AWSome CIS Checker

AWS is becoming one of the most prevalent cloud solutions in the world and, as a result, reviewing the configuration of AWS infrastructure is emerging as a necessary and regular assurance exercise for most organisations in the current security landscape.

An AWS configuration entails a multitude of instances, containers, users, network groups, ACLs, etc., and therefore the process of assessing them against best practice standards often becomes tedious and time-consuming.

AWSome CIS Checker is a tool which was conceptualised to solve these problems by automating the whole process of checking AWS configurations in accordance with one of the most widely used industry best practice guides: the CIS Benchmarks.

Based on Boto3, an AWS SDK for Python, AWSome CIS Checker uses the set of credentials provided on a local AWS Client configuration to verify if the elements of a certain configuration are compliant with CIS Benchmarks (currently v1.3.0). This covers all the basic checks but also allows for a “deeper” inspection of the configuration by investigating more obscure options which could facilitate further attack vectors.

In addition, and here is where AWSome CIS Checker provides the most value, rather than generating random unmatched CIS checks as output, the tool also provides smart suggestions about issues by grouping them together into a comprehensive list (Storage, Logging, etc.) of security problems within the environment.
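The check-then-group pattern described above, as an added example that is not AWSome CIS Checker's own code. The function names and the category labels are assumptions, the sample data is constructed in the shape of Boto3 responses so the block runs offline, and the CloudTrail checks are simplified versions of CIS v1.3.0 controls 3.1 and 3.2.

```python
from collections import defaultdict

# Constructed sample data shaped like Boto3 responses, so this runs offline.
# Live equivalents: iam.get_account_password_policy(), cloudtrail.describe_trails()
SAMPLE_PASSWORD_POLICY = {"PasswordPolicy": {"MinimumPasswordLength": 8}}
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]}

def check_password_policy(resp):
    """CIS v1.3.0 1.8 (length >= 14) and 1.9 (reuse prevention of 24)."""
    policy = resp.get("PasswordPolicy", {})
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append(("1.8", "IAM", "password minimum length is below 14"))
    # A missing PasswordReusePrevention key means reuse is not restricted.
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append(("1.9", "IAM", "password reuse prevention is below 24"))
    return findings

def check_cloudtrail(resp):
    """Simplified CIS v1.3.0 3.1 (multi-region trail) and 3.2 (log validation)."""
    trails = resp.get("trailList", [])
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("3.1", "Logging", "no multi-region trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("3.2", "Logging", f"trail {t['Name']}: log file validation off"))
    return findings

def group_findings(findings):
    """Collapse per-control failures into one entry per category."""
    grouped = defaultdict(lambda: {"controls": set(), "details": []})
    for control, category, detail in findings:
        grouped[category]["controls"].add(control)
        grouped[category]["details"].append(detail)
    return {c: {"controls": sorted(g["controls"]), "details": g["details"]}
            for c, g in grouped.items()}

def run_sample():
    findings = check_password_policy(SAMPLE_PASSWORD_POLICY) + check_cloudtrail(SAMPLE_TRAILS)
    return group_findings(findings)

if __name__ == "__main__":
    for category, group in run_sample().items():
        print(category, group["controls"], *group["details"], sep="\n  ")
```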

AWSome CIS Checker is dependent on some Python3 packages that can be easily installed by executing the following:

pip3 install -r requirements.txt

After all requirements have been satisfied, it supports multiple running options:

[Image: AWSome CIS Checker --cis running option output]

[Image: AWSome CIS Checker --suggest running option output]

You can download this new tool at: SECFORCE's GitHub repository
