Cloud Security Posture
🔥 Vibe Prompt
"Set up AWS Security Hub, Config rules, and custom posture management."
AWS Security Hub
```hcl
resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-west-2::standards/pci-dss/v/3.2.1"
}
```
AWS Config Rules
```hcl
resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ec2-ebs-encryption-enabled"
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
}

resource "aws_config_config_rule" "mfa_enabled" {
  name = "iam-user-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "IAM_USER_MFA_ENABLED"
  }
}
```
Custom Config Rule (Lambda)
```python
import json

import boto3


def lambda_handler(event, context):
    config = boto3.client('config')
    # AWS Config delivers the configuration item as a JSON string inside the event
    invoking_event = json.loads(event['invokingEvent'])
    config_item = invoking_event['configurationItem']
    resource_type = config_item['resourceType']
    resource_id = config_item['resourceId']
    configuration = config_item['configuration']
    # put_evaluations requires OrderingTimestamp on every evaluation
    captured_at = config_item['configurationItemCaptureTime']

    # Check: Security group should not allow SSH from 0.0.0.0/0
    if resource_type == 'AWS::EC2::SecurityGroup':
        for permission in configuration.get('ipPermissions', []):
            if permission.get('fromPort') == 22:
                # 'ip_range' rather than 'range', so the Python builtin is not shadowed
                for ip_range in permission.get('ipRanges', []):
                    if ip_range.get('cidrIp') == '0.0.0.0/0':
                        # Non-compliant!
                        config.put_evaluations(
                            Evaluations=[{
                                'ComplianceResourceType': resource_type,
                                'ComplianceResourceId': resource_id,
                                'ComplianceType': 'NON_COMPLIANT',
                                'Annotation': 'SSH open to world (0.0.0.0/0)',
                                'OrderingTimestamp': captured_at
                            }],
                            ResultToken=event['resultToken']
                        )
                        return

    # Default: compliant (also reached for resource types the rule does not inspect)
    config.put_evaluations(
        Evaluations=[{
            'ComplianceResourceType': resource_type,
            'ComplianceResourceId': resource_id,
            'ComplianceType': 'COMPLIANT',
            'OrderingTimestamp': captured_at
        }],
        ResultToken=event['resultToken']
    )
```
Security Posture Dashboard
```text
┌─────────────────────────────────────────────┐
│ Security Hub - Overall Score: 78% (GOOD)    │
├─────────────────────────────────────────────┤
│ CIS Benchmark: 12/18 passed (66%)           │
│ ├── [✅] 1.1 - IAM root user MFA            │
│ ├── [✅] 1.3 - Unused IAM credentials       │
│ ├── [❌] 1.4 - IAM user policy attachment   │
│ └── [❌] 2.1 - S3 public access             │
├─────────────────────────────────────────────┤
│ Top Failures:                               │
│ 1. S3 bucket public access (5 buckets)      │
│ 2. Security group overly permissive (3 SGs) │
│ 3. EBS volumes unencrypted (2 volumes)      │
└─────────────────────────────────────────────┘
```
Automated Remediation
```python
import boto3

s3 = boto3.client('s3')
ec2 = boto3.client('ec2')


def remediate_non_compliant(event):
    # The substrings below must appear in the Config rule names as you defined them
    rule_name = event['configRuleName']
    resource_id = event['resourceId']
    if "S3_PUBLIC" in rule_name:
        # The block flags go inside PublicAccessBlockConfiguration, not as
        # top-level arguments; IgnorePublicAcls and RestrictPublicBuckets
        # complete the set of four
        s3.put_public_access_block(
            Bucket=resource_id,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'BlockPublicPolicy': True,
                'IgnorePublicAcls': True,
                'RestrictPublicBuckets': True
            }
        )
    elif "SSH_OPEN" in rule_name:
        # revoke only removes a rule whose protocol, port range and CIDR match
        # exactly; a rule such as tcp 0-65535 from 0.0.0.0/0 is not touched here
        ec2.revoke_security_group_ingress(
            GroupId=resource_id,
            IpPermissions=[{
                'IpProtocol': 'tcp',
                'FromPort': 22,
                'ToPort': 22,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
```
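The custom rule above only flags a rule whose fromPort is exactly 22 and whose source is 0.0.0.0/0, and the remediation only revokes an exact 22/22 rule; a rule opening tcp 0-1024 or all traffic ("-1") from ::/0 slips past both. The following is an added example (not code from the original page) that generalises the check to port ranges spanning 22, "-1" rules and IPv6, and builds the exact IpPermissions entries the revoke call needs; the configuration item, including the resource id, is constructed for the example.

```python
# Added example, not from the original page: a stricter SSH-from-the-world check
# (port ranges spanning 22, "-1" all-traffic rules, IPv6 ::/0) plus the exact
# IpPermissions entries that revoke_security_group_ingress needs to remove them.
WORLD, SSH_PORT = {"0.0.0.0/0", "::/0"}, 22

def exposes_ssh(perm):
    """True if one ipPermissions entry admits TCP/22 from any address."""
    proto = perm.get("ipProtocol")
    if proto == "tcp":
        low, high = perm.get("fromPort"), perm.get("toPort")
        if low is None or high is None or not low <= SSH_PORT <= high:
            return False
    elif proto != "-1":  # udp, icmp or a specific non-tcp protocol number
        return False
    v4 = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
    v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD)

def revoke_entries(configuration):
    """Offending rules as exact IpPermissions entries (revoke matches exactly)."""
    entries = []
    for perm in configuration.get("ipPermissions", []):
        if not exposes_ssh(perm):
            continue
        entry = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":  # "-1" rules carry no port range
            entry["FromPort"], entry["ToPort"] = perm["fromPort"], perm["toPort"]
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", []) if r.get("cidrIp") in WORLD]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") in WORLD]
        entry.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
        entries.append(entry)
    return entries

def evaluate(config_item):
    """Return (ComplianceType, Annotation) for a Config configurationItem."""
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    bad = revoke_entries(config_item.get("configuration", {}))
    if bad:
        return "NON_COMPLIANT", f"{len(bad)} rule(s) expose SSH to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no world-open SSH rule"

# Constructed sample configurationItem (placeholder id, not a real resource).
SAMPLE_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-PLACEHOLDER",
    "configurationItemStatus": "OK", "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}}
```

In the Lambda, `evaluate()` supplies the ComplianceType and Annotation for put_evaluations, and `revoke_entries()` supplies the IpPermissions argument for the revoke call, so the remediation removes exactly the rules the rule flagged.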
Cloud Security Course Complete!
- ✅ Shared Responsibility
- ✅ CloudTrail & GuardDuty
- ✅ Secrets & KMS
- ✅ Container Security
- ✅ Posture Management