PCI DSS 10.2.3 : With Security Monkey

Yay! SecurityMonkey now monitors CloudTrail and alerts when disabled

What is PCI DSS 10.2.3

Access to all audit trails.

“Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel.”

What is CloudTrail

  • What an access log is to a web server, a CloudTrail log is to AWS.
  • CloudTrail records each and every API call made in your AWS account and delivers the records to an S3 bucket in JSON format.
  • For example, here is what the JSON looks like when you create a new user named ‘administrator’: it shows the EventName, the SourceIP and other details of the call.

    CloudTrail log for creating a new user, in JSON format
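To make the record format concrete, here is an added example (my own code, not part of the original post or of Security Monkey) that parses a CloudTrail log file and picks out the records PCI DSS 10.2.3 is concerned with: calls that alter the audit trail itself, and identity changes such as the CreateUser event in the screenshot. The sample log file is constructed; the account id, IP addresses and timestamps are made up.

```python
import json

# Constructed sample CloudTrail log file: one IAM CreateUser for 'administrator'
# (the event from the screenshot), one StopLogging against the trail, and one
# read-only call. Account id, IPs and times are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-12-01T10:15:02Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "administrator"}},
    {"eventVersion": "1.05", "eventTime": "2016-12-01T10:20:45Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventVersion": "1.05", "eventTime": "2016-12-01T10:21:10Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "requestParameters": None},
]})

# CloudTrail API calls that alter the audit trail itself. 10.2.3 wants each of
# these traceable to an individual account.
AUDIT_TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# IAM calls that change who can act in the account.
IDENTITY_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateLoginProfile"}


def parse_records(log_file_text):
    """One CloudTrail log file is a JSON object with a 'Records' array; return that array."""
    return json.loads(log_file_text)["Records"]


def summarize(record):
    """Flatten the fields the post highlights (who, what, from where) into one dict."""
    identity = record.get("userIdentity", {})
    return {
        "time": record["eventTime"],
        # IAM users carry a userName; assumed roles only carry an ARN
        "actor": identity.get("userName") or identity.get("arn") or identity.get("type", "unknown"),
        "event": record["eventName"],
        "source": record["eventSource"],
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "params": record.get("requestParameters") or {},
    }


def flag_events(records):
    """Return summaries of the records worth a human look, each tagged with a reason.
    Read-only calls such as DescribeInstances are dropped."""
    flagged = []
    for rec in records:
        summary = summarize(rec)
        if summary["event"] in AUDIT_TRAIL_EVENTS:
            summary["reason"] = "audit-trail change"
        elif summary["event"] in IDENTITY_EVENTS:
            summary["reason"] = "identity change"
        else:
            continue
        flagged.append(summary)
    return flagged


if __name__ == "__main__":
    for hit in flag_events(parse_records(SAMPLE_LOG_FILE)):
        print("{time} {reason}: {actor} called {event} from {source_ip} "
              "params={params}".format(**hit))
```

The same three fields the post points at (EventName, SourceIP, and the identity behind the call) are what an auditor needs to tie a log change back to a person, which is why the summary keeps them together.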

SecurityMonkey Monitors CloudTrail and alerts when disabled

Having AWS CloudTrail logs and actively using them to monitor security-related activities within an AWS environment are two distinctly different concepts.

Before you even go down the route of analyzing CloudTrail logs, you should make sure logging is enabled in the first place, keep verifying that it stays enabled, and alert when it is disabled or deleted, whether intentionally or unintentionally.

How do you monitor the monitor?

This is where Security Monkey comes into the picture: it tracks the CloudTrail status, stores its history, and alerts on changes.

With this new feature, Security Monkey now tracks, stores, audits and alerts on the state of CloudTrail.

The next time your PCI auditor asks you for information on PCI DSS 10.2.3, you can point them to the following if you are using Security Monkey:

In the event of an issue, here is how the audit issue looks (for example, when CloudTrail is disabled, or when CloudTrail is not enabled for all AWS regions):

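Here is an added example, in Python like Security Monkey itself, of what such a check boils down to: is every trail still logging, and is every region covered either by its own trail or by a multi-region trail. This is my own illustration, not the code from PR 470; the boto3 calls it uses (describe_trails, get_trail_status) are real, but the audit rule, the severities and the messages are my assumptions, and the sample status data is constructed.

```python
"""Added example: audit CloudTrail coverage the way the post describes Security Monkey
doing it, flagging trails that are disabled and regions with no trail. The audit rule is
kept separate from the AWS calls so it can run against constructed data; the real
Security Monkey watcher and auditor in PR 470 may phrase their checks differently."""


def audit_cloudtrail(status_by_region):
    """status_by_region maps region -> list of trails, each a dict with 'Name',
    'IsMultiRegionTrail', 'IsLogging' and 'LogFileValidationEnabled'.
    Returns a list of (severity, region, message) audit issues, ordered by region."""
    issues = []
    # A multi-region trail that is actually logging covers every region, even though
    # describe_trails (without shadow trails) only lists it in its home region.
    multi_region_logging = any(
        trail.get("IsMultiRegionTrail") and trail.get("IsLogging")
        for trails in status_by_region.values()
        for trail in trails)
    for region, trails in sorted(status_by_region.items()):
        if not trails and not multi_region_logging:
            issues.append(("HIGH", region, "CloudTrail not enabled in this region"))
            continue
        for trail in trails:
            if not trail.get("IsLogging"):
                issues.append(("HIGH", region,
                               "trail %s is disabled" % trail["Name"]))
            if not trail.get("LogFileValidationEnabled"):
                issues.append(("MEDIUM", region,
                               "trail %s has log file validation off" % trail["Name"]))
    return issues


def collect_status(session):
    """Gather the same structure from a live account with boto3 (needs network and
    credentials; the tests do not call this)."""
    status = {}
    for region in session.get_available_regions("cloudtrail"):
        client = session.client("cloudtrail", region_name=region)
        trails = []
        for trail in client.describe_trails(includeShadowTrails=False)["trailList"]:
            trail_status = client.get_trail_status(Name=trail["TrailARN"])
            trails.append({
                "Name": trail["Name"],
                "IsMultiRegionTrail": trail.get("IsMultiRegionTrail", False),
                "IsLogging": trail_status["IsLogging"],
                "LogFileValidationEnabled": trail.get("LogFileValidationEnabled", False),
            })
        status[region] = trails
    return status


# Constructed sample: a multi-region trail in us-east-1 that someone stopped, a healthy
# single-region trail in eu-west-1 without log file validation, and nothing in us-west-2.
SAMPLE_STATUS = {
    "us-east-1": [{"Name": "main", "IsMultiRegionTrail": True,
                   "IsLogging": False, "LogFileValidationEnabled": True}],
    "eu-west-1": [{"Name": "eu-only", "IsMultiRegionTrail": False,
                   "IsLogging": True, "LogFileValidationEnabled": False}],
    "us-west-2": [],
}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed for a live run
        findings = audit_cloudtrail(collect_status(boto3.session.Session()))
    else:
        findings = audit_cloudtrail(SAMPLE_STATUS)
    for severity, region, message in findings:
        print("%-6s %-10s %s" % (severity, region, message))
```

Run it with no arguments to audit the constructed sample, or with --live (and AWS credentials in the environment) to walk every region of a real account. Note the interaction the rule has to get right: a stopped multi-region trail means every region it used to cover is now dark, so the empty regions are reported as well as the trail itself.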
More info

  • If you would like to know more about Security Monkey, please check my previous post, Secops with SecurityMonkey.
  • If you would like to contribute to Security Monkey: https://nagarun.wordpress.com/2016/12/07/how-to-contribute-to-opensource/
  • PR for checking CloudTrail status: https://github.com/Netflix/security_monkey/pull/470
  • AWS CloudTrail: https://aws.amazon.com/cloudtrail/faqs/
  • Yay! Thanks to @MonkeySecurity and Mike Grima for the help with the PR.

How to contribute to OpenSource

Say you are interested in contributing to open source, or you want to add some cool features to an open source project; here are some GitHub tips.

I am going to use Netflix OSS security_monkey as the example project to send in a pull request.

Step 1 : Navigate to GitHub, https://github.com/Netflix/security_monkey, and create a fork.

Step 2 : Download or clone your fork to your laptop/desktop for development:

git clone git@github.com:nagwww/security_monkey.git

Step 3 : Create a branch and check it out:

git branch cloudtrail

git checkout cloudtrail

Ensure you are on the correct branch by typing

git branch

Step 4 : Make the necessary changes, then stage and commit them locally:

git commit -a -m "Added cloudtrail status to watcher. Generates an audit issue when cloudtrail is disabled"

Step 5 : Push the branch to your fork (origin):

git push origin cloudtrail

Step 6 : Send in a pull request from the pushed branch.

Day # 3 : AWS: Setup SNS/IoT/Lambda

Posted by Pranav

Step 1 : Create an SNS topic.

Step 2 : Create a subscription: add the phone number you want the SMS sent to.

Step 3 : Create a Lambda function with the following code:


from __future__ import print_function
import boto3

# SNS topic the phone number from Step 2 is subscribed to (the account id is a placeholder)
sns_arn = "arn:aws:sns:us-east-1:XYXYXYXYXXYX:Amma"


def pranav(event, context):
    """Lambda handler: the IoT button event carries a 'clickType' of SINGLE, DOUBLE or LONG."""
    sns_client = boto3.client('sns')
    output = event['clickType']
    if output == "SINGLE":
        message_to_send = "I took the bus and starting"
    elif output == "DOUBLE":
        message_to_send = "Ignore my message"
    elif output == "LONG":
        message_to_send = "I Might be a bit Late"
    else:
        # Without this branch an unexpected clickType would leave message_to_send unbound
        message_to_send = "Unknown click type: %s" % output
    # Publish the text through the topic; SNS delivers it to every subscriber
    rsp = sns_client.publish(
        TargetArn=sns_arn,
        Message=message_to_send)
    return rsp