Time to complete: 25 minutes
Learning Objectives:
Voyager's security team has provided the controls and technical requirements to ensure that their developers follow least privilege when managing their VPC network components. The developer team uses the IAM role DevOps, which is currently permissive enough to allow them to place a traffic mirror listener in the account without the security team knowing. Even though this traffic is internal, it is considered highly restricted. Your goal as a Cloud Architect is to configure the right IAM permissions to prevent traffic mirror actions, and a detective mechanism that alerts when one is created anyway.
NIST Requirement
| Control ID | Control Description |
|---|---|
| AC-4(21) | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
| AC-3 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Customer Requirement
| Control ID | Control Description |
|---|---|
| Voyager-ctrl-net-05 | Developers must be restricted from making changes to VPC resources that could expose the network to unauthorized resources. |
AWS resources review and conclusions
By reviewing the following available resources, you will come to conclude what needs to be done to meet Voyager's control requirements. The conclusions are listed below.

| Resource type | Resource name | Conclusion |
|---|---|---|
| AWS service IAM actions | Amazon VPC actions | You can use AWS Systems Manager Patch Manager to automate the process of installing security-related updates for both the operating system and applications. |
| AWS service user guide | AWS Config / Managed rules | There isn't a managed AWS Config rule available to detect traffic mirroring, so we need to build a custom check. |
| AWS service user guide | AWS Config / Creating AWS Config custom Lambda rules | You can develop custom rules and add them to AWS Config with AWS Lambda functions. You associate each custom rule with a Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule. |
"ec2:CreateTrafficMirrorSession"
"ec2:CreateTrafficMirrorTarget"
Can be simplified into one element using a wildcard like this:
"ec2:CreateTrafficMirror*"
Now that you have reduced the DevOpsRole's privileges, it is time to create a mechanism that detects whether a traffic mirror is enabled. To do so, you are going to create a new custom AWS Config rule. We have prepared a CloudFormation template that checks whether Traffic Mirror sessions or targets are in place: it creates a Config rule that, together with a Lambda function and the necessary permissions, detects when a Traffic Mirror is present. (This is an example of how custom controls can be implemented to suit your needs.)
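To show what the Lambda behind such a custom Config rule has to do, here is an added example (not the workshop's CloudFormation template or its Lambda): it lists every Traffic Mirror target and session in the region, paging through the EC2 Describe calls, and reports a single account-level NON_COMPLIANT evaluation back to Config as soon as one exists. The `SAMPLE_EVENT`, `FakeEC2` and `FakeConfig` stand-ins are constructed so the logic runs offline; in Lambda the real boto3 clients are used.

```python
import json

SAMPLE_EVENT = {"accountId": "123456789012", "resultToken": "token-0example",  # constructed event
                "invokingEvent": json.dumps({"notificationCreationTime": "2024-01-01T00:00:00.000Z"})}

def _describe_all(method, key):
    """Page through an EC2 Describe* call (NextToken) and return the items under key."""
    items, token = [], None
    while True:
        resp = method(NextToken=token) if token else method()
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items

def find_traffic_mirrors(ec2):
    """Return the IDs of every Traffic Mirror target and session in the region."""
    targets = _describe_all(ec2.describe_traffic_mirror_targets, "TrafficMirrorTargets")
    sessions = _describe_all(ec2.describe_traffic_mirror_sessions, "TrafficMirrorSessions")
    return ([t["TrafficMirrorTargetId"] for t in targets]
            + [s["TrafficMirrorSessionId"] for s in sessions])

def build_evaluation(event, mirror_ids):
    """One account-level evaluation: NON_COMPLIANT as soon as any mirror exists."""
    note = ("No Traffic Mirror targets or sessions found" if not mirror_ids
            else "Traffic Mirror present: " + ", ".join(mirror_ids))
    return {"ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": "COMPLIANT" if not mirror_ids else "NON_COMPLIANT",
            "Annotation": note[:256],  # Config rejects annotations longer than 256 chars
            "OrderingTimestamp": json.loads(event["invokingEvent"])["notificationCreationTime"]}

def lambda_handler(event, context, ec2=None, config=None):
    if ec2 is None or config is None:
        import boto3  # present in the Lambda Python runtime by default
        ec2, config = ec2 or boto3.client("ec2"), config or boto3.client("config")
    evaluation = build_evaluation(event, find_traffic_mirrors(ec2))
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

class FakeEC2:
    """Constructed EC2 stand-in: one target, and sessions split across two pages."""
    def describe_traffic_mirror_targets(self, **kw):
        return {"TrafficMirrorTargets": [{"TrafficMirrorTargetId": "tmt-0example"}]}
    def describe_traffic_mirror_sessions(self, NextToken=None):
        if NextToken is None:
            return {"TrafficMirrorSessions": [], "NextToken": "page2"}
        return {"TrafficMirrorSessions": [{"TrafficMirrorSessionId": "tms-0example"}]}

class FakeConfig:  # constructed Config stand-in that records the PutEvaluations call
    def put_evaluations(self, **kw): self.sent = kw
```

The Lambda's execution role needs `ec2:DescribeTrafficMirrorTargets`, `ec2:DescribeTrafficMirrorSessions` and `config:PutEvaluations`, and the rule should be scheduled (periodic trigger) since these resources are not recorded as Config resource types.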
Download this CloudFormation template to your disk.
Open the AWS CloudFormation console and choose to create a new stack.
To test this rule, go to the VPC console.
On the left, under Traffic Mirroring, select Mirror targets.
On the top right, click Create a new Traffic Mirror target. (Keep in mind that earlier we reduced the privileges of the DevOps role, but not yours.)
Congratulations! You have completed the last exercise.