aws-s3-best-practices-baseline
InSpec profile to validate the secure configuration of your AWS s3 bucket via inspec. The validation is based genreally off the AWS guidance found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
Getting Started
For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.
The latest versions and installation options are available at the InSpec site.
Requirements
In order to run the profile, you must install the following on the system you will be running inspec from so that the aws resources are able to connect and use the aws api
to validate your S3 buckets. Lastly, the IAM account used to run this profile against the AWS environment needs to be attached through a group or role with at least AWS IAM ReadOnlyAccess
Managed Policy.
- AWS CLI installed and configured
- InSpec in your path
- AWS IAM
ReadOnlyAccess
Managed Policy
Configuring your AWS CLI
By default the InSpec AWS transport will use the default aws cli profile found in ~/.aws/
and the SECRET
and ACCESS
keys defined there.
The right system environment variables can be set with your AWS region and credentials and session token to use the AWS CLI and InSpec resources in a non-default AWS environment. InSpec supports the following standard AWS variables:
$ export AWS_ACCESS_KEY_ID=key-id
$ export AWS_SECRET_ACCESS_KEY=access-key
$ export AWS_SESSION_TOKEN=session_token
$ export AWS_REGION=us-west-1
Notes on MFA.
In any AWS MFA enabled environment - you need to use derived credentials to use the CLI. Your default AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
will not satisfy the MFA Policies in AWS environments.
The AWS documentation is here: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html
The AWS profile documentation is here: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
A useful bash script for automating this is here: https://gist.github.com/dinvlad/d1bc0a45419abc277eb86f2d1ce70625
To generate credentials using an AWS Profile you will need to use the following AWS CLI commands.
aws sts get-session-token --serial-number arn:aws:iam::<$YOUR-MFA-SERIAL> --token-code <$YOUR-CURRENT-MFA-TOKEN> --profile=<$YOUR-AWS-PROFILE>
Then export the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that was generated by the above command.
Tailoring to Your Environment
The following inputs can be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.
s3_name: '<name of s3 bucket>'
s3_public: <bool>
s3_versioning: <bool>
s3_default_encryption: <bool>
s3_access_logging: <bool>
Running This Baseline from Github
# How to run
inspec exec https://github.com/Staggerlee011/s3-bp-benchmark/archive/master.tar.gz --t aws://<region>/<aws_credential_profile> --input-file=<inputs.yml> --reporter=cli json:s3-output.json
Different Run Options
Using Heimdall for Viewing the JSON Results
The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.
The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.
Authors
- Staggerlee011
Special Thanks
- MITRE SAF Team https://saf.mitre.org
Contributing and Getting Help
To report a bug or feature request, please open an issue.