. The patch for this was released over a year ago, but was not installed. The CEO was not happy when she learned that the situation could have been prevented by the installation of a small patch. As a result, she has tasked you to design a system, using AWS tools, to ensure that no security vulnerability will go unpatched. In addition, she has tasked you to prepare a report on any other security vulnerabilities you can find within the company.
Situation
Your organization currently runs its website on two Linux machines, but also has numerous Windows machines, database servers, and several application servers. You have never had any form of patching policy, so most of your servers are very far behind in patches. No one has ever considered any other form of security against external or internal threats.
You currently use an on-site Active Directory for every form of user access. Numerous people use shared accounts (“generic1”, “generic2”, and “generic3”) to log in, a legacy situation from years ago. You know this is not secure, but will need to articulate it for your CEO to understand. In addition, your AWS environment does not use Active Directory; people in the directory have set up their own logins.
Finally, your environment holds a great deal of personally identifiable information (PII), such as credit card information and sensitive voter information. Nobody at the company knows where all of the data is stored.
Technical Write-Up
Prepare a short (5 to 7 page) report describing at least three Amazon tools that will assist in these problems. Describe the tools you have selected as well as how they might help solve these problems. Give some recommendations as to policy changes that will help ensure the security of company data. Be sure to keep your report at a fairly high level, giving technical details where required, but always remembering that your audience is the CEO of the company.
—-
Overview
This document describes the current environment and the plan to address the major security threats to the listed systems hosted in AWS. These systems include:
Two Linux Web Servers
Numerous Windows machines
Numerous Database Servers
Several Application Servers
Patching is the most pressing concern. In addition, sensitive personal information must be located and managed because of its privacy implications, and best practices for authentication and account management need to be put in place.
Purpose
This document provides a high-level view of the tools that can help solve these problems, and makes recommendations on policy changes that will help ensure the security of company data.
Main areas of concern
Patching against vulnerabilities
Both Linux and Windows systems require patching against vulnerabilities, and patching has never been configured. As a result, systems can be exploited through known, already-fixed vulnerabilities, compromising the systems and the digital assets they hold. The database and application servers run on either Windows or Linux, so they are covered by the same approach.
Account and Authentication Best Practices
Accounts are created in an ad hoc manner rather than using the identities in the corporate directory (Active Directory), and some accounts are shared. It therefore cannot be reliably known who is performing which actions on the systems, and it may be easy for an unauthorized person to gain access. Because actions cannot be attributed to an individual, it may not be possible to determine who did what after the fact. The company is effectively blind to attacks on these systems.
Privacy Implications
There is a considerable amount of personally identifiable information, including credit card data and voter records, that must be treated as private. It is not currently known where this data resides.
Best Practices
AWS Systems Manager Patch Manager
AWS Systems Manager can patch both Windows and Linux systems:
Minhas, S. (2018, November 12). Patching your Windows EC2 instances using AWS Systems Manager Patch Manager: Amazon Web Services. Retrieved from https://aws.amazon.com/blogs/mt/patching-your-windows-ec2-instances-using-aws-systems-manager-patch-manager/
“Patch Manager automates the process of patching Windows and Linux managed instances. Use this feature of AWS Systems Manager to scan your instances for missing patches or scan and install missing patches. You can install patches individually or to large groups of instances by using Amazon EC2 tags.”
AWS Systems Manager Patch Manager. (n.d.). Retrieved from https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
“AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Amazon Linux, and Amazon Linux 2. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.”
Systems Manager works through the SSM Agent installed on each managed instance, which communicates with the Systems Manager service; the instance is granted permission to do so through an IAM instance profile (role) rather than stored credentials. Maintenance Windows, Patch Baselines, and Patch Groups are defined to automate patching: a patch baseline specifies which patches are approved (and how long after release), a patch group is an instance tag that ties a set of instances to a baseline, and a maintenance window schedules when scanning and installation run. During the maintenance window, any missing approved patches are installed automatically.
How Patches Are Installed. (n.d.). Retrieved from https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-installation.html
“When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager. This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment. This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed. If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching.”
Linux patching follows a similar flow, detailed at the same link: the agent applies the approved patches using the distribution's own package manager (yum, apt or zypper, depending on the distribution), and the baseline's approval rules determine which patches are approved.
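The following is an added example, not code from the original report or from AWS. It writes a Windows patch baseline, patch-group tag and maintenance window as the parameter dictionaries that the Systems Manager API takes (the shape of ssm.create_patch_baseline and ssm.create_maintenance_window), and then runs a simplified simulator of how the baseline's approval rules and rejected-patch list produce the approved set that an instance receives as its snapshot. The baseline and window names, the region-free tag value, and every patch record are constructed for the example; the KB identifiers are placeholders, not real Microsoft articles, and no AWS call is made.

```python
"""Added example: Patch Manager baseline, patch group and maintenance window as
Systems Manager API parameters, plus a simulator of approval-rule evaluation.
All names, IDs and dates are constructed; nothing here talks to AWS."""
from datetime import date, timedelta

# Shape of ssm.create_patch_baseline(**WINDOWS_BASELINE). Name is assumed.
WINDOWS_BASELINE = {
    "Name": "corp-windows-security-baseline",
    "OperatingSystem": "WINDOWS",
    "ApprovalRules": {
        "PatchRules": [
            {   # Critical/Important security updates, 7 days after Microsoft releases them
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates", "CriticalUpdates"]},
                    {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
                ]},
                "ComplianceLevel": "CRITICAL",
                "ApproveAfterDays": 7,
            },
            {   # Any other security update after a longer soak period
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates"]},
                ]},
                "ComplianceLevel": "HIGH",
                "ApproveAfterDays": 30,
            },
        ]
    },
    # A patch the team has decided to hold back; constructed placeholder ID.
    "RejectedPatches": ["KB-SAMPLE-004"],
}

# Instances join the baseline through the "Patch Group" tag; the maintenance window
# targets the same tag and runs the AWS-RunPatchBaseline document in Install mode.
PATCH_GROUP_TAG = {"Key": "Patch Group", "Value": "corp-windows"}
MAINTENANCE_WINDOW = {               # shape of ssm.create_maintenance_window(...)
    "Name": "corp-windows-sunday-0200",
    "Schedule": "cron(0 2 ? * SUN *)",   # every Sunday at 02:00 UTC
    "Duration": 3, "Cutoff": 1, "AllowUnassociatedTargets": False,
}
PATCH_TASK_PARAMETERS = {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}


def rule_matches(rule, patch):
    """All filters in a rule's PatchFilterGroup must match (AND semantics)."""
    return all(patch.get(f["Key"]) in f["Values"]
               for f in rule["PatchFilterGroup"]["PatchFilters"])


def approved_patches(baseline, available, today):
    """Simplified model of the snapshot an instance requests: rejected patches are
    dropped, and a patch is approved once any rule matches it and that rule's
    ApproveAfterDays waiting period has elapsed since the patch's release."""
    approved = []
    rejected = set(baseline.get("RejectedPatches", []))
    for patch in available:
        if patch["Id"] in rejected:
            continue
        age = (today - patch["ReleaseDate"]).days
        for rule in baseline["ApprovalRules"]["PatchRules"]:
            if rule_matches(rule, patch) and age >= rule["ApproveAfterDays"]:
                approved.append(patch["Id"])
                break
    return approved


TODAY = date(2024, 1, 31)              # fixed date so the example is reproducible
LATER = TODAY + timedelta(days=10)     # a second run, ten days on
SAMPLE_PATCHES = [                     # constructed records, not real KB articles
    {"Id": "KB-SAMPLE-001", "CLASSIFICATION": "SecurityUpdates", "MSRC_SEVERITY": "Critical",
     "ReleaseDate": TODAY - timedelta(days=30)},
    {"Id": "KB-SAMPLE-002", "CLASSIFICATION": "SecurityUpdates", "MSRC_SEVERITY": "Important",
     "ReleaseDate": TODAY - timedelta(days=2)},    # still inside its 7-day soak period
    {"Id": "KB-SAMPLE-003", "CLASSIFICATION": "SecurityUpdates", "MSRC_SEVERITY": "Moderate",
     "ReleaseDate": TODAY - timedelta(days=45)},   # only the 30-day rule covers it
    {"Id": "KB-SAMPLE-004", "CLASSIFICATION": "CriticalUpdates", "MSRC_SEVERITY": "Critical",
     "ReleaseDate": TODAY - timedelta(days=20)},   # explicitly rejected above
    {"Id": "KB-SAMPLE-005", "CLASSIFICATION": "FeaturePacks", "MSRC_SEVERITY": "Unspecified",
     "ReleaseDate": TODAY - timedelta(days=90)},   # no rule covers feature packs
]

if __name__ == "__main__":
    print("approved today:", approved_patches(WINDOWS_BASELINE, SAMPLE_PATCHES, TODAY))
    print("approved later:", approved_patches(WINDOWS_BASELINE, SAMPLE_PATCHES, LATER))
```

Run today, the simulator approves only KB-SAMPLE-001 and KB-SAMPLE-003; ten days later KB-SAMPLE-002 has cleared its soak period and joins them, while the rejected patch and the feature pack never do. The real service also evaluates the Windows Update applicability check on the instance and tracks compliance per ComplianceLevel, which this model leaves out.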
MFA, AWS Directory Service, and IAM for Access Control
The following list of practices is defined by Amazon to ensure good access control:
IAM Best Practices. (n.d.). Retrieved from https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Lock Away Your AWS Account Root User Access Keys
Create Individual IAM Users
Use Groups to Assign Permissions to IAM Users
Grant Least Privilege
Get Started Using Permissions with AWS Managed Policies
Use Customer Managed Policies Instead of Inline Policies
Use Access Levels to Review IAM Permissions
Configure a Strong Password Policy for Your Users
Enable MFA for Privileged Users
Use Roles for Applications That Run on Amazon EC2 Instances
Use Roles to Delegate Permissions
Do Not Share Access Keys
Rotate Credentials Regularly
Remove Unnecessary Credentials
Use Policy Conditions for Extra Security
Monitor Activity in Your AWS Account
From these, the most immediate practices and technologies to implement are those that ensure users are uniquely identified and that their activities are traceable to approved individuals. Adopting multi-factor authentication (MFA) for privileged accounts helps ensure that critical actions are traceable to approved individuals, because each user must authenticate with a second factor held only by that individual. Processes should be put in place governing when accounts and privileges are assigned. Tying access control and authentication to the corporate directory allows the HR processes that grant corporate accounts to be reused for system accounts, and also improves traceability, because users authenticate with their corporate credentials.
AWS Directory Service (through AD Connector or AWS Managed Microsoft AD) allows the corporate Active Directory to be connected to AWS, so that directory users assume IAM roles and receive IAM permissions instead of maintaining separate, self-created logins.
IAM Authentication and Access Control for AWS Directory Service. (n.d.). Retrieved from https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_auth_access.html
Access to AWS Directory Service requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an AWS Directory Service directory. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and AWS Directory Service to help secure your resources by controlling who can access them:
Authentication
Access Control
With directory integration in place, the focus can move to authorization (policies, groups and roles) and to the account lifecycle, so that credentials are removed promptly when people leave or change roles. Note that the page quoted above covers the IAM permissions needed to administer the directory resource itself; the mapping of directory users and groups to IAM roles is configured separately in AD Connector or Managed Microsoft AD.
AWS Identity and Access Management (IAM) Best Practices. (2019, April 01). Retrieved from https://cloudcheckr.com/cloud-security/top-5-iam-best-practices/
Enable multi-factor authentication (MFA) for privileged users
Use Policy Conditions for Extra Security
Remove Unnecessary Credentials
Use AWS-Defined Policies to Assign Permissions Whenever Possible
Use Groups to Assign Permissions to IAM Users
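The following is an added example, not code from the original report or from AWS, illustrating three items that appear in both lists above (enable MFA for privileged users, use policy conditions, grant least privilege). It writes an IAM policy for an assumed ops role that allows only the Systems Manager actions needed for patching, only in an assumed region (us-east-1), and denies everything except MFA self-enrolment when the request is not MFA-authenticated. The deny-unless-MFA statement follows AWS's documented pattern using the aws:MultiFactorAuthPresent key. A small evaluator then applies IAM's evaluation rules (implicit deny, explicit deny wins, Action/NotAction matching, and the Bool, BoolIfExists and StringEquals operators) so the policy's effect can be checked offline; it does not model Resource matching, so the self-service statement is shown with Resource "*" where a production policy would scope it to the caller's own user ARN.

```python
"""Added example: a least-privilege IAM policy with a deny-unless-MFA guard, and a
small offline evaluator of IAM's decision logic. Role, region and request contexts
are assumed; the evaluator models only the operators this policy uses."""
import fnmatch

OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # AWS's documented pattern: deny everything unless MFA was used, except the
            # self-service actions a user needs to enrol an MFA device in the first place.
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {   # MFA self-enrolment (scope Resource to the caller's own user ARN in production)
            "Sid": "AllowMFASelfService",
            "Effect": "Allow",
            "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:GetUser"],
            "Resource": "*",
        },
        {   # Least privilege: only the patching-related actions, only in the home region
            "Sid": "AllowPatchOperations",
            "Effect": "Allow",
            "Action": ["ssm:SendCommand", "ssm:StartSession",
                       "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceInformation"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},  # assumed region
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """Action/NotAction matching. IAM action names are case-insensitive and allow '*'."""
    key = "Action" if "Action" in stmt else "NotAction"
    hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
              for pattern in _as_list(stmt[key]))
    return hit if key == "Action" else not hit


def _condition_holds(condition, ctx):
    """Subset of IAM condition operators sufficient for the policy above."""
    for operator, pairs in condition.items():
        for ckey, want in pairs.items():
            have = ctx.get(ckey)
            if operator == "BoolIfExists":
                if have is None:          # key absent: ...IfExists treats the test as met
                    continue
                if str(have).lower() != str(want).lower():
                    return False
            elif operator == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif operator == "StringEquals":
                if have is None or have not in _as_list(want):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def is_allowed(policy, action, ctx):
    """IAM decision: implicit deny; any applicable Deny wins; otherwise an Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: an MFA-backed session, a password-only session, and a
# request signed with a long-term access key, where the MFA key is absent altogether.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "us-east-1"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false", "aws:RequestedRegion": "us-east-1"}
ACCESS_KEY_ONLY = {"aws:RequestedRegion": "us-east-1"}
WRONG_REGION = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "eu-west-1"}

if __name__ == "__main__":
    for name, ctx in [("mfa", MFA_SESSION), ("no-mfa", NO_MFA_SESSION),
                      ("access-key", ACCESS_KEY_ONLY), ("wrong-region", WRONG_REGION)]:
        print(f"{name:12} ssm:SendCommand -> {is_allowed(OPS_POLICY, 'ssm:SendCommand', ctx)}")
```

The access-key case is the one that matters for shared accounts and self-created logins: a request made with a plain access key carries no aws:MultiFactorAuthPresent key at all, and it is the BoolIfExists operator (rather than Bool) that makes the Deny apply in that case. A privileged user can still enrol an MFA device without MFA, but cannot do anything else until they have.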
Amazon Macie for Private Information Detection
Amazon Macie is a machine learning service for analysing stored data; it can be used to discover and track sensitive and private information:
Features: Amazon Macie: Amazon Web Services (AWS). (n.d.). Retrieved from https://aws.amazon.com/macie/details/
“Amazon Macie uses machine learning to better understand where your sensitive information is located and how it’s typically accessed, including user authentication, locations, and times of access. Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores coming later this year. Amazon Macie first creates a baseline and then actively monitors for anomalies that indicate risks and/or suspicious behavior, such as large quantities of source code being downloaded, credentials being stored in an unsecured manner, or sensitive data that is configured to be externally accessible. With the Amazon Macie console, your most important information is front and center with detailed alerts and recommendations for how to resolve issues. Amazon Macie also gives you the ability to easily define and customize automated remediation actions, such as resetting access control lists or triggering password reset policies.”
Once the locations are known, the next step is to organize and protect the data identified as private, starting with restricting who can access it.
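The following is an added example, not Macie's code and not from the original report. It shows the kind of work a managed data identifier does when Macie maps where card data lives: a regex finds digit runs that could be card numbers, a Luhn check drops runs that merely look like one, and the result is reported per object with the numbers masked. The object keys and contents are constructed; the two valid numbers are publicly known test card numbers, and the third is a digit run that fails the checksum.

```python
"""Added example: checksum-validated credit card detection over constructed
"objects", producing Macie-style findings of where card data resides.
Not Macie's implementation; regex plus Luhn only."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, the usual form for a finding or a log line."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    """Return masked, Luhn-valid card numbers found in text, in order of appearance."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_objects(objects):
    """Produce findings per object: which one holds card data, how many numbers, samples."""
    findings = []
    for key, body in objects.items():
        hits = find_card_numbers(body)
        if hits:
            findings.append({"object": key, "identifier": "CREDIT_CARD_NUMBER",
                             "count": len(hits), "samples": hits[:3]})
    return findings


SAMPLE_OBJECTS = {   # constructed contents; the valid numbers are public test numbers
    "exports/customers-2019.csv":
        "id,name,card\n1,A. Smith,4111 1111 1111 1111\n2,B. Jones,4242-4242-4242-4242\n",
    "logs/app.log":
        "order 1234567812345678 shipped; ref 20240115 batch 99\n",   # fails Luhn: not a PAN
    "voters/roll.txt":
        "precinct 12, 3 records, no card data here\n",
}

if __name__ == "__main__":
    for finding in scan_objects(SAMPLE_OBJECTS):
        print(finding)
```

Only the export file produces a finding; the 16-digit order number in the log fails the checksum and is not reported. The same structure extends to other identifiers (the voter records in this environment would need their own pattern and validation), and the per-object output is what lets the "where is the data" question be answered before access is tightened.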