aws-s3-best-practices-baseline

InSpec profile to validate the secure configuration of your AWS s3 bucket via inspec. The validation is based genreally off the AWS guidance found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

Getting Started

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

The latest versions and installation options are available at the InSpec site.

Requirements

In order to run the profile, you must install the following on the system you will be running inspec from so that the aws resources are able to connect and use the aws api to validate your S3 buckets. Lastly, the IAM account used to run this profile against the AWS environment needs to be attached through a group or role with at least AWS IAM ReadOnlyAccess Managed Policy.

• AWS CLI installed and configured
• InSpec in your path
• AWS IAM ReadOnlyAccess Managed Policy

Configuring your AWS CLI

By default the InSpec AWS transport will use the default aws cli profile found in ~/.aws/ and the SECRET and ACCESS keys defined there.

The right system environment variables can be set with your AWS region and credentials and session token to use the AWS CLI and InSpec resources in a non-default AWS environment. InSpec supports the following standard AWS variables:

$ export AWS_ACCESS_KEY_ID=key-id
$ export AWS_SECRET_ACCESS_KEY=access-key
$ export AWS_SESSION_TOKEN=session_token
$ export AWS_REGION=us-west-1

Notes on MFA.

In any AWS MFA enabled environment - you need to use derived credentials to use the CLI. Your default AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will not satisfy the MFA Policies in AWS environments.

The AWS documentation is here: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html

The AWS profile documentation is here: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

A useful bash script for automating this is here: https://gist.github.com/dinvlad/d1bc0a45419abc277eb86f2d1ce70625

To generate credentials using an AWS Profile you will need to use the following AWS CLI commands.

aws sts get-session-token --serial-number arn:aws:iam::<$YOUR-MFA-SERIAL> --token-code <$YOUR-CURRENT-MFA-TOKEN> --profile=<$YOUR-AWS-PROFILE>

Then export the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that was generated by the above command.

Tailoring to Your Environment

The following inputs can be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.

s3_name: '<name of s3 bucket>'
s3_public: <bool>
s3_versioning: <bool>
s3_default_encryption: <bool>
s3_access_logging: <bool>

Running This Baseline from Github

# How to run
inspec exec https://github.com/Staggerlee011/s3-bp-benchmark/archive/master.tar.gz --t aws://<region>/<aws_credential_profile> --input-file=<inputs.yml> --reporter=cli json:s3-output.json

Different Run Options

Full exec options

Using Heimdall for Viewing the JSON Results

The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.

The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.

Authors

• Staggerlee011

Special Thanks

• MITRE SAF Team https://saf.mitre.org

Contributing and Getting Help

To report a bug or feature request, please open an issue.