Elastic Security


Security for the Cloud

Monitoring Tool: Amazon EC2 plugins for Nagios

SecludIT has published two plugins for monitoring Amazon EC2 with the Nagios open source monitoring solution. These plugins are available on Nagios Exchange under the Apache 2 License. Both plugins are written in Ruby on top of the Amazon EC2 Ruby gem and talk to the Amazon API endpoints through HTTP Query API calls.

Nagios Plugins for Amazon EC2

The Nagios open source monitoring solution consists of several Nagios projects, including:

  • Nagios Core: the open source monitoring engine and multiple APIs for extending core functionality
  • Nagios Plugins: efficient, standalone extensions that provide low-level intelligence for monitoring everything with Nagios Core

Unlike traditional IT infrastructures, cloud computing stacks such as Amazon EC2 expose server monitoring through their programming interfaces (APIs), which means that:

  • you do not need to install and maintain agents on the servers (for example, no SNMP agent installation and configuration)
  • you do not need to configure and protect privileged access to the servers (for example, no remote SSH tunnels)

The plugins we provide illustrate these advantages. Without agents, you can:

  • know the status of your servers (running, stopped, starting, stopping)
  • get metrics for your servers (CPU utilization, network traffic and disk I/O)

Check Amazon EC2 Instance status plugin

The Check AWS EC2 Instance Status plugin retrieves the status of an Amazon EC2 instance. It is a Nagios active check that takes the Amazon API endpoint and an Amazon EC2 instance ID as input parameters, connects to the endpoint through HTTP Query API calls and returns the status of that instance.

Get Amazon CloudWatch metrics plugin

The Get Amazon CloudWatch Metrics plugin retrieves metrics from Amazon CloudWatch. It is a Nagios active check that takes the Amazon API endpoint, an Amazon EC2 instance ID and the name of a CloudWatch metric as input parameters, connects to the endpoint through HTTP Query API calls and returns the value of that metric for the instance.
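The two checks above boil down to the same pattern: call the Query API, pull one value out of the XML reply, and turn it into a Nagios return code and status line. The following Ruby is an added example written for this page, not the SecludIT plugins themselves: it skips the signed HTTP request and works on constructed DescribeInstances and GetMetricStatistics replies (the namespace URIs, instance IDs and datapoints are made up), so it runs offline. It shows two details a practitioner wants in such a check: an instance ID that is absent from the reply is UNKNOWN rather than OK, and the CloudWatch datapoint used is the most recent one, since CloudWatch does not order datapoints by time.

```ruby
require "rexml/document"

# Nagios plugin return codes and their labels.
NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3
NAGIOS_LABEL = %w[OK WARNING CRITICAL UNKNOWN].freeze

# Instance state names as returned by DescribeInstances. A transient state
# is a WARNING; a stopped or terminated server is CRITICAL.
STATE_TO_NAGIOS = {
  "running" => NAGIOS_OK,
  "pending" => NAGIOS_WARNING, "stopping" => NAGIOS_WARNING,
  "shutting-down" => NAGIOS_WARNING,
  "stopped" => NAGIOS_CRITICAL, "terminated" => NAGIOS_CRITICAL,
}.freeze

# Both replies put their elements in a default XML namespace, so the helpers
# below match on local element names instead of relying on XPath.
def child(el, name)
  el.elements.to_a.find { |e| e.name == name }
end

def child_text(el, name)
  c = child(el, name)
  c && c.text.to_s.strip
end

def each_named(node, name)
  node.each_recursive { |el| yield el if el.name == name }
end

# Check the state of one instance. An ID that is not in the reply is UNKNOWN,
# never OK, so a typo in the ID cannot look like a healthy host; the ID is
# validated first so a caller cannot smuggle markup into the lookup.
def check_instance_status(xml, instance_id)
  return [NAGIOS_UNKNOWN, "UNKNOWN - malformed instance id"] unless instance_id =~ /\Ai-[0-9a-f]+\z/
  doc = REXML::Document.new(xml)
  each_named(doc, "item") do |item|
    next unless child_text(item, "instanceId") == instance_id
    st = child(item, "instanceState")
    state = st && child_text(st, "name")
    code = STATE_TO_NAGIOS.fetch(state, NAGIOS_UNKNOWN)
    return [code, "#{NAGIOS_LABEL[code]} - #{instance_id} is #{state}"]
  end
  [NAGIOS_UNKNOWN, "UNKNOWN - #{instance_id} not found in response"]
end

# Check a CloudWatch metric against warning/critical thresholds using the
# most recent datapoint. Output follows the Nagios "STATUS - text | perfdata"
# convention so the value is also graphable.
def check_metric(xml, metric, warn, crit)
  doc = REXML::Document.new(xml)
  points = []
  each_named(doc, "member") do |m|
    ts, avg = child_text(m, "Timestamp"), child_text(m, "Average")
    points << [ts, avg.to_f, child_text(m, "Unit")] if ts && avg
  end
  return [NAGIOS_UNKNOWN, "UNKNOWN - no datapoints for #{metric}"] if points.empty?
  ts, value, unit = points.max_by(&:first) # ISO 8601 UTC stamps sort lexically
  code = value >= crit ? NAGIOS_CRITICAL : value >= warn ? NAGIOS_WARNING : NAGIOS_OK
  [code, "#{NAGIOS_LABEL[code]} - #{metric} #{value} #{unit} at #{ts} | #{metric}=#{value};#{warn};#{crit}"]
end

# Constructed sample replies, trimmed to the elements the checks need.
SAMPLE_DESCRIBE_INSTANCES = <<~XML
  <DescribeInstancesResponse xmlns="http://ec2.amazonaws.com/doc/2011-01-01/">
    <reservationSet><item>
      <reservationId>r-12345678</reservationId>
      <instancesSet>
        <item><instanceId>i-0a1b2c3d</instanceId>
          <instanceState><code>16</code><name>running</name></instanceState></item>
        <item><instanceId>i-deadbeef</instanceId>
          <instanceState><code>80</code><name>stopped</name></instanceState></item>
      </instancesSet>
    </item></reservationSet>
  </DescribeInstancesResponse>
XML

SAMPLE_METRIC = <<~XML
  <GetMetricStatisticsResponse xmlns="http://monitoring.amazonaws.com/doc/2010-08-01/">
    <GetMetricStatisticsResult>
      <Label>CPUUtilization</Label>
      <Datapoints>
        <member><Timestamp>2011-05-10T12:05:00Z</Timestamp><Unit>Percent</Unit><Average>91.2</Average></member>
        <member><Timestamp>2011-05-10T12:00:00Z</Timestamp><Unit>Percent</Unit><Average>87.5</Average></member>
      </Datapoints>
    </GetMetricStatisticsResult>
  </GetMetricStatisticsResponse>
XML

puts check_instance_status(SAMPLE_DESCRIBE_INSTANCES, "i-0a1b2c3d")[1]
puts check_metric(SAMPLE_METRIC, "CPUUtilization", 70, 90)[1]
```

In a real plugin the returned code is passed to `exit` and the message printed on the first line; here the two calls at the bottom only print, so the file can be loaded as a library.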

Security

Because these two Nagios plugins require Amazon credentials (an Access Key ID and a Secret Access Key) to connect to the Amazon API endpoints, the credentials must be encrypted at rest (that is, never stored in clear on disk), and permissions on both the encryption key and the encrypted credentials must be restricted to the user or daemon that runs the plugins. Moreover, the plugins only need read-only access to the Amazon APIs, so we strongly recommend using AWS Identity and Access Management (IAM) to generate read-only credentials for them: a leaked monitoring key can then describe instances and read metrics, but cannot stop, terminate or reconfigure anything. We have written a blogpost on how to generate read-only Amazon EC2 credentials.
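Two of the three precautions above are easy to check mechanically, and the following Ruby does so. It is an added example for this page, not SecludIT's code, and the IAM policy it carries is an assumed minimal action list for these two plugins, not the policy from the linked blogpost: the audit flags any Allow statement whose actions are not explicit Describe/Get/List calls (wildcards such as `ec2:*` and `NotAction` statements are reported, since both widen silently), and the permission check refuses a credential or key file that is readable by group or world or owned by someone other than the monitoring user. Encrypting the credentials themselves is left to the operator's tooling and is not shown.

```ruby
require "json"
require "tempfile"

# Assumed least-privilege policy for the two checks: only the describe/read
# calls they issue, no mutating EC2 actions.
READ_ONLY_MONITORING_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "cloudwatch:GetMetricStatistics",
          "cloudwatch:ListMetrics"
        ],
        "Resource": "*"
      }
    ]
  }
JSON

# Constructed counter-example: "ec2:*" would let a leaked monitoring key
# stop or terminate instances and rewrite security groups.
OVERLY_BROAD_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": ["ec2:*", "cloudwatch:GetMetricStatistics"], "Resource": "*" }
    ]
  }
JSON

# Only explicit Describe/Get/List actions on these two services count as
# read-only. Wildcards ("ec2:*", "ec2:Describe*") fail on purpose: they grow
# as AWS adds actions.
READ_ONLY_ACTION = /\A(ec2|cloudwatch):(Describe|Get|List)[A-Za-z]+\z/

# Returns the actions of every Allow statement that are not read-only.
# An empty array means the policy is acceptable for the plugins.
def non_read_only_actions(policy_json)
  policy = JSON.parse(policy_json)
  stmts = policy["Statement"]
  stmts = [stmts] unless stmts.is_a?(Array) # a single statement may be a bare object
  stmts.flat_map do |st|
    next [] unless st["Effect"] == "Allow"
    # NotAction allows everything except what is listed: never read-only.
    next ["NotAction:#{Array(st["NotAction"]).join(",")}"] if st.key?("NotAction")
    Array(st["Action"]).map(&:to_s).reject { |a| a.match?(READ_ONLY_ACTION) }
  end
end

# The credential file (and the key that decrypts it) must belong to the user
# running the checks and carry no group or world permission bits.
def private_to_owner?(path, expected_uid = Process.uid)
  st = File.stat(path)
  st.uid == expected_uid && (st.mode & 0o077).zero?
end

# Demo on a constructed temporary file standing in for the credential file.
Tempfile.create("aws-credentials") do |f|
  File.chmod(0o600, f.path)
  puts "mode 0600 -> private: #{private_to_owner?(f.path)}"
  File.chmod(0o644, f.path)
  puts "mode 0644 -> private: #{private_to_owner?(f.path)}"
end
puts "read-only policy, offending actions: #{non_read_only_actions(READ_ONLY_MONITORING_POLICY).inspect}"
puts "broad policy, offending actions:     #{non_read_only_actions(OVERLY_BROAD_POLICY).inspect}"
```

Run the permission check against both the encrypted credential file and the key that decrypts it; a correct mode on one and a world-readable copy of the other is the usual way this protection is defeated.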

Amazon EC2 security monitoring using SecludIT’s Elastic Detector

SecludIT uses Nagios inside Elastic Detector, a security and monitoring tool for Amazon EC2. The two Nagios plugins we contributed to the community are used in Elastic Detector to obtain the status and metrics of Amazon EC2 instances. This information is one of the inputs to our detection engine and is complemented by other security-related information, such as Amazon EC2 Security Group analysis and open ports. Elastic Detector is therefore agentless and detects Amazon EC2 security-related events.

Feel free to try out our Nagios plugins and Elastic Detector and let us know what you think.

/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

Tendances cloud virtual conference

Yet another French presentation to promote the “Tendances cloud” whitepaper, with great questions from the more than 90 participants. Thanks to the other contributors and to the organizers, Salesforce.com and PowerOn.
Please stay tuned for the recording of the conference (in French).
 

Filed under: Cloud Computing, CSA, Elastic Security, IaaS, Presentations

Trust and cloud security conference

Last week I was happy to be part of the conference on Trust and Security for cloud computing organized by the Pole SCS. I enjoyed the very good presentations and the interesting ideas for collaborative projects. Keep up the good work, Pole SCS. Here are my slides.

Filed under: Cloud Computing, CSA, Discussions, Elastic Security, IaaS, Presentations

CloudyScripts: Ruby code for command line Security Audit via SSH

As requested by our users, we have just added sample code for writing Ruby scripts on top of the cloudyscripts gem, which can be found on RubyGems or on RubyForge.

The first script runs a Security Audit via SSH from the command line. We also extended its scope: the Security Audit can now be run against a running instance as well as against an AMI, which allows you:

  • to test running instances, so there is no need to wait for a new instance to start
  • to audit a production server while keeping full control of the audit process

For information on how to retrieve the source code of this open source project, published under the Apache 2.0 License, please go to the cloudyscripts SCM on RubyForge.

We would like to thank Jonas Zaddach (Master Computer Science Student at Eurecom) who wrote the “Security Audit via SSH” part of the cloudyscripts library during his internship at SecludIT.

/fred

Filed under: AWS, Cloud Computing, Secure Cloud

New CloudyScript: Security Audit via SSH

We are glad to announce a new CloudyScript, Security Audit via SSH, which performs a Security Audit of an Amazon EC2 AMI. It requires a privileged user that can run sudo on the instance.

Security auditing is especially important in cloud computing infrastructures, where virtual machine images (AMIs, in the case of Amazon) may be shared among users. To avoid backdoors or vulnerable machines in your own Amazon EC2 infrastructure, you MUST evaluate any public AMI you use. The Security Audit via SSH CloudyScript automates that task.

Here is a sample output of an SSH Audit:

Moreover, we designed it as a library of security audits, which for now contains audits for SSH and Apache2 servers; we will continue to extend it with other security audits.

/fred

NB: this Security Audit does not check the IP restrictions for reaching the SSH server. To verify that your SSH server is not publicly exposed, you can use the Public Port Checker CloudyScript.
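The post does not list what the SSH audit looks at, so the following Ruby is an added example of the kind of checks such an audit performs, not the cloudyscripts implementation: it assumes the sudo user described above has already fetched `/etc/ssh/sshd_config` and `/etc/passwd` over SSH, and works on constructed copies of both. The sshd_config parser honours the two rules that make naive grep-based audits wrong (the first occurrence of a directive wins, and directives after a `Match` line are conditional), reports directives that are missing rather than assuming a default, and the passwd check looks for the classic AMI backdoor, a second UID-0 account. The accepted values are this example's choice, not the library's.

```ruby
# Directives the audit expects, keyed by lower-cased name (sshd_config
# directive names are case-insensitive), with the values accepted here.
SSHD_EXPECTED = {
  "protocol"               => %w[2],
  "permitrootlogin"        => %w[no prohibit-password without-password],
  "passwordauthentication" => %w[no],
  "permitemptypasswords"   => %w[no],
  "x11forwarding"          => %w[no],
}.freeze

# Parse the global section of an sshd_config. The first occurrence of a
# directive wins, and everything after a Match line applies only to the
# matched connections, so the global audit stops there.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s*=\s*|\s+/, 2) # "Key value" or "Key=value"
    key = key.downcase
    break if key == "match"
    settings[key] ||= value.to_s.strip
  end
  settings
end

# Returns [directive, problem] pairs. A directive that is not set is reported
# as well: its effective value then depends on the sshd build's default,
# which cannot be seen from the config file alone.
def audit_sshd_config(text)
  settings = parse_sshd_config(text)
  SSHD_EXPECTED.map do |key, accepted|
    value = settings[key]
    if value.nil?
      [key, "not set explicitly; falls back to the sshd default"]
    elsif !accepted.include?(value.downcase)
      [key, "is '#{value}', expected one of #{accepted.join('/')}"]
    end
  end.compact
end

# Extra UID-0 accounts are a classic image backdoor: whoever knows the
# password or holds the key logs in as root under another name.
def extra_root_accounts(passwd_text)
  passwd_text.each_line.map { |l| l.chomp.split(":") }
             .select { |f| f.size >= 3 && f[2] == "0" && f[0] != "root" }
             .map(&:first)
end

# Constructed sample files, as they might come back from "sudo cat".
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  Port 22
  Protocol 2
  PermitRootLogin yes
  #PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding no
  Match User backup
      PasswordAuthentication yes
CONF

SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  toor:x:0:0::/root:/bin/bash
  ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
PASSWD

audit_sshd_config(SAMPLE_SSHD_CONFIG).each { |key, problem| puts "sshd_config: #{key} #{problem}" }
extra_root_accounts(SAMPLE_PASSWD).each { |name| puts "passwd: extra UID-0 account '#{name}'" }
```

Note that the commented-out `PasswordAuthentication no` is reported as unset, and the `PasswordAuthentication yes` inside the `Match` block is correctly ignored for the global verdict: both are cases where a plain text search would give the wrong answer.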

Filed under: AWS, Cloud Computing, Secure Cloud

Symposia Journal

The latest edition of the Symposia Journal is out, a magazine with community driven high quality articles around Cloud Computing (partly in German). We contributed to the latest edition with an article about the top threats of cloud computing in the IaaS space and how to tackle them. Have fun reading!

Filed under: Cloud Computing, Discussions

The Risk of Unused Public Ports

Public access should be limited to services that are meant to be public. Public services are the most exposed to external attacks and should be kept to a minimum. Furthermore, a port that is open to the public should have a running service behind it: otherwise an attacker or an insider (even one without access to the Security Group firewall) can deploy a rogue, publicly reachable service on that port inside your infrastructure.

We therefore wrote a script, as part of the CloudyScripts project, that detects open public ports with no service behind them, for all instances in your EC2 infrastructure. Note: the same feature is also part of Elastic Detector and is described in more detail here.

Filed under: AWS

New CloudyScript: Detect Port Ranges

Amazon EC2 uses the notion of Security Groups to let users define inbound firewall rules (called permissions) that are dynamically applied to all server instances that belong to the group. This concept is easy and powerful at the same time, since permissions are configured only once and are then applied like a template to all future server instances, unlike traditional firewalls, where rules are defined for every server. On the other hand, a wrong configuration has a higher impact, since all server instances of a misconfigured group are affected.

Thus, the configuration of Security Groups and their assignment to launched instances should be done very carefully. One very frequent misconfiguration is to open complete port ranges to public IP addresses. It also happens that third-party EC2 tools use the API to create Security Groups with open port ranges to ease their own access, thereby exposing your infrastructure.

Open port ranges allow attackers to scan for the ports that are actually in use, fingerprint the services running on a particular machine, and focus on particularly critical ports such as port 22 for SSH. We added a script to our CloudyScripts library that identifies all Security Groups with open port ranges in a given EC2 region. You can find the script here. An additional contribution to make the cloud more secure; your feedback is always welcome!
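The two scripts described on this page, the open-port-range detector above and the unused-public-port detector from "The Risk of Unused Public Ports", share the same input: the Security Group permissions and, for the second, which ports actually have a listener. The following Ruby is an added example for both, not the CloudyScripts code, and it works on constructed data rather than on the EC2 API: the permissions are hand-written hashes in the shape EC2 reports them (group, protocol, port range, source CIDR), the instance list carries each instance's groups and the TCP ports a scan found listening, and the group and instance names are made up. The first function flags every rule that opens more than one port to the whole Internet; the second computes, per instance, the publicly reachable TCP ports with nothing listening on them and collapses the result into ranges so a 0-65535 rule does not produce 65,000 lines of output.

```ruby
# Constructed Security Group permissions, one hash per inbound rule.
SAMPLE_PERMISSIONS = [
  { group: "web",    proto: "tcp", from: 80,   to: 80,    cidr: "0.0.0.0/0" },
  { group: "web",    proto: "tcp", from: 443,  to: 443,   cidr: "0.0.0.0/0" },
  { group: "web",    proto: "tcp", from: 22,   to: 22,    cidr: "203.0.113.0/24" },
  { group: "tools",  proto: "tcp", from: 8000, to: 8100,  cidr: "0.0.0.0/0" },
  { group: "legacy", proto: "tcp", from: 0,    to: 65535, cidr: "0.0.0.0/0" },
].freeze

# Constructed instances: group membership plus the TCP ports a port scan
# (or netstat on the host) found listening.
SAMPLE_INSTANCES = [
  { id: "i-web01",   groups: %w[web],        listening: [22, 80, 443] },
  { id: "i-tools01", groups: %w[tools],      listening: [8080] },
  { id: "i-old01",   groups: %w[legacy web], listening: [22, 80] },
].freeze

PUBLIC_SOURCES = %w[0.0.0.0/0 ::/0].freeze

def public?(perm)
  PUBLIC_SOURCES.include?(perm[:cidr])
end

# Rules that open more than a single port to the whole Internet. Protocol
# "-1" is EC2's notation for all protocols and counts as a range too.
def open_port_ranges(perms)
  perms.select { |p| public?(p) && (p[:proto] == "-1" || p[:to] > p[:from]) }
end

# Collapse a list of ports into "a-b" strings for a readable report.
def to_ranges(ports)
  ports.sort.uniq.slice_when { |a, b| b != a + 1 }.map do |run|
    run.size == 1 ? run.first.to_s : "#{run.first}-#{run.last}"
  end
end

# For each instance, the TCP ports reachable from the Internet through its
# groups on which nothing listens: free space for a rogue service.
def unused_public_ports(perms, instances)
  instances.map do |inst|
    exposed = perms.select { |p| inst[:groups].include?(p[:group]) && public?(p) && p[:proto] == "tcp" }
                   .flat_map { |p| (p[:from]..p[:to]).to_a }
    [inst[:id], to_ranges(exposed - inst[:listening])]
  end.to_h
end

open_port_ranges(SAMPLE_PERMISSIONS).each do |p|
  puts "range open to the world: group #{p[:group]} #{p[:proto]} #{p[:from]}-#{p[:to]}"
end
unused_public_ports(SAMPLE_PERMISSIONS, SAMPLE_INSTANCES).each do |id, ranges|
  puts "#{id}: unused public ports #{ranges.empty? ? 'none' : ranges.join(', ')}"
end
```

The `web` group's SSH rule is neither flagged nor counted as public because its source is a single /24, which is the configuration the "Detect Port Ranges" post recommends; the `legacy` group shows why membership matters: an instance in both `legacy` and `web` is wide open even though `web` alone is tight.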

Filed under: AWS

Tendances cloud

Sorry to the non-French readers, but I am often asked for French papers about cloud computing and security. We are proud to be contributors to a French white paper on cloud computing, so here is the link:

http://www.tendances-cloud.com/

Happy reading.

Filed under: Cloud Computing, Elastic Security, IaaS, News, SaaS, Secure Cloud

How to increase security and visibility of Amazon EC2 instances?

Amazon EC2 administrators have to deal with daily problems such as:

  • ensuring the security of new instances,
  • detecting performance and capacity problems,
  • keeping track of modifications to the infrastructure.

We would like to give you some insight into our solution to these problems, which makes the life of cloud administrators easier by detecting security-related issues and events: Elastic Detector. What makes this product unique is that it is fully automated and agentless. You can see how Elastic Detector works in this short video:


Filed under: AWS, Cloud Computing, Elastic Security, IaaS, Internals, Secure Cloud, Solutions
