CIS Audit of AWS Instance using Third-Party Tool(Prowler)


What is CIS Benchmark?

A CIS Benchmark is a set of configuration guidelines agreed on by a global community of cybersecurity experts. It acts as a first line of defence, a pre-emptive measure to safeguard our instances against evolving cyber threats. CIS Benchmarks exist for a wide variety of products and cloud services; however, here we focus exclusively on AWS instances.

What does AWS offer?

AWS provides “Amazon Inspector” as a built-in service, alongside Security Hub, to achieve this. It is chargeable and is the benchmarking approach recommended by AWS. More details can be found here:
https://www.cisecurity.org/partner/amazon-web-services/
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html

Costs-

When it comes to costs, there are charges for both AWS Config and Security Hub. These costs vary a lot depending on the number of resources, the rate of resource changes, and the regions in use. Below is an example from one deployment.
AWS Config total cost for first 10K changes per resource per account per region- $98
AWS Security Hub total cost for 40K finding ingestions- $1320

However, while digging around, we found a few third-party ways of doing the same. Note that these are free of cost and should only be used at the user's/admin's own risk with regard to data privacy, which depends on your geographical location.

Prowler-

Prowler is one such third-party tool, listed as a Security Hub Partner by AWS. We can use it to audit our account against hardening guidelines. For example, it includes the predefined checks of the CIS Amazon Web Services Foundations Benchmark (49 checks). Additionally, it supports 100 checks related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2, and others. We can run Prowler from our own PC, any EC2 instance, Fargate, CodeBuild, CloudShell, or a container of our choice. In this topic, however, we take the approach of running it from a Linux EC2 instance. For that we need an IAM user with programmatic access to our account, so keep the Access Key and Secret Access Key handy for later.

Assuming our Linux EC2 instance is already running, below are the commands, with descriptions, in the order needed to make the instance Prowler-ready.
Root privilege- sudo -i
System package update- yum update
Install Python and pip- yum install python3-pip
Check installed Python version (must be 3.x.x)- python3 --version

Download the AWS CLI- curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
Unzip the package- unzip awscli-bundle.zip
Install the package- sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
Check the CLI version (>2.1.x)- aws --version
For HTML output- pip3 install awscli ansi2html detect-secrets
Install the JSON processor- yum install jq
Install git- yum install git

Now that our system is ready for Prowler, we proceed with its own configuration.
Clone the Prowler repository- git clone https://github.com/toniblyx/prowler
Change directory to prowler- cd prowler
Configure programmatic access with the Access Key and Secret Access Key- aws configure
Run the CIS Level 1 audit- ./prowler -g cislevel1
Run the CIS Level 2 audit- ./prowler -g cislevel2

Let the scans run until they finish on their own. Usually this takes around 30 minutes for a mid-tier AWS deployment; it may take longer depending on the number of resources in our account. Once the audit finishes, we can export the report to storage in one or more file types- ./prowler -M csv,json,json-asff,html
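The sequence above, wrapped in a small POSIX shell script, is an added example and is not code from the original post or from the Prowler project. It checks the prerequisites and Python version before cloning, builds the audit command for a given CIS level, and adds a triage step that counts PASS/FAIL rows per level in the CSV report. Assumptions: the Prowler v2 flags -g and -M shown in the post are combined in one invocation (run them separately as above if your Prowler version rejects that), the CSV column order (CHECK_RESULT in column 5, ITEM_LEVEL in column 6), the report path under output/, and the sample rows, which are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post or of the Prowler project.
# Wraps the setup and audit steps above in checked functions and adds a
# triage pass over the CSV report. Assumed: Prowler v2 flags (-g, -M), the
# CSV column order (CHECK_RESULT = column 5, ITEM_LEVEL = column 6) and the
# report path under output/.
set -eu

PROWLER_REPO="https://github.com/toniblyx/prowler"   # repository named in the post

# version_ge A B: succeed when dotted version A is >= B (e.g. 3.7.9 >= 3.0.0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# missing_tools NAME...: print the names that are not on PATH (empty if all present)
missing_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s\n' "${missing# }"
}

# prowler_cmd LEVEL MODES: build the audit command for CIS level 1 or 2
prowler_cmd() {
    case "$1" in
        1|2) printf './prowler -g cislevel%s -M %s\n' "$1" "$2" ;;
        *)   echo "level must be 1 or 2" >&2; return 1 ;;
    esac
}

# summarize_csv FILE: count PASS/FAIL rows, and FAIL rows per CIS level
summarize_csv() {
    awk -F',' 'NR > 1 {
        if ($5 == "PASS") pass++
        else if ($5 == "FAIL") {
            fail++
            if ($6 == "Level 1") l1++
            else if ($6 == "Level 2") l2++
        }
    } END { printf "PASS=%d FAIL=%d FAIL_L1=%d FAIL_L2=%d\n", pass, fail, l1, l2 }' "$1"
}

# Constructed sample report (five rows) in the assumed column layout, so the
# triage step can be exercised without an AWS account.
SAMPLE_CSV='PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_LEVEL,TITLE_TEXT
default,123456789012,us-east-1,1.1,PASS,Level 1,[check11] Avoid the use of the root account
default,123456789012,us-east-1,1.4,FAIL,Level 1,[check14] Ensure access keys are rotated every 90 days or less
default,123456789012,us-east-1,2.3,PASS,Level 1,[check23] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
default,123456789012,us-east-1,2.7,FAIL,Level 2,[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs
default,123456789012,us-east-1,3.1,PASS,Level 1,[check31] Ensure a log metric filter and alarm exist for unauthorized API calls'

# sample_summary: run the triage step over the constructed sample report
sample_summary() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CSV" > "$tmp"
    summarize_csv "$tmp"
    rm -f "$tmp"
}

# main: the post's sequence with checks; only runs when PROWLER_RUN=1 is set
main() {
    m=$(missing_tools python3 pip3 aws unzip jq git)
    [ -z "$m" ] || { echo "install first: $m" >&2; exit 1; }
    pyv=$(python3 --version 2>&1 | awk '{print $2}')
    version_ge "$pyv" 3.0.0 || { echo "need Python 3.x, have $pyv" >&2; exit 1; }
    [ -d prowler ] || git clone "$PROWLER_REPO"
    cd prowler
    # 'aws configure' with the Access Key and Secret Access Key is assumed done
    for lvl in 1 2; do
        echo "running: $(prowler_cmd "$lvl" csv,json)"
        ./prowler -g "cislevel$lvl" -M csv,json
    done
    for f in output/*.csv; do echo "$f: $(summarize_csv "$f")"; done
}

if [ "${PROWLER_RUN:-0}" = "1" ]; then main; fi
```

Sourcing the file gives you the functions without running anything; PROWLER_RUN=1 sh script.sh performs the real audit on the instance. The summary line is deliberately terse so it can be grepped or fed into a ticket; a non-zero FAIL_L1 count is the first thing to triage, since Level 1 checks are the baseline hardening items.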

Source and Credits with further details- https://github.com/toniblyx/prowler

Tips & Tricks- Since October 30th, 2020 (version v2.3RC5), Prowler supports both native and official integration for sending findings to AWS Security Hub. This means that other AWS services like GuardDuty, Inspector, Macie, etc. can use those findings to take further action. Refer to the “Security Hub integration” section on the source link above for more details.
AWS Fargate and Prowler- https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub/
