# VPC Flow Logs How To

As mentioned in the previous post, Your AWS Account is a mess? Learn how to fix it!, most AWS accounts are a mess. This can be a serious risk, especially for security-related resources like Security Groups. In this post, we will describe a technique to make the existing Security Group rules as strict as possible using data from VPC Flow Logs and AWS Config. We will focus on inbound rules, but the concept works similarly for outbound rules.

Security Group rules often allow more than they should, for various reasons like inexperience, ignorance, or simply obsolete/forgotten rules. Our main idea is to compare the possible traffic (i.e. the traffic which can occur according to the defined rules) with the real traffic that occurred in an account. The following figure demonstrates this idea.

[figure omitted]

At first, all needed data from the AWS APIs (VPC, EC2, CloudWatch, Config) is fetched and imported into a database (1). For every flow in the database, we try to assign the corresponding security group(s). An analysis tool then processes this data (2). By comparing the flows belonging to a security group with the rules of that group, we can check whether a rule is too permissive or not needed at all. The algorithm performing this task is shown in figure 4.2. With this information, we can generate rule sets following the principle of least privilege, which are written to the database (3). These rules should then be presented in a web interface (4) for review and application (5). If a suggested rule is applied, the change should be carried out in the AWS account.

To get information about the traffic in an account, we use VPC Flow Logs. Flow Logs are a kind of log about every IP packet which enters or leaves a network interface within a VPC that has Flow Logs activated. As Flow Logs are disabled by default, we first need to enable them. Then we have to wait a few days or weeks until an appropriate amount of logs has been generated to work with.

[figure omitted]

This is the information we work with. An important aspect here is that we have no TCP flags or payload data. With this additional data, we could make a much deeper analysis of the traffic that occurred. For later analysis, all records are imported into a database.

To compare this data with the Security Group rules, we need to know which Flow Log record belongs to which Security Group. This association can be made using the interface-id available in every Flow Log record. For running instances, we can simply retrieve the interface-id and the Security Groups an instance belongs to via the AWS APIs and make the connection from Flow Log record to Security Group. In highly dynamic environments, however, it is possible that we find interface-ids belonging to instances that have already been terminated. This means we have no data about which Security Groups were assigned to such an instance, so we cannot enrich this particular Flow Log record with this information. This is where AWS Config comes in: after a brief setup, this service periodically takes snapshots of your whole infrastructure configuration and saves them to an S3 bucket. These JSON files now contain all the information we need, even for terminated instances.

After assigning the corresponding Security Groups, our simplified example entry looks like this:

eni-abc123de | 172.168.1.12 | 20641 | 19.22.5.77 | 22 |

## Analysis

With all needed data in our database, we can start analyzing. For every rule in every Security Group, we make a query against our database. For a rule in sg-123 allowing TCP port 25 from 192.168.22.19/32, our query looks like:

`select * from flowlogs where secgroup='sg-123' and port=25 and protocol=6 and from='192.168.22.19/32'`

If this query returns 0 results/rows, we know that there was no traffic belonging to this rule. A review by a human should be considered to evaluate if this rule is really needed or should be removed.

## Wildcard Example

Another example for the following wildcard rule: sg-123: allow port 80, TCP, from 0.0.0.0/0. Our query for this looks like:

`select * from flowlogs where secgroup='sg-123' and port=80 and protocol=6`

To check if this rule should really be a wildcard rule, we analyze the from field in the results. If there are more sources than a configured threshold, the wildcard is considered acceptable.
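The per-rule check and the wildcard threshold described above, as an added example that is not the post's own code. It assumes each flow record has already been enriched with its Security Group (the eni-to-sg step), uses a constructed sample of rules and flows, and a configured threshold of 3 distinct sources.

```python
# Added example, not the post's own code. Assumes each flow record has already
# been enriched with its Security Group (the eni-to-sg assignment step).
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "sg port protocol source")        # inbound SG rule
Flow = namedtuple("Flow", "sg src_addr dst_port protocol")  # enriched flow record

# Constructed sample data; protocol 6 = TCP, as in the post's queries.
RULES = [
    Rule("sg-123", 25, 6, "192.168.22.19/32"),  # specific rule, never hit
    Rule("sg-123", 80, 6, "0.0.0.0/0"),         # wildcard, only two real sources
    Rule("sg-123", 22, 6, "0.0.0.0/0"),         # wildcard, many sources
]
FLOWS = [
    Flow("sg-123", "10.0.5.7", 80, 6), Flow("sg-123", "10.0.5.7", 80, 6),
    Flow("sg-123", "10.0.9.2", 80, 6),
    Flow("sg-123", "203.0.113.1", 22, 6), Flow("sg-123", "203.0.113.2", 22, 6),
    Flow("sg-123", "203.0.113.3", 22, 6), Flow("sg-123", "203.0.113.4", 22, 6),
    Flow("sg-456", "192.168.22.19", 25, 6),     # right source, wrong group
]

def flows_for_rule(rule, flows):
    """Equivalent of the post's SELECT: flows of the rule's group that the rule permits."""
    net = ip_network(rule.source)
    return [f for f in flows
            if f.sg == rule.sg and f.dst_port == rule.port
            and f.protocol == rule.protocol and ip_address(f.src_addr) in net]

def analyze_rule(rule, flows, wildcard_threshold=3):
    """Classify one rule as 'unused', 'in-use', 'wildcard-ok' or 'narrow'.
    'narrow' returns the least-privilege /32 sources seen instead of 0.0.0.0/0."""
    matched = flows_for_rule(rule, flows)
    if not matched:
        return "unused", []                     # candidate for removal after human review
    sources = sorted({f.src_addr for f in matched})
    if ip_network(rule.source).prefixlen == 0:  # 0.0.0.0/0 wildcard rule
        if len(sources) >= wildcard_threshold:
            return "wildcard-ok", sources       # enough distinct sources: keep wildcard
        return "narrow", [f"{s}/32" for s in sources]
    return "in-use", sources

def analyze_all(rules=RULES, flows=FLOWS, wildcard_threshold=3):
    """Run the check for every rule, keyed by the rule itself."""
    return {r: analyze_rule(r, flows, wildcard_threshold) for r in rules}

if __name__ == "__main__":
    for rule, (verdict, sources) in analyze_all().items():
        print(rule.sg, rule.port, rule.source, "->", verdict, sources)
```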