Elastic Security


Security for the Cloud

Amazon Web Services' latest push towards security and compliance: CloudHSM

We are getting used to the fast pace of innovation and new tools brought by Amazon Web Services (AWS), but this week's CloudHSM announcement was a surprise. So, you do not trust AWS to store your keys, and keeping them outside AWS adds complexity and hurts performance? You want to use AWS, but you have critical and confidential data and need to comply with security standards? CloudHSM is the answer to these questions.

A Hardware Security Module (HSM) is like a (big) smartcard: a certified device that physically protects your keys, so that they can be used for cryptographic operations but never exported in clear. When it detects a physical attack (tampering), the first thing an HSM does is erase its keys in a secure manner (zeroization).

The idea of providing an HSM as a service is very innovative, thank you AWS! Nevertheless, this kind of toy does not come cheap, and key management (rotation and revocation, to give just two examples) is always a tricky issue that the HSM does not solve for you. We look forward to testing it and to including CloudHSM in our AWS reference architectures!

Filed under: AWS, AWSUG, Cloud Computing, CSA, Elastic Security, IaaS, Privacy, Secure Cloud, Solutions

AWS Asia Pacific (Sydney) support in CloudyScripts

A few days ago, Amazon announced on its blog that it has deployed a new region in Asia Pacific (Sydney, Australia); the full article can be found here.

Even though Amazon's documentation did not yet contain all the required information (such as the Amazon Kernel Image IDs, the AKIs), we were able to retrieve them, which allows CloudyScripts to fully support this new region.

CloudyScripts gem

A new version has been released with the AKI mapping table brought up to date for this new region.
We retrieved the AKI list using the AWS EC2 API Tools as follows:

[fred@secludit-debian]# /bin/ec2-describe-images -K pkey-XXX.pem -C cert-XXX.pem --region ap-southeast-2 -a | grep pv-grub | awk '{print $2" "$3" "$7}'
aki-3f990e05 amazon/pv-grub-hd00_1.03-i386.gz i386
aki-3d990e07 amazon/pv-grub-hd00_1.03-x86_64.gz x86_64
aki-33990e09 amazon/pv-grub-hd0_1.03-i386.gz i386
aki-31990e0b amazon/pv-grub-hd0_1.03-x86_64.gz x86_64
aki-9b8413a1 309956199498/pv-grub-hd0_1.03-i386-pub i386
aki-998413a3 309956199498/pv-grub-hd0_1.03-x86_64-pub x86_64

NB: Amazon has not yet deployed all of its AKIs in this new region. An instance launched from an AMI copied from another AWS region that was registered with one of the following PV-GRUB kernels may not boot properly, because no equivalent AKI exists yet in ap-southeast-2.

pv-grub-hd0-V1.01-i386
pv-grub-hd0-V1.01-x86_64.gz
pv-grub-hd00-V1.01-i386.gz
pv-grub-hd00-V1.01-x86_64.gz
pv-grub-hd00_1.02-i386.gz
pv-grub-hd00_1.02-x86_64.gz
pv-grub-hd0_1.02-i386.gz
pv-grub-hd0_1.02-x86_64.gz

CloudyScripts WebSite

Our free online service has also been updated to support this new region in each of its scripts.

/fred

Filed under: AWS, Cloud Computing

Launch of HP Cloud with OpenStack

We’ve been busy lately with the second version of Elastic Detector, which supports Amazon EC2, Terremark’s vCloud Express and Eucalyptus. Today we’re thrilled to announce support for another leading cloud infrastructure: HP Cloud. Please find the complete announcement here.

We are strong believers in OpenStack and we participated in the private beta of HP Cloud in order to be ready from day one. We are happy to start our partnership with HP Cloud, with the goal of bringing additional security services to HP Cloud customers.

Filed under: Cloud Computing, Elastic Security, IaaS, Solutions

AWS South America support in CloudyScripts

Yesterday, Amazon announced on its blog that it has deployed a new region in South America (Sao Paulo, Brazil); the full article can be found here.

Even though Amazon's documentation did not yet contain all the required information (such as the Amazon Kernel Image IDs, the AKIs), we were able to retrieve them, which allows CloudyScripts to fully support this new region.

CloudyScripts gem

A new version has been released with the AKI mapping table brought up to date for this new region.
We retrieved the AKI list using the AWS EC2 API Tools as follows:

[fred@secludit-debian]# /bin/ec2-describe-images -K pkey-XXX.pem -C cert-XXX.pem --region sa-east-1 -a | grep pv-grub | awk '{print $2" "$3" "$7}'
aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
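The reason these listings matter is the AKI mapping that the Copy AMI script needs: an AMI registered with a PV-GRUB kernel in one region must be re-registered with the AKI of the same PV-GRUB build in the target region, and, as the Sydney post above warns, that build may not exist there yet. The following Ruby snippet is an added example (it is not CloudyScripts code) that turns the describe-images output of this post and of the ap-southeast-2 post into per-region tables and maps an AKI across regions, returning nil when the target region does not carry the kernel. The region "xx-example-1" and its AKI ids are fictitious, constructed only so that a successful mapping can be shown.

```ruby
# Added example, not CloudyScripts code: build a kernel-name -> AKI table per
# region from `ec2-describe-images ... | grep pv-grub` output and translate an
# AKI into its equivalent in another region.
#
# The ap-southeast-2 and sa-east-1 listings are copied from the two posts;
# "xx-example-1" is a fictitious region with made-up AKI ids, constructed
# only so that a successful mapping can be demonstrated.
LISTINGS = {
  "ap-southeast-2" => <<~TXT,
    aki-3f990e05 amazon/pv-grub-hd00_1.03-i386.gz i386
    aki-3d990e07 amazon/pv-grub-hd00_1.03-x86_64.gz x86_64
    aki-33990e09 amazon/pv-grub-hd0_1.03-i386.gz i386
    aki-31990e0b amazon/pv-grub-hd0_1.03-x86_64.gz x86_64
    aki-9b8413a1 309956199498/pv-grub-hd0_1.03-i386-pub i386
    aki-998413a3 309956199498/pv-grub-hd0_1.03-x86_64-pub x86_64
  TXT
  "sa-east-1" => <<~TXT,
    aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
    aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
    aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
    aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
    aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
    aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
    aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
    aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
  TXT
  "xx-example-1" => <<~TXT,
    aki-0000000a amazon/pv-grub-hd00_1.03-x86_64.gz x86_64
    aki-0000000b amazon/pv-grub-hd0_1.02-x86_64.gz x86_64
  TXT
}.freeze

# Strip the owner/bucket prefix and the packaging suffixes so that the same
# PV-GRUB build gets the same key in every region:
#   amazon/pv-grub-hd0_1.03-i386.gz                                  -> pv-grub-hd0_1.03-i386
#   309956199498/pv-grub-hd0_1.03-i386-pub                           -> pv-grub-hd0_1.03-i386
#   ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml -> pv-grub-hd0_1.02-i386
# "hd0" and "hd00" stay distinct on purpose: they are different loaders
# (root filesystem on the whole disk vs. on the first partition).
def kernel_key(image_name)
  image_name.split("/").last
            .sub(/\.manifest\.xml\z/, "").sub(/\.gz\z/, "").sub(/-pub\z/, "")
end

# One "<aki-id> <image-name> <arch>" line per image, as printed by the awk
# filter used in the post.
def parse_listing(text)
  table = {}
  text.each_line do |line|
    aki, name, arch = line.split
    next unless aki && aki.start_with?("aki-")
    key = kernel_key(name)
    owner = name.split("/").first
    # The same build can be listed twice (amazon/ and the -pub copy); keep
    # Amazon's own entry when both are present.
    next if table.key?(key) && owner != "amazon"
    table[key] = { aki: aki, arch: arch }
  end
  table
end

TABLES = LISTINGS.each_with_object({}) { |(region, text), h| h[region] = parse_listing(text) }.freeze

# AKI of the same PV-GRUB build in target_region, or nil when the source AKI
# is unknown or the target region does not (yet) carry that build. A nil here
# is exactly the case the Sydney post warns about: registering the copied
# AMI with a kernel the region does not have gives an instance that may not boot.
def map_aki(tables, source_region, source_aki, target_region)
  kernel, _info = tables.fetch(source_region).find { |_key, info| info[:aki] == source_aki }
  return nil unless kernel
  entry = tables.fetch(target_region)[kernel]
  entry && entry[:aki]
end

# Builds present in source_region but absent from target_region.
def missing_kernels(tables, source_region, target_region)
  tables.fetch(source_region).keys - tables.fetch(target_region).keys
end
```

A copy script should refuse to register the target AMI when map_aki returns nil rather than fall back to "any" kernel of the right architecture: a PV-GRUB hd0 loader will not find a kernel on a partitioned root volume built for hd00, and vice versa.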

CloudyScripts WebSite

Our free online service has also been updated to support this new region in each of its scripts.

As requested by CloudyScripts users, we have also added support for auditing VPC Security Groups.

  • VPC Critical Ports Audit: this script checks whether the VPC Security Groups of your infrastructure allow public access to ports considered so sensitive that exposing them may cause critical damage to your machines, such as the ports used to administer them.

/fred

Filed under: AWS, Cloud Computing

Elastic Security: Vulnerability Assessment

Elastic Detector, our FREE vulnerability assessment tool for Amazon EC2, has recently been updated with NEW features. Of course, the NEW Amazon US West (Oregon) region has been added in the meantime (see the AWS blog post for more information).

Security is sometimes considered boring (as shown in one of our previous posts on Open Ports Check), so I take this opportunity to explain the security features that have recently been added and to point out two characteristics of Elastic Detector that are essential for a security solution that can cope with the elasticity of cloud infrastructures.

New Security Features of Elastic Detector

  • Blacklist Checks: check against well-known RBLs (DNS-based real-time blackhole lists) whether your Elastic IP address (EIP in Amazon naming) or the IP address taken from the Amazon address pool is blacklisted.
    This allows cloud users to detect a configuration error such as a mail server acting as an open relay, or a malicious insider using your infrastructure to run a botnet (one of the Cloud Security Alliance Top Threats).
  • Critical Ports Audit: check against a tunable list of sensitive ports that no critical port is open to the public.
    This protects cloud users from dictionary attacks on administrative services such as SSH, Webmin (for Linux instances) or RDP (for Windows instances).
  • Security Zones Auditor: define security zones according to the ports that are accessible (using 3 levels of security: public, sensitive and critical) and the source IP addresses that have access to those ports (using 3 levels of trust: untrusted, fairly trusted, trusted). Based on that information, Elastic Detector verifies that servers of different trust levels are strictly separated with regard to their security zones. For example, in a three-tier architecture (web server, application server, database server), an instance running the web server should not be able to directly reach the instance running the database server, as this would expose your data if the web server were compromised.
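To make the Critical Ports Audit and the Security Zones Auditor concrete (and the VPC Critical Ports Audit script of the Sao Paulo post, which applies the same rule to VPC Security Groups), here is an added Ruby example. It is not Elastic Detector or CloudyScripts code: the Security Group rules are constructed to mirror the three-tier example above, the critical-port list is the tunable list the post mentions, and the zone rule is our simplified reading of the post's trust levels, namely that a tier may only be reached from the tier directly below it (Internet, then web, then app, then database).

```ruby
require "ipaddr"

# Added example, not Elastic Detector code. Constructed three-tier set-up
# modelled on the post: each entry is an inbound permission of a Security
# Group; a source is either a CIDR or the name of another group.
GROUPS = {
  "sg-web" => [
    { proto: "tcp", from: 80,   to: 80,    source: "0.0.0.0/0" },
    { proto: "tcp", from: 22,   to: 22,    source: "0.0.0.0/0" },      # SSH open to the world
  ],
  "sg-app" => [
    { proto: "tcp", from: 8080, to: 8080,  source: "sg-web" },
    { proto: "tcp", from: 22,   to: 22,    source: "203.0.113.0/24" }, # SSH from the admin network only
  ],
  "sg-db" => [
    { proto: "tcp", from: 3306, to: 3306,  source: "sg-app" },
    { proto: "tcp", from: 3306, to: 3306,  source: "sg-web" },         # web tier reaches the database directly
    { proto: "-1",  from: 0,    to: 65535, source: "10.0.0.0/8" },     # all traffic from the private range
  ],
}.freeze

# Tunable list of ports whose public exposure we treat as critical.
CRITICAL_PORTS = { 22 => "ssh", 3389 => "rdp", 10000 => "webmin" }.freeze

# Trust tiers: 0 is the Internet; a tier may only be reached from the tier
# directly below it (Internet -> web -> app -> db).
TIERS = { "sg-web" => 1, "sg-app" => 2, "sg-db" => 3 }.freeze

# A source is "public" when it is a CIDR with a zero-length prefix
# (0.0.0.0/0 or ::/0). Group references are never public by themselves.
def public_source?(source)
  return false if source.start_with?("sg-")
  IPAddr.new(source)                 # raises on a malformed CIDR rather than silently passing it
  source.split("/")[1] == "0"
end

# Does the rule let traffic to this port through? proto "-1" means all traffic.
def rule_covers?(rule, port)
  rule[:proto] == "-1" || (rule[:from]..rule[:to]).cover?(port)
end

# Critical Ports Audit: administrative ports reachable from everyone.
def critical_port_findings(groups, critical = CRITICAL_PORTS)
  groups.flat_map do |name, rules|
    rules.select { |r| public_source?(r[:source]) }.flat_map do |r|
      critical.select { |port, _svc| rule_covers?(r, port) }
              .map { |port, svc| "#{name}: #{svc} (#{port}/#{r[:proto]}) open to #{r[:source]}" }
    end
  end
end

# Security Zones Auditor: flag any rule that lets a tier be reached from a
# tier other than the one directly below it. Specific CIDRs (such as the
# admin network) are left to the ports audit.
def zone_findings(groups, tiers)
  findings = []
  groups.each do |name, rules|
    tier = tiers.fetch(name)
    rules.each do |r|
      src = r[:source]
      src_tier = if src.start_with?("sg-") then tiers.fetch(src) elsif public_source?(src) then 0 end
      next if src_tier.nil? || src_tier == tier - 1
      findings << "#{name} (tier #{tier}) reachable from #{src} (tier #{src_tier}) on #{r[:from]}-#{r[:to]}/#{r[:proto]}"
    end
  end
  findings
end
```

Run against the constructed groups, the ports audit reports only the world-open SSH on sg-web, and the zone audit reports only the direct sg-web to sg-db rule; the SSH rule restricted to 203.0.113.0/24 and the app-to-db rule are accepted. Passing a different hash as the second argument of critical_port_findings is how the list is tuned, for example to add 8443 or to audit 3306 when a database is not supposed to be reachable from outside at all.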

Two Characteristics of Elastic Detector

  • Agentless: no additional agent or software to install on your instances (AMI in Amazon naming).
    Using the APIs, there is no risk of losing connectivity with an agent (due to a network problem, a misconfiguration or a human error) and no deployed agents to maintain. Moreover, an agent is itself a target for attack, so using the APIs gives us an additional level of isolation.
  • Auto-Check Technology: any cloud resource (especially instances) is under control during its complete life cycle: continuous security checks based on customizable templates are automatically put in place as soon as the resource is detected by a real-time polling system, until the resource is shut down.

Feel free to comment or ask more details on the security points.
/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

Amazon US West Oregon Region Support in CloudyScripts

A few days ago Amazon announced that a new AWS region in Oregon is available (see the AWS blog post for more information).

Amazon’s documentation for the PV-GRUB AKI IDs (which can be found here) was not updated at the same time, which is why fully supporting the NEW US West (Oregon) region in CloudyScripts took a few additional days (especially for the Copy AMI To Different Region script).

NB: the importance of being able to map PV-GRUB AKIs between Amazon regions is explained in a previous post, How-To: Copy an EBS-Backed AMI from one region to another one.

CloudyScripts Ruby gem

SecludIT has released a new version of the Ruby library containing the latest update on RubyForge. The gem is also available on RubyGems.org.

CloudyScripts WebSite

SecludIT has now added support for the NEW US West (Oregon) region in CloudyScripts.

As a reminder, here is some information on one of our most used scripts (more than five thousand executions so far):

  • Copy AMI to Different Region: creates a copy of a given AMI and makes it available in another region. To do so, an instance is started in each region: the instance in the source region mounts a volume created from a snapshot of the original AMI and copies all its files (via rsync) to a clean volume attached to the instance in the target region. Once the copy has succeeded, the target volume is snapshotted and the snapshot is registered as an AMI in the target region.

CloudyScripts DevPay AMI

The SecludIT DevPay AMI has not yet been updated, but it should be available soon. This AMI runs in your own Amazon EC2 infrastructure and is available from our CloudyScripts website.

As usual, any feedback is greatly appreciated, so do not hesitate to contact us or leave a comment.

/fred

Filed under: AWS, Cloud Computing

Amazon EC2 Copy AMI and Snapshot: CloudyScripts updated

The SecludIT team is proud to announce that the Copy AMI and Copy Snapshot tools for Amazon EC2 in CloudyScripts, our collection of tools to manage and automate cloud infrastructures, have been improved.

Copy AMI from one region to another

Following requests from our users to support Amazon EC2 Linux AMIs (pre-configured, templated images to get up and running immediately) that use the EXT4 filesystem for their root partition and their own kernel through the Amazon PV-GRUB loader, we decided to add these features to CloudyScripts. While adding support for the new kernels, we also added detection of the /dev/xvdX device node that the guest may expose for a volume attached as /dev/sdX in the Amazon EC2 Console.

New features:

  • Support for the EXT4 and XFS Linux filesystems
  • Amazon Kernel Image (AKI) mapping between regions

As a result, we have fully automated the How-To we wrote some time ago on copying an EBS-backed AMI between Amazon EC2 regions.
Using the CloudyScripts Copy AMI script, you can now move the vast majority of Amazon EC2 Linux AMIs to any Amazon EC2 region.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy AMI

NB: CloudyScripts does not yet support BTRFS, which is, at this time, under heavy development.

Copy Snapshot from one region to another

As our users also choose AMIs with EXT4 and XFS filesystems, support for these filesystems has been added to the Snapshot CloudyScript as well, together with the same detection of the /dev/xvdX device node for volumes attached as /dev/sdX in the Amazon EC2 Console.

New feature:

  • Support for the EXT4 and XFS Linux filesystems

Using CloudyScripts Copy Snapshot, you can now move the vast majority of Amazon EC2 Linux snapshots between any Amazon EC2 regions.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy Snapshot

NB: I was wondering, what do you think of creating a CloudyScript for automatically registering an Amazon EC2 snapshot? Does that seem helpful to you?

Security

In terms of security, we strongly recommend creating temporary Amazon EC2 credentials through AWS Identity and Access Management (IAM) and deleting them once the task is done. We explained how to do so using the Amazon command line tools in a previous article: ReadOnly credentials for Amazon EC2.

Another thing that must not be forgotten is to close the SSH port (TCP port 22) that was opened for the copy once it is finished. Even if you are not using your default Amazon EC2 Security Groups, you must restrict administrative access to your Amazon EC2 infrastructure. Read more on Risk of publicly opened port.

References

AWS Blog: Enabling your own Linux Kernels
AWS Documentation: Use your own kernel with Amazon EC2

/fred

Filed under: AWS, Cloud Computing

Monitoring Tool: Amazon EC2 plugins for Nagios

SecludIT has published two plugins for monitoring Amazon EC2 with the Nagios open source monitoring solution. These plugins are available on Nagios Exchange under the Apache 2 license. Both Nagios plugins are written in Ruby on top of the Amazon EC2 Ruby gem library and use HTTP Query API calls to the Amazon API endpoints.

Nagios Plugins for Amazon EC2

The Nagios open source monitoring solution consists of several Nagios projects, including:

  • Nagios Core: the open source monitoring engine and multiple APIs for extending core functionality
  • Nagios Plugins: efficient, standalone extensions that provide low-level intelligence for monitoring everything with Nagios Core

Contrary to traditional IT infrastructures, cloud computing stacks (such as Amazon EC2) allow server monitoring through their programming interfaces (APIs), meaning that:

  • you do not need to install and maintain agents on the servers (for example, no SNMP agent installation and configuration)
  • you do not need to configure and protect privileged access to the servers (for example, no remote SSH tunnels)

The plugins we provide illustrate these advantages. Without agents, you can:

  • know the status of your servers (running, stopped, starting, stopping)
  • get metrics of your servers (CPU, Network traffic and disk usage)

Check Amazon EC2 Instance status plugin

The Check AWS EC2 Instance Status plugin retrieves the status of Amazon EC2 instances. It is a Nagios active check that takes the Amazon API endpoint and an Amazon EC2 instance ID as input parameters, connects to the Amazon API endpoint through HTTP Query API calls and retrieves the status of that instance.

Get Amazon CloudWatch metrics plugin

The Get Amazon CloudWatch metrics plugin retrieves metrics from Amazon CloudWatch. It is a Nagios active check that takes the Amazon API endpoint, an Amazon EC2 instance ID and the CloudWatch metric name as input parameters, connects to the Amazon API endpoint through HTTP Query API calls and retrieves the value of that metric for the instance.
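What an active check has to deliver to Nagios is an exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and one status line, optionally followed by performance data after a pipe. The Ruby below is an added example of that contract for the two checks just described; it is not the code published on Nagios Exchange. The Amazon API call is replaced by an injected fetcher so that the logic runs offline; in the real plugins that fetcher is the DescribeInstances or GetMetricStatistics query made through the EC2 gem. The state-to-status mapping and the thresholds are our choices, and the instance ids and metric values are constructed sample data.

```ruby
# Added example, not the plugins published on Nagios Exchange: the decision
# logic of an instance-status check and of a CloudWatch threshold check, with
# the Amazon API call replaced by an injected fetcher so that it runs offline.
NAGIOS = { ok: 0, warning: 1, critical: 2, unknown: 3 }.freeze

# EC2 instance states as returned by DescribeInstances, mapped to Nagios
# states (our mapping: transitional states warn, stopped/terminated are critical).
STATE_TO_NAGIOS = {
  "running" => :ok,
  "pending" => :warning, "stopping" => :warning, "shutting-down" => :warning,
  "stopped" => :critical, "terminated" => :critical,
}.freeze

# Returns [exit_code, status_line]. Anything that goes wrong on the API side
# (network error, unknown instance, bad credentials) is UNKNOWN, never OK.
def instance_status_check(instance_id, fetch_state)
  state = fetch_state.call(instance_id)
  level = STATE_TO_NAGIOS.fetch(state, :unknown)
  [NAGIOS[level], "#{level.to_s.upcase} - #{instance_id} is #{state}"]
rescue StandardError => e
  [NAGIOS[:unknown], "UNKNOWN - #{instance_id}: #{e.class}: #{e.message}"]
end

# Threshold check on a CloudWatch metric. A missing datapoint is UNKNOWN,
# not OK, so that an instance that stopped reporting does not look healthy.
# The part after "|" is Nagios performance data: value;warn;crit.
def metric_check(instance_id, metric, warn, crit, fetch_metric)
  value = fetch_metric.call(instance_id, metric)
  return [NAGIOS[:unknown], "UNKNOWN - no #{metric} datapoint for #{instance_id}"] if value.nil?
  level = if value >= crit then :critical elsif value >= warn then :warning else :ok end
  [NAGIOS[level], "#{level.to_s.upcase} - #{instance_id} #{metric}=#{value} | #{metric}=#{value};#{warn};#{crit}"]
rescue StandardError => e
  [NAGIOS[:unknown], "UNKNOWN - #{instance_id}: #{e.class}: #{e.message}"]
end

# Constructed sample data standing in for the API responses.
SAMPLE_STATES  = { "i-00000001" => "running", "i-00000002" => "stopped" }.freeze
SAMPLE_METRICS = { ["i-00000001", "CPUUtilization"] => 73.2,
                   ["i-00000002", "CPUUtilization"] => 5.0 }.freeze
SAMPLE_STATE_FETCHER  = ->(id) { SAMPLE_STATES.fetch(id) }          # KeyError for an unknown id
SAMPLE_METRIC_FETCHER = ->(id, metric) { SAMPLE_METRICS[[id, metric]] } # nil when no datapoint
```

In a plugin the pair is consumed as `code, line = instance_status_check(id, fetcher); puts line; exit code`. Keeping the fetcher separate also keeps the credentials handling (next section) out of the check logic.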

Security

As these two Nagios plugins require Amazon credentials (Access Key ID and Secret Access Key) to connect to the Amazon API endpoints, we must ensure that the credentials are encrypted (that is, not stored in clear on disk) and that the permissions on both the encryption key and the encrypted credentials are restricted to the user or daemon running the plugins. Moreover, our plugins only require read-only access to the Amazon API endpoints, therefore we highly recommend using AWS Identity and Access Management (IAM) to generate read-only Amazon credentials. We have written a blog post on how to generate read-only Amazon EC2 credentials.
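The following Ruby is an added example of the safeguards this section (and the Copy AMI post's advice to use temporary, read-only IAM credentials) asks for; it is not SecludIT's code. It contains an IAM policy limited to the actions the two plugins need, a check that rejects any policy granting more than Describe/Get/List actions, at-rest encryption of the credentials with AES-256-GCM (the file layout, IV first, then tag, then ciphertext, and the use of a separate 32-byte key file are our assumptions), and a permission check that refuses a credentials or key file readable by anyone but its owner.

```ruby
require "json"
require "openssl"
require "tempfile"

# Added example, not SecludIT's code: least-privilege IAM policy, a policy
# linter, credentials encrypted at rest, and a file-permission check.

# The actions the two plugins need: instance state and CloudWatch reads.
READ_ONLY_POLICY = {
  "Version" => "2012-10-17",
  "Statement" => [{
    "Effect"   => "Allow",
    "Action"   => ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                   "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
    "Resource" => "*",
  }],
}.freeze

READ_ONLY_PREFIXES = %w[Describe Get List].freeze

# True only if every Allow statement grants Describe*/Get*/List* actions;
# "ec2:*" or "ec2:RunInstances" make it fail. Deny statements are ignored.
def read_only_policy?(policy)
  policy.fetch("Statement").all? do |st|
    next true if st["Effect"] == "Deny"
    Array(st["Action"]).all? do |action|
      op = action.split(":", 2)[1]
      op && READ_ONLY_PREFIXES.any? { |prefix| op.start_with?(prefix) }
    end
  end
end

# Encrypt the credentials JSON with a 32-byte key kept in a separate,
# 0600-protected file. Blob layout (our choice): 12-byte IV, 16-byte tag, ciphertext.
def encrypt_credentials(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv                  # fresh 12-byte nonce per encryption
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the blob or the key does not match:
# a modified ciphertext is detected by the GCM tag instead of yielding garbage.
def decrypt_credentials(blob, key)
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

def tampered?(blob, key)
  decrypt_credentials(blob, key)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# A credentials or key file is usable only if it is a regular file owned by
# the user running the plugin and not accessible by group or others.
def credentials_file_usable?(path)
  st = File.stat(path)
  st.file? && st.uid == Process.uid && (st.mode & 0o077).zero?
rescue Errno::ENOENT
  false
end

# Shows the permission check on a temporary file: [strict 0600, too open 0644].
def permission_demo
  Tempfile.create("aws-credentials") do |f|
    File.chmod(0o600, f.path)
    strict = credentials_file_usable?(f.path)
    File.chmod(0o644, f.path)
    [strict, credentials_file_usable?(f.path)]
  end
end
```

The policy is what the temporary IAM user for the plugins (or for a Copy AMI run) should carry; read_only_policy? is a cheap guard to run before attaching any policy generated by a script. Note that encryption at rest only moves the secret to the key file, which is why the same permission check applies to it, and why using IAM to issue credentials that can do nothing but read is the stronger of the two measures.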

Amazon EC2 security monitoring using SecludIT’s Elastic Detector

SecludIT uses Nagios in Elastic Detector, a security and monitoring tool for Amazon EC2. The two Nagios plugins (which we have given to the community) are used in Elastic Detector to get the status and metrics of Amazon EC2 instances. This information is one of the inputs to our detection engine and is complemented by other security-related information such as Amazon EC2 Security Groups analysis and open ports. Elastic Detector is therefore agentless and detects Amazon EC2 security-related events.

Feel free to try out our Nagios plugins and Elastic Detector and let us know what you think.

/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

Tendances cloud virtual conference

Yet another French presentation to promote the “Tendances cloud” whitepaper, with great questions from the more than 90 participants. Thanks to the other contributors and to the organizers, Salesforce.com and PowerOn.
Please stay tuned for the recording of the conference (in French).

Filed under: Cloud Computing, CSA, Elastic Security, IaaS, Presentations

Trust and cloud security conference

Last week I was happy to be part of the conference on Trust and Security for cloud computing, organized by the Pole SCS. I enjoyed the very good presentations and interesting ideas for collaborative projects. Keep up the good work, Pole SCS. Here are my slides.

Filed under: Cloud Computing, CSA, Discussions, Elastic Security, IaaS, Presentations
