AWS
Security
How to run AWS CIS Benchmark with CloudQuery
HCL policies were deprecated - see up-to-date policy documentation here.
Intro #
The AWS CIS benchmarks are a set of well-known configuration best-practices that helps companies improve their AWS security posture and comply with various compliance framework like (SOC2, etc.).
The guide is in PDF, some instructions require going through the UI and others require running long set of commands. Doing this manually is a tedious and error prone work not talking about doing this continuously.
There are some open-source tools like prowler that runs all those commands in one large shell script. The dis-advantage with this kind of approach is that it is hard to customized and for example exclude resource that you know they are not compliant to get a clean report.
This blog will show you how to run AWS CIS benchmark with CloudQuery using out-of-the-box SQL statements that you can customize to your environment.
Running CloudQuery #
Downloading #
CloudQuery is an open-source framework that transforms your cloud infrastructure into SQL database for easy monitoring, governance and security. It's written in Go so it's just a single Binary!
You can download the pre-compiled binary from releases, or using CLI:
export OS=darwin # Possible values: linux,windows,darwin
curl -L https://github.com/cloudquery/cloudquery/releases/latest/download/cloudquery_${OS}_amd64 -o cloudquery
chmod a+x cloudquery
For mac you can use
homebrew:brew install cloudquery/tap/cloudquery
# After initial install you can upgrade the version via:
brew upgrade cloudquery
Choosing database #
CloudQuery supports PostgreSQL, ClickHouse, Snowflake, and other databases as destinations. In this post we will use SQLite which is great for local development and testing (see documentation for production databases).
Authenticating with AWS #
CloudQuery uses AWS SDK under-the-hood so authentication works the same way. To sum up you can use the following environment variables or files:
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
~/.aws/credentialscreated via AWS configure- AWS_PROFILE
Fetching the data #
To fetch the data you first need to create a configuration file that specifies which resources you want to fetch. Create a
config.yml file that defines your AWS source and desired destination (see the CloudQuery documentation for configuration examples).Now the money time! run
cloudquery sync config.yml. This will fetch all specified resources in all regions and in all accessible accounts (or specific accounts if specified).Running AWS CIS benchmark test #
CloudQuery provides SQL-based policies for AWS CIS compliance. See the CloudQuery Policies documentation for the latest CIS benchmark queries that you can run against your CloudQuery database.
Here is a snippet of the report:
✓ policy "cloudquery-policies-aws" - evaluating - 0s Finished Queries: 85/85
📋 cloudquery-policies-aws Results:
⚠️ Policy finished with warnings
✓ 1.1 AWS CIS 1.1 Avoid the use of 'root' account. Show used in last 30 days (Scored) passed
✓ 1.2 AWS CIS 1.2 Ensure MFA is enabled for all IAM users that have a console password (Scored) passed
✓ 1.3 AWS CIS 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored) passed
✓ 1.4 AWS CIS 1.4 Ensure access keys are rotated every 90 days or less passed
✓ 1.5 AWS CIS 1.5 Ensure IAM password policy requires at least one uppercase letter passed
✓ 1.6 AWS CIS 1.6 Ensure IAM password policy requires at least one lowercase letter passed
..............
Finished policies run...
You can also specify
--output if you want also to store the results in JSON format so you can forward it to some logging system.Running CloudQuery continuously #
In the next blog we will show how to set-up CloudQuery in a lambda function to run periodically so you can continuously monitor your rules.
Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform for a more scalable solution.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.
