Purpose (what do we want to accomplish)
Build an AWS Security Lab where we can experiment with implementing CIS security controls. We will focus on two key resources:
a. CIS Controls
b. AWS Security Audit Tools
1. To build AWS-based infrastructure that resembles a typical organization.
2. Once built, the infrastructure will be used as a lab to apply various security controls, test their effectiveness and document the process and results.
Importance (what’s the biggest difference this will make)
We can effectively assess the security of AWS infrastructure for future clients and provide them with practical insights.
Ideal Outcome (what does the completed project look like)
• AWS Infrastructure built
• Security controls applied
• Effectiveness assessed and documented.
Success Criteria (what has to be true when this project is finished)
• AWS infrastructure resembles common components of 3-tier web applications
• Security controls applied to AWS components and AWS admin console (spreadsheet)
• Effectiveness testing is performed: perform attack steps and see if the control can prevent / detect them
• The process and results are clearly documented in Google Drive or Confluence: what worked / what didn’t work, key insights
• Documentation includes identifying what CIS control is applicable to which component
• We have a draft summary presentation ready, highlighting the key insights
• Popular available AWS audit tools are evaluated (i.e. what can we automate?)
Best Results, if we do take action
• We move towards becoming AWS security experts
• We will have cloud security clients in the near future.
Worst Results, if we don’t take action
• We will miss out on huge cloud security opportunities.
○ 3-Tier App
○ Components (to be verified):
■ Application Load Balancer
■ EC2 Worker Node(s)
■ Elastic Kubernetes Service (optional) / Docker or regular EC2 VM
■ S3 Bucket
■ GuardDuty
■ Centralized Logging (AWS tool or Elastic Cloud)
■ AWS Administrative Accounts
■ AWS Operations Accounts
○ Identify which CIS controls are relevant to this environment
○ All applicable controls have been implemented
● Perform effectiveness testing for each control
○ Document steps for above: how-to, lessons learned (what worked, what didn’t), recommendations etc.
○ Use Confluence or Google Drive
I. Implement a 3-tier Java-based web application consisting of the following:
• Application Load Balancer
• EC2 Worker Node(s)
• Elastic Kubernetes Service (optional) / Docker or regular EC2 VM
• S3 Bucket
• GuardDuty
• Centralized Logging (AWS tool or Elastic Cloud)
II. Enable basic AWS security controls such as:
● Vulnerability & Config Scanning for VMs and other components
● Other AWS recommended controls
III. Apply CIS sub-controls
● Identify which CIS sub-controls are applicable to this environment. They should cover both the front end and the back end (access to AWS infra)
● Implement the controls using free or low-cost tools and evaluate their effectiveness
IV. Perform effectiveness testing cycles until done
● Find ways to effectively test your controls
● Perform the tests
● Revise how the control has been implemented if needed