Elastic Security

Security for the Cloud

AWS South America support in CloudyScripts

Yesterday, Amazon announced on its blog that they have deployed a new region in South America (Sao Paulo, Brazil); the full article can be found here.

Even though the Amazon documentation did not yet contain all the required information (such as the Amazon Kernel Image IDs), we were able to retrieve them, which allows CloudyScripts to fully support this new region.

CloudyScripts gem

A new version has been released with the AKI mapping table brought up to date for this new region.
We retrieved the AKI list with the AWS EC2 API tools as follows (the awk filter keeps the image ID, the manifest location and the architecture):

[fred@secludit-debian]# /bin/ec2-describe-images -K pkey-XXX.pem -C cert-XXX.pem --region sa-east-1 -a | grep pv-grub | awk '{print $2" "$3" "$7}'
aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
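As an added example (not part of the original post and not the cloudyscripts gem's own code), here is how the listing above can be parsed into a mapping table and used to find the equivalent PV-GRUB AKI in another region. AKI IDs are region-scoped, so the table keys on what identifies "the same" kernel: disk layout (hd0 boots from an unpartitioned root volume, hd00 from its first partition), PV-GRUB version and architecture. The sa-east-1 listing is the real one printed above; the second region and its aki-0000000x IDs are constructed placeholders, and the function names are my own.

```ruby
# Added example: parse `ec2-describe-images ... | awk '{print $2" "$3" "$7}'`
# output into a PV-GRUB AKI mapping table and map an AKI id across regions.
# Not part of the original post or of the cloudyscripts gem.

# Real listing from the post (region sa-east-1).
SA_EAST_1_LISTING = <<~EOS
  aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
  aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
  aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
  aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
  aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
  aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
  aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
  aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
EOS

# Constructed listing for a second region: region name and IDs are placeholders,
# not real AKIs. Note it has no V1.01 kernels, so some mappings must fail.
EXAMPLE_REGION_LISTING = <<~EOS
  aki-00000001 ec2-public-images-xx-example-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
  aki-00000002 ec2-public-images-xx-example-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
  aki-00000003 ec2-public-images-xx-example-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
EOS

# Both naming styles seen above are accepted: "hd0-V1.01" and "hd0_1.02".
# "hd00" must be tried before "hd0", otherwise "hd0" would match the prefix.
MANIFEST_RE = %r{
  \Aec2-public-images(?:-(?<region>[a-z0-9-]+))?/
  pv-grub-(?<disk>hd00|hd0)[-_]V?(?<version>\d+\.\d+)-(?<arch>i386|x86_64)
  \.gz\.manifest\.xml\z
}x

# Parse the three-column listing into records, cross-checking the manifest
# against the region that was queried and the architecture column.
def parse_aki_listing(text, region:)
  text.each_line.map(&:split).select { |f| f.size == 3 }.map do |id, manifest, arch|
    m = MANIFEST_RE.match(manifest) or next
    raise "#{manifest}: bucket region #{m[:region]} != queried region #{region}" if m[:region] && m[:region] != region
    raise "#{manifest}: architecture column #{arch} != manifest #{m[:arch]}" if m[:arch] != arch
    { region: region, id: id, disk: m[:disk], version: m[:version], arch: arch }
  end.compact
end

# The properties that identify the same kernel across regions.
def aki_key(rec)
  [rec[:disk], rec[:version], rec[:arch]]
end

# table[region][key] => AKI id
def build_aki_table(*listings)
  listings.each_with_object({}) do |recs, table|
    recs.each { |r| (table[r[:region]] ||= {})[aki_key(r)] = r[:id] }
  end
end

# Map an AKI id from one region to the equivalent id in another. Returns nil
# (never a guess) when the source id is unknown or the target region has no
# kernel with the same layout, version and architecture.
def map_aki(table, aki_id, from:, to:)
  key, _ = (table[from] || {}).find { |_, id| id == aki_id }
  return nil unless key
  (table[to] || {})[key]
end
```

A missing equivalent is a stop condition for a copy script, not something to paper over: registering an AMI with an AKI of the wrong layout or architecture gives an instance that never boots.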

CloudyScripts WebSite

Our free online service has been updated as well to support this new region in each of its scripts.

As requested by CloudyScripts users, we have also added support for auditing VPC Security Groups.

  • VPC Critical Ports Audit: this script checks whether the VPC Security Groups of your infrastructure allow public access to ports considered so sensitive that exposing them may cause critical damage to your machines, such as the ports used to administer them.

/fred

Filed under: AWS, Cloud Computing

Elastic Security: Vulnerability Assessment

Elastic Detector, our FREE Vulnerability Assessment tool for Amazon EC2, has recently been updated with NEW features. Of course, the NEW Amazon US-West (Oregon) region has been added at the same time (see the AWS blog post for more information).

Security is sometimes considered boring (as noted in one of our previous posts, on Open Ports Check), so I take this opportunity to explain the security features that have recently been added and to point out two characteristics of Elastic Detector that are essential for a security solution that can cope with the elasticity of cloud infrastructures.

New Security Features of Elastic Detector

  • Blacklist Checks: check against well-known RBLs whether your Elastic IP address (EIP in Amazon naming) or the IP address taken from the Amazon address pool is blacklisted.
    This allows cloud users to detect a configuration error in a mail server that is acting as an open relay, or a malicious insider using your infrastructure to run a botnet (one of the Cloud Security Alliance Top Threats).
  • Critical Ports Audit: check against a tunable list of sensitive ports that no critical port is open to the public.
    This lets cloud users detect administrative services exposed to dictionary attacks, such as SSH, Webmin (on Linux instances) or RDP (on Windows instances).
  • Security Zones Auditor: define Security Zones according to the ports that are accessible (using three levels of security: public, sensitive and critical) and the source IP addresses that may reach those ports (using three levels of trust: untrusted, fairly trusted and trusted). Based on that information, Elastic Detector verifies that servers of different trust levels are strictly separated with regard to their Security Zones. For example, in a three-tier architecture (web server, application server, database server), an instance running the web server should not be able to reach the database instance directly, since that would expose your data if the web server is compromised.
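The two port-related checks above, the Critical Ports Audit (also the VPC Critical Ports Audit script described earlier on this page) and the Security Zones Auditor, share one piece of logic: classify each Security Group rule by the sensitivity of the ports it opens and by the trust of the sources it lets in, then flag the bad combinations. The following is an added example of that logic and is not Elastic Detector's or CloudyScripts' own code. The rule shape is a simplified stand-in for the EC2 ip_permissions structure, the port lists and the "adjacent tiers only" reading of zone separation are my choices, and the three security groups are constructed (203.0.113.0/24 is a documentation range).

```ruby
require "ipaddr"

# Added example, not Elastic Detector's or CloudyScripts' code: classify
# Security Group rules by port sensitivity and source trust and report the
# combinations the Critical Ports Audit and Security Zones Auditor would flag.

# Tunable port levels; ports not listed are "public" (the lowest level).
PORT_LEVELS = {
  "critical"  => [22, 3389, 10000],          # SSH, RDP, Webmin: administration
  "sensitive" => [3306, 5432, 1433, 11211],  # database and cache back-ends (my choice)
}

# Which (port level, source trust) pairs are findings, and how severe.
SEVERITY = {
  ["critical",  "untrusted"]      => "CRITICAL",   # the Critical Ports Audit case
  ["critical",  "fairly-trusted"] => "WARNING",
  ["sensitive", "untrusted"]      => "WARNING",
}

# Source trust: 0.0.0.0/0 (or ::/0) is untrusted, a CIDR inside one of the
# trusted ranges is trusted, any other explicit CIDR is fairly-trusted. A
# security-group source is fairly-trusted unless listed as trusted.
def source_trust(src, trusted_cidrs:, trusted_groups: [])
  if src.start_with?("sg-")
    trusted_groups.include?(src) ? "trusted" : "fairly-trusted"
  elsif src.end_with?("/0")
    "untrusted"
  else
    net = IPAddr.new(src)
    trusted_cidrs.any? { |c| IPAddr.new(c).include?(net) } ? "trusted" : "fairly-trusted"
  end
end

# Highest level among the ports a rule opens. Protocol "-1" (all traffic)
# covers every port; a port range covers everything inside it.
def port_level(rule)
  from, to = rule[:from_port], rule[:to_port]
  covers = ->(p) { rule[:protocol] == "-1" || (from && to && (from..to).cover?(p)) }
  return "critical"  if PORT_LEVELS["critical"].any?(&covers)
  return "sensitive" if PORT_LEVELS["sensitive"].any?(&covers)
  "public"
end

# The Critical Ports Audit generalised to the whole level/trust matrix.
# groups: [{ id:, rules: [{ protocol:, from_port:, to_port:, sources: [..] }] }]
def audit_security_groups(groups, trusted_cidrs:, trusted_groups: [])
  groups.flat_map do |g|
    g[:rules].flat_map do |r|
      level = port_level(r)
      r[:sources].map do |src|
        trust = source_trust(src, trusted_cidrs: trusted_cidrs, trusted_groups: trusted_groups)
        severity = SEVERITY[[level, trust]] or next
        { group: g[:id], severity: severity, level: level, trust: trust,
          rule: "#{r[:protocol]} #{r[:from_port]}-#{r[:to_port]} from #{src}" }
      end.compact
    end
  end
end

# Security Zones check. zones maps group id -> tier (1 = web, 2 = app, 3 = db).
# My reading of "perfect separation": a group may only accept traffic from its
# own tier or an adjacent one, so a direct web -> db rule is a violation.
def zone_violations(groups, zones:)
  groups.flat_map do |g|
    next [] unless zones[g[:id]]
    g[:rules].flat_map do |r|
      r[:sources].select { |s| zones[s] && (zones[g[:id]] - zones[s]).abs > 1 }
                 .map { |s| { group: g[:id], from: s, ports: "#{r[:from_port]}-#{r[:to_port]}" } }
    end
  end
end

# Constructed three-tier sample.
SAMPLE_GROUPS = [
  { id: "sg-web", rules: [
    { protocol: "tcp", from_port: 80,  to_port: 80,  sources: ["0.0.0.0/0"] },
    { protocol: "tcp", from_port: 22,  to_port: 22,  sources: ["0.0.0.0/0"] },          # SSH open to the world
    { protocol: "tcp", from_port: 443, to_port: 443, sources: ["0.0.0.0/0"] } ] },
  { id: "sg-app", rules: [
    { protocol: "tcp", from_port: 8080, to_port: 8080, sources: ["sg-web"] },
    { protocol: "tcp", from_port: 22,   to_port: 22,   sources: ["203.0.113.0/24"] } ] }, # admin range
  { id: "sg-db", rules: [
    { protocol: "tcp", from_port: 3306, to_port: 3306, sources: ["sg-app", "sg-web"] },   # web -> db
    { protocol: "-1",  from_port: nil,  to_port: nil,  sources: ["10.0.0.0/8"] } ] },     # all traffic
]

if __FILE__ == $0
  audit_security_groups(SAMPLE_GROUPS, trusted_cidrs: ["203.0.113.0/24"]).each { |f| p f }
  zone_violations(SAMPLE_GROUPS, zones: { "sg-web" => 1, "sg-app" => 2, "sg-db" => 3 }).each { |v| p v }
end
```

On the sample this reports SSH on sg-web open to 0.0.0.0/0 as CRITICAL, the "all traffic from 10.0.0.0/8" rule on sg-db as a WARNING (it implicitly opens the administrative ports to a merely fairly-trusted range), and the sg-web source on the database port as a zone violation, while the admin range on sg-app and the public web ports produce nothing. A protocol "-1" rule is the case most audits get wrong: its from/to ports are empty, so a check that only compares port numbers never sees it.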

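The Blacklist Checks item above relies on a DNS-based blacklist (RBL) lookup. As an added example (not Elastic Detector's code), here is that lookup: the IPv4 address is queried as its reversed octets under the blacklist zone, and an A record inside 127.0.0.0/8 means "listed", with the last octet encoding the reason (zen.spamhaus.org, for instance, answers 127.0.0.2-3 for SBL, 127.0.0.4-7 for XBL and 127.0.0.10-11 for PBL). The resolver is injected so the example runs offline against constructed answers; pass Resolv::DNS.new to query the real zones. Function and class names are my own.

```ruby
require "ipaddr"
require "resolv"

# Added example, not Elastic Detector's code: an RBL (DNS blacklist) lookup.

LISTED_RANGE = IPAddr.new("127.0.0.0/8")

# "192.0.2.10" + "zen.spamhaus.org" -> "10.2.0.192.zen.spamhaus.org"
def rbl_query_name(ip, zone)
  addr = IPAddr.new(ip)
  raise ArgumentError, "IPv4 only (IPv6 zones use reversed nibbles)" unless addr.ipv4?
  "#{addr.to_s.split('.').reverse.join('.')}.#{zone}"
end

# Returns { listed: { zone => answer }, errors: [..] }. Answers outside
# 127.0.0.0/8 are ignored: a zone that answers every query with some other
# address is broken or decommissioned, not a listing. Resolution failures are
# reported separately so that a dead resolver is not mistaken for a clean address.
def rbl_check(ip, zones, resolver)
  result = { listed: {}, errors: [] }
  zones.each do |zone|
    name = rbl_query_name(ip, zone)
    begin
      answers = resolver.getaddresses(name).map(&:to_s)
    rescue Resolv::ResolvError, Resolv::ResolvTimeout => e
      result[:errors] << "#{zone}: #{e.class}"
      next
    end
    hit = answers.find { |a| LISTED_RANGE.include?(IPAddr.new(a)) }
    result[:listed][zone] = hit if hit
  end
  result
end

# Constructed stand-in for Resolv::DNS; every answer it gives is made up.
class FakeResolver
  def initialize(table)
    @table = table
  end

  def getaddresses(name)
    raise Resolv::ResolvTimeout if @table[name] == :timeout
    Array(@table[name])
  end
end

DEFAULT_ZONES = %w[zen.spamhaus.org bl.spamcop.net]
```

Two practical points: an address taken from the shared Amazon pool can arrive already listed because of what a previous tenant did with it, so the check is worth running when the address is allocated and not only on a schedule; and a zone that suddenly lists everything (or returns errors for everything) should be dropped from the list rather than acted on.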
Two Characteristics of Elastic Detector

  • Agentless: no additional agent or software to install on your instances.
    Since everything goes through the APIs, there is no risk of losing connectivity with an agent (because of a network problem, a misconfiguration or a human error) and no deployed agents to maintain. Moreover, an agent is itself a target for attack, so relying on the APIs gives an additional level of isolation.
  • Auto-Check Technology: every cloud resource (especially instances) is under control during its complete life cycle: continuous security checks based on customizable templates are automatically put in place as soon as a resource is detected by a real-time polling system, until the resource is shut down.

Feel free to comment or to ask for more details on any of these security points.
/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

Amazon US West Oregon Region Support in CloudyScripts

A few days ago Amazon announced that a new AWS region in Oregon is available (see the AWS blog post for more information).

Amazon's documentation for PV-GRUB AKI IDs (which can be found here) was not updated at the same time, which is why fully supporting the NEW US-West (Oregon) region in CloudyScripts took a few extra days (especially for the Copy AMI to Different Region script).

NB: the importance of being able to map PV-GRUB AKIs between Amazon regions was explained in a previous post, How-To: Copy an EBS-Backed AMI from one region to another one.

CloudyScripts Ruby gem

SecludIT has released a new version of the Ruby library containing the latest update on RubyForge. The gem is also available on RubyGems.org.

CloudyScripts WebSite

SecludIT has now added support for the NEW US West (Oregon) region in CloudyScripts.

As a reminder, here is some information on one of our most used scripts (more than 5,000 executions so far):

  • Copy AMI to Different Region: creates a copy of a given AMI and makes it available in another region. To do so, an instance is started in each region; a volume is created in the source region from a snapshot of the original AMI, and all its files are copied (via rsync) to a clean volume in the target region. After a successful copy, a snapshot of the target volume is taken and registered as an AMI in the target region.

CloudyScripts DevPay AMI

The SecludIT DevPay AMI has not been updated yet, but it should be available soon. This AMI runs in your own Amazon EC2 infrastructure and is available from our CloudyScripts website.

As usual, any feedback is greatly appreciated, so do not hesitate to contact us or leave a comment.

/fred

Filed under: AWS, Cloud Computing

Amazon EC2 Copy AMI and Snapshot: CloudyScripts updated

The SecludIT team is proud to announce that the Copy AMI and Copy Snapshot tools for Amazon EC2 in CloudyScripts, our collection of tools to manage and automate cloud infrastructures, have been improved.

Copy AMI from one region to another

At our users' request, we decided to add support for Amazon EC2 Linux AMIs (pre-configured, templated images to get up and running immediately) that use the EXT4 filesystem for their root partition and boot their own kernel through the Amazon PV-GRUB loader. While adding support for these kernels, we also added detection of the /dev/xvdX device node that recent kernels expose for a volume attached as /dev/sdX in the Amazon EC2 console.

New features:

  • Support of EXT4 and XFS linux filesystems
  • Amazon Kernel Image (AKI) mapping between regions

As a result, we have fully automated the how-to we wrote a while ago on copying EBS-backed AMIs between Amazon EC2 regions.
Using the CloudyScripts Copy AMI script, you can now move the vast majority of Amazon EC2 Linux AMIs to any Amazon EC2 region.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy AMI

NB: CloudyScripts does not yet support BTRFS, which is, at this time, under heavy development.

Copy Snapshot from one region to another

As our users also choose AMIs with EXT4 and XFS filesystems, support for these filesystems has been added to the Copy Snapshot CloudyScript as well, together with the detection of the /dev/xvdX device node for a volume attached as /dev/sdX in the Amazon EC2 console.
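The /dev/xvdX detection mentioned for both Copy AMI and Copy Snapshot comes down to one question: the console says the volume is attached as /dev/sdX, so which node does the instance's kernel actually expose? The following is an added example of that step, not CloudyScripts' own code; it only knows the sdX/xvdX pair the page describes, keeps any partition suffix, and takes the existence test as a parameter so it runs offline (by default it uses File.blockdev? on the real /dev). Function names are my own.

```ruby
# Added example, not CloudyScripts' code: find the kernel device node for a
# volume attached as /dev/sdX in the EC2 console. Older kernels expose
# /dev/sdX, newer Xen PV kernels /dev/xvdX; the partition number is kept.

# "/dev/sdf" -> ["/dev/sdf", "/dev/xvdf"]; "/dev/sdf1" -> ["/dev/sdf1", "/dev/xvdf1"]
# Accepts either spelling as input, so a caller may pass the name the kernel uses.
def device_candidates(console_name)
  m = %r{\A/dev/(?:sd|xvd)(?<letters>[a-z]+)(?<part>\d*)\z}.match(console_name)
  raise ArgumentError, "not an EC2 block device name: #{console_name}" unless m
  ["/dev/sd#{m[:letters]}#{m[:part]}", "/dev/xvd#{m[:letters]}#{m[:part]}"]
end

# First candidate that exists on the instance, or nil if the volume has not
# appeared yet. A copy script should wait and retry on nil, never mount a
# guess: on a busy instance the wrong node may be another tenant's data volume.
def resolve_device(console_name, exists: ->(path) { File.blockdev?(path) })
  device_candidates(console_name).find { |path| exists.call(path) }
end

# Poll until the node shows up or the deadline passes (attachment is asynchronous).
def wait_for_device(console_name, attempts: 30, delay: 2, exists: ->(path) { File.blockdev?(path) }, sleeper: ->(s) { sleep(s) })
  attempts.times do
    dev = resolve_device(console_name, exists: exists)
    return dev if dev
    sleeper.call(delay)
  end
  nil
end
```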

New feature:

  • Support of the EXT4 and XFS linux filesystems

Using CloudyScripts Copy Snapshot, you can now move the vast majority of Amazon EC2 Linux snapshots between any Amazon EC2 regions.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy Snapshot

NB: I was wondering what you think of a CloudyScript that automatically registers an Amazon EC2 snapshot. Would that be helpful to you?

Security

In terms of security, we strongly recommend creating temporary Amazon EC2 credentials through AWS Identity and Access Management (IAM) and deleting them once the task is done. We explained how to do so with the Amazon command line tools in a previous article: ReadOnly credentials for Amazon EC2.

Another thing that must not be forgotten is to close SSH (TCP port 22) again once the copy is done. Whether or not you are using your default Amazon EC2 Security Groups, you must restrict administrative access to your Amazon EC2 infrastructure. Read more on Risk of publicly opened port.

References

AWS Blog: Enabling your own Linux Kernels
AWS Documentation: Use your own kernel with Amazon EC2

/fred

Filed under: AWS, Cloud Computing

Monitoring Tool: Amazon EC2 plugins for Nagios

SecludIT has published two plugins for monitoring Amazon EC2 with the Nagios open source monitoring solution. These plugins are available on Nagios Exchange under the Apache 2 License. Both Nagios plugins are written in Ruby on top of the Amazon EC2 Ruby gem library and use HTTP Query API calls to the Amazon API endpoints.

Nagios Plugins for Amazon EC2

The Nagios open source monitoring solution consists of several Nagios projects, including:

  • Nagios Core: the open source monitoring engine and multiple APIs for extending core functionality
  • Nagios Plugins: efficient, standalone extensions that provide low-level intelligence for monitoring everything with Nagios Core

Contrary to traditional IT infrastructures, cloud computing stacks (such as Amazon EC2) allow server monitoring through their programming interfaces (APIs), meaning that:

  • you do not need to install and maintain agents on the servers (for example, no SNMP agent installation and configuration)
  • you do not need to configure and protect privileged access to the servers (for example, no remote SSH tunnels)

The plugins we provide illustrate these advantages. Without agents, you can:

  • know the status of your servers (pending, running, stopping, stopped, shutting-down or terminated, as reported by the EC2 API)
  • get metrics of your servers (CPU, network traffic and disk I/O)

Check Amazon EC2 Instance status plugin

The Check AWS EC2 Instance Status plugin retrieves the status of an Amazon EC2 instance. It is a Nagios active check that takes the Amazon API endpoint and an Amazon EC2 instance ID as input parameters, connects to the endpoint through HTTP Query API calls and retrieves the status of that instance.

Get Amazon CloudWatch metrics plugin

The Get Amazon CloudWatch metrics plugin retrieves metrics from Amazon CloudWatch. It is a Nagios active check that takes the Amazon API endpoint, an Amazon EC2 instance ID and the CloudWatch metric name as input parameters, connects to the endpoint through HTTP Query API calls and retrieves the value of that metric for the instance.

Security

As these two Nagios plugins require Amazon credentials (Access Key ID and Secret Access Key) to connect to the Amazon API endpoints, we must ensure that the credentials are encrypted (that is, not stored in clear on disk) and that permissions on both the encryption key and the encrypted credentials are restricted to the user or daemon running the plugins. Keep in mind what that protects against: a disk image, a backup or a shared AMI no longer leaks the keys, but anything running as the same user on the same host can still decrypt them. That is why the second measure matters: our plugins only require read-only access to the Amazon APIs, so we highly recommend using AWS Identity and Access Management (IAM) to generate read-only credentials. We have written a blog post on how to generate read-only Amazon EC2 credentials.
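As an added example (not SecludIT's plugins, whose code lives on Nagios Exchange), here are the pieces such a plugin needs around the API call itself: credentials stored encrypted and only read when both the key file and the ciphertext file are mode 0600 or stricter, the Nagios exit-code convention for the instance status check, and perfdata output for a CloudWatch metric with thresholds. The API call is injected as a lambda so the example runs offline; AES-256-GCM, the file names, the thresholds and the helper names are my choices.

```ruby
require "openssl"
require "json"
require "tmpdir"

# Added example, not SecludIT's Nagios plugins: encrypted credential storage,
# Nagios exit codes and perfdata for an EC2/CloudWatch check.

NAGIOS = { "OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3 }

# Refuse a file that anyone other than its owner can read or write.
def assert_private!(path)
  mode = File.stat(path).mode & 0o777
  raise "#{path}: mode #{mode.to_s(8)} is too permissive (need 0600 or stricter)" if (mode & 0o077) != 0
end

# Create the file with mode 0600; chmod afterwards in case it already existed.
def write_private(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC | File::BINARY, 0o600) { |f| f.write(data) }
  File.chmod(0o600, path)
end

# Returns iv (12 bytes) + auth tag (16 bytes) + ciphertext; key is 32 random bytes.
def encrypt_credentials(creds, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(creds)) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the blob was modified or the key is wrong.
def decrypt_credentials(blob, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob[0, 12]
  cipher.auth_tag = blob[12, 16]
  cipher.auth_data = ""
  JSON.parse(cipher.update(blob[28..-1]) + cipher.final)
end

def load_credentials(cred_path, key_path)
  assert_private!(cred_path)
  assert_private!(key_path)
  decrypt_credentials(File.binread(cred_path), File.binread(key_path))
end

# EC2 instance state (as returned by DescribeInstances) -> Nagios status.
# Transitional states are WARNING so that a flapping instance is visible; a
# state the plugin does not know (or no instance at all) is UNKNOWN rather
# than CRITICAL, because the instance may simply have been removed.
def instance_status(state)
  case state
  when "running"                              then "OK"
  when "pending", "stopping", "shutting-down" then "WARNING"
  when "stopped", "terminated"                then "CRITICAL"
  else "UNKNOWN"
  end
end

# The active check. describe.call(id) stands for the DescribeInstances call and
# returns the state string or nil. Returns [exit_code, first line of output].
# Any API failure (timeout, bad credentials) is UNKNOWN, not a false CRITICAL.
def check_instance(instance_id, describe:)
  state = describe.call(instance_id)
  status = instance_status(state)
  [NAGIOS[status], "#{status} - #{instance_id} is #{state || 'not found'}"]
rescue StandardError => e
  [NAGIOS["UNKNOWN"], "UNKNOWN - #{e.class}: #{e.message}"]
end

# A CloudWatch datapoint as Nagios output with perfdata: 'label'=value[UOM];warn;crit
def metric_output(metric, value, unit, warn:, crit:)
  status = if value >= crit then "CRITICAL" elsif value >= warn then "WARNING" else "OK" end
  [NAGIOS[status], "#{status} - #{metric} #{value}#{unit} | '#{metric}'=#{value}#{unit};#{warn};#{crit}"]
end
```

The permission check runs on every invocation rather than once at install time because a later chmod, a restore from backup or a copied file is exactly the kind of drift an agentless monitor will not otherwise notice.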

Amazon EC2 security monitoring using SecludIT’s Elastic Detector

SecludIT uses Nagios in Elastic Detector, a security and monitoring tool for Amazon EC2. The two Nagios plugins (which we gave to the community) are used in Elastic Detector to get the status and metrics of Amazon EC2 instances. This information is one of the inputs of our detection engine and is complemented by other security-related information such as Amazon EC2 Security Group analysis and open ports. Elastic Detector is therefore agentless and detects Amazon EC2 security-related events.

Feel free to try out our Nagios plugins and Elastic Detector and let us know what you think.

/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

CloudyScripts: Ruby code for command line Security Audit via SSH

As requested by our users, we have just added sample code for writing Ruby scripts on top of the cloudyscripts gem, which can be found on RubyGems or on RubyForge.

The first script runs a Security Audit via SSH from the command line. In addition, we extended its scope: the Security Audit can now be run against a running instance (in addition to AMIs), which allows you:

  • to test running instances, so there is no need to wait for a new instance to start
  • to audit a production server while keeping full control of the audit process

For information on how to retrieve the source code of this open source project, published under the Apache 2.0 License, please go to the cloudyscripts SCM on RubyForge.

We would like to thank Jonas Zaddach (Master's student in Computer Science at Eurecom), who wrote the "Security Audit via SSH" part of the cloudyscripts library during his internship at SecludIT.

/fred

Filed under: AWS, Cloud Computing, Secure Cloud

New CloudyScript: Security Audit via SSH

We are glad to announce a new CloudyScript, Security Audit via SSH, which performs a Security Audit of an Amazon EC2 AMI. It requires a privileged user that can run sudo.

Security auditing is very important in cloud computing infrastructures, where virtual machine images (AMIs in the case of Amazon) may be shared among users. To avoid backdoors or vulnerable machines in your own Amazon EC2 infrastructure, you MUST evaluate the public AMIs you are using. The Security Audit via SSH CloudyScript automates that task.

Here is a sample output of an SSH Audit:

Moreover, we designed it as a library of security audits, which for now contains audits for SSH and Apache2 servers; we will continue to extend it with other security audits.
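The kind of check such a library runs once it has a shell on the instance, shown here as an added example that is not the cloudyscripts "Security Audit via SSH" code: parse the sshd and Apache configuration and compare a handful of settings against what an audit would accept. The two configuration texts are constructed samples standing in for the output of a remote `sudo cat`; which settings are checked and what counts as acceptable are my choices, not the page's. Two details matter more than the list of settings: sshd honours the first occurrence of a keyword and ignores later duplicates, and anything after the first Match line is conditional, so neither may be read as the global setting.

```ruby
# Added example, not the cloudyscripts "Security Audit via SSH" code: audit
# sshd_config and Apache configuration text for a few well-known settings.

SAMPLE_SSHD_CONFIG = <<~EOS
  # constructed sample, not a real server's file
  Port 22
  Protocol 2,1
  PermitRootLogin yes
  #PasswordAuthentication no
  PasswordAuthentication yes
  PermitEmptyPasswords no
  X11Forwarding yes
EOS

SAMPLE_APACHE_CONFIG = <<~EOS
  ServerTokens Full
  ServerSignature On
  TraceEnable On
EOS

# "Keyword value" lines into a lowercase-keyed hash. sshd applies the first
# occurrence of a keyword and ignores later ones (first_wins: true); Apache
# lets a later directive override an earlier one (first_wins: false).
def parse_config(text, first_wins:)
  text.each_line.each_with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    key = key.downcase
    conf[key] = value unless first_wins && conf.key?(key)
  end
end

# nil means the keyword is absent and the daemon's default applies, so each
# check decides for itself whether the default is acceptable.
SSHD_CHECKS = {
  "protocol"               => ->(v) { v == "2" },                  # "2,1" or unset: SSH-1 may be offered
  "permitrootlogin"        => ->(v) { %w[no without-password prohibit-password].include?(v) },
  "passwordauthentication" => ->(v) { v == "no" },                 # default yes: dictionary attacks
  "permitemptypasswords"   => ->(v) { v.nil? || v == "no" },
  "x11forwarding"          => ->(v) { v.nil? || v == "no" },
}

APACHE_CHECKS = {
  "servertokens"    => ->(v) { v.to_s.casecmp?("Prod") },         # default Full: version disclosure
  "serversignature" => ->(v) { v.nil? || v.casecmp?("Off") },     # default Off
  "traceenable"     => ->(v) { v.to_s.casecmp?("Off") },          # default On: cross-site tracing
}

def audit(conf, checks)
  checks.reject { |key, acceptable| acceptable.call(conf[key]) }
        .map { |key, _| { setting: key, value: conf[key] || "(not set, default applies)" } }
end

# Only the global section of sshd_config is audited: keywords after the first
# "Match" line apply to a subset of connections, not to the daemon as a whole.
def audit_sshd(text)
  global = text.sub(/^\s*match\b.*\z/mi, "")
  audit(parse_config(global, first_wins: true), SSHD_CHECKS)
end

def audit_apache(text)
  audit(parse_config(text, first_wins: false), APACHE_CHECKS)
end
```

On the sample sshd_config this reports Protocol, PermitRootLogin, PasswordAuthentication and X11Forwarding; the commented-out "PasswordAuthentication no" is correctly ignored, which is the usual way an administrator believes a setting is applied when it is not.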

/fred

NB: this Security Audit does not check the IP restrictions for accessing the SSH server. In order to check that your SSH server is not publicly exposed, you can use the Public Port Checker CloudyScript.

Filed under: AWS, Cloud Computing, Secure Cloud

Tendances cloud

Sorry to the non-French readers, but I am often asked for French papers about cloud computing and security. We are proud to be contributors to a French white paper on cloud computing, so here is the link:

http://www.tendances-cloud.com/

Happy reading.

Filed under: Cloud Computing, Elastic Security, IaaS, News, SaaS, Secure Cloud

How to increase security and visibility of Amazon EC2 instances?

Amazon EC2 administrators have to deal with daily problems such as:

  • Ensuring security of new instances,
  • Detecting performance and capacity problems,
  • Keeping track of the modifications on the infrastructure.

We would like to give you some insight into our solution to those problems, Elastic Detector, which makes the life of cloud administrators easier by detecting security-related issues and events. What makes this product unique is that it is fully automated and agentless. You can see how Elastic Detector works in this short video:


Filed under: AWS, Cloud Computing, Elastic Security, IaaS, Internals, Secure Cloud, Solutions

Amazon Security Groups: VPC vs EC2

Amazon has updated Security Groups for Amazon VPC

Earlier in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes, such as:

  • outbound filtering
  • fine grained IP protocol tuning
  • the ability to apply changes in one fell swoop

But what I found very interesting is that we can now change (add/remove) the Security Groups of a running instance. As a customer of AWS, I really love being able to modify my Security Groups without stopping any instance. I can now start an instance without a deep analysis of what my VPC network will be, and I can adapt it at any time with minimal impact on the availability of the services my customers are consuming. In my view, this is a major achievement, because I can adapt my security perimeter on the fly.

I still have some open questions:

In terms of security, I'm wondering whether open/established connections are dropped if I modify a Security Group rule or remove it.

Moreover, AWS added NACLs (Network Access Control Lists), which now allow DENY firewall rules. But this seems to require an internet gateway (VPC specific). This sounds like Amazon was not able to add ACCEPT/DENY options to Security Group rules, even though they added inbound/outbound options.

Here is the AWS blog post for more information: A New Approach to Amazon EC2 Networking

Amazon EC2: public cloud

Unfortunately, I'm not a VPC user but an EC2 user, and it's a bit frustrating that these brand new features are not available outside VPC. I'm wondering if there is any reason not to add these features to Amazon EC2.

Concerning outbound filtering, I can't see any reason not to add it to EC2. I would love to hear more about this.

Last but not least, the "one fell swoop" feature deserves discussion. I think this is a step back from true elasticity. Previously, I just had to create a rule and it was automatically and dynamically applied; now I have to build the rule and then apply it, just like with a traditional firewall.

/fred

Filed under: AWS, Cloud Computing
