How to perform a security audit of your AWS account in AWS CloudShell

AWS CloudShell makes it easy to spin up a terminal right in your AWS account. Since CloudShell is just like any other terminal, you have the ability to bootstrap other tools without the need to spin up an instance.

In my last post I showed how to install Steampipe and use it to instantly query your AWS APIs using SQL right in AWS CloudShell. For example here's a query that uses the Steampipe AWS plugin to query which AWS IAM users have MFA enabled:

select
  title,
  create_date,
  mfa_enabled
from
  aws_iam_user

+-----------------+---------------------+-------------+
| title           | create_date         | mfa_enabled |
+-----------------+---------------------+-------------+
| pam_beesly      | 2005-03-24 21:30:00 | false       |
| creed_bratton   | 2005-03-24 21:30:00 | true        |
| stanley_hudson  | 2005-03-24 21:30:00 | false       |
| michael_scott   | 2005-03-24 21:30:00 | false       |
| dwight_schrute  | 2005-03-24 21:30:00 | true        |
+-----------------+---------------------+-------------+

You can simply query your environment for these type of security configuration questions using SQL. There's thousands of examples you can leverage to get you started, and a wealth of possibilities to uncover details about your AWS configurations.

Running Security and Compliance Checks

While you can explore your AWS configurations running queries, Steampipe also provides modules which are collections of related dashboards, benchmarks, queries, and controls. Steampipe mods and mod resources are defined in HCL wrapping your SQL queries to create a benchmark. There are many published mod examples to get you started with thousands of controls readily available for security, compliance, tagging, and cost controls. Published modules can be found on the Steampipe Hub, and custom mods may be shared with others from any public git repository.

For example, the AWS Compliance Mod layers benchmarks and controls covering 13 compliance standards including CIS, HIPAA, NIST, PCI, FedRAMP, SOC 2 and more. Each benchmark includes a set of pass/fail controls. Each control tests for a compliance recommendation such as "EC2 instances" should be managed by AWS Systems Manager" and reports OK or Alarm.

Here's how to run the NIST 800-53 benchmark:
If you've already completed steps 1 - 3, skip to step 4:

1. Install Steampipe

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"

2. Install the AWS plugin

steampipe plugin install aws

3. Install the AWS Compliance Mod

git clone https://github.com/turbot/steampipe-mod-aws-compliance
cd steampipe-mod-aws-compliance

4. Run the NIST 800-53 benchmark:

steampipe check benchmark.nist_800_53_rev_4

There are over 370 controls in that benchmark, so the command produces many screenfuls of output, here's the last one:

Export and Review the Findings

The summary is helpful, but you may want to digest the full report in varying formats. You can export to CSV, Markdown, HTML. Example of an HTML format:

steampipe check benchmark.nist_800_53_rev_4 --export=output.html

Using Files -> Download File in AWS CloudShell's Actions menu, you can download your output file steampipe-mod-aws-compliance/output.html and work with it locally.

Here's what the HTML report looks like:

AWS Compliance Quick Start

We put together a quick start script to bootstrap the flow above and prompt the user to select from the 13 available compliance benchmarks.

To get started with the quick start, spin up a new CloudShell and install Steampipe:

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"

Then bring down the Steampipe AWS Compliance Quick Start script to install the AWS Plugin, AWS Compliance Mod, and receive the selection prompt asking which benchmark to run:

/bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe-samples/main/all/aws-compliance-quickstart/quickstart.sh)"

See it in action:

You can always run the last command again and it will skip the setup steps and prompt you for another compliance benchmark to run. Note: This last script was just a fun sample, generally you should stick to the official AWS Compliance Mod Controls to evaluate the controls, definitions and up to date information on available benchmarks.

Final Thoughts

I really enjoy using AWS CloudShell for these type of quick win use cases within an AWS account. It's remarkably easy to install your CLI tools like Steampipe, with no configuration required and instant gratification! Let me know how you use AWS CloudShell with your favorite CLI tools in the comments below.