AWS
Security
Running AWS Foundational Security Best Practices with CloudQuery Policies
Back in mid-2020 AWS Security Hub released a new security standard called AWS Foundational Security Best Practices. This new standard sets security controls to detect when an AWS account or deployed resources don’t match up to the best practices set out by the AWS security experts. The complete standard can be found in the AWS Security Hub documentation.
As with any security guidelines, factors such as AWS environments, requirements, and capacity of your security team, will impact how you implement those guidelines.
The new AWS Foundational Security Best Practices CloudQuery policy gives you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL.
The CloudQuery AWS Foundational Security Policy covers 200+ checks - you can review them on GitHub or review them in the GitHub.
Prerequisites #
Please follow the quickstart guide to install CloudQuery, and
fetch
your AWS configuration into a PostgreSQL database.Running #
After fetching your AWS configuration into a PostgreSQL database, you can use SQL to check your cloud deployment for compliance!
For example, you can check for certificates that are going to expire soon and need to be renewed.
#https://github.com/cloudquery-policies/aws/blob/main/queries/acm/certificates_should_be_renewed.sql
SELECT arn
FROM aws_acm_certificates
WHERE not_after < NOW() AT TIME ZONE 'UTC' + INTERVAL '30' DAY;
You can also use the
cloudquery
command to run the entire AWS Foundational Security Best Practices policy pack. The policy is split into sections as sub-policies, so you can run either the entire policy, a sub-policy, or even one specific check.# execute the AWS foundational-security-best-practices policy pack
cloudquery policy run aws//foundational_security
# execute the ACM section in AWS Foundational Security policy
cloudquery policy run aws//foundational_security/acm
# execute the S3 related section in AWS Foundational Security policy
cloudquery policy run aws//foundational_security/s3
# describe all available policies and sub-policies available for AWS on cloudquery
cloudquery policy describe aws
# execute the entire AWS policy pack, including other benchmarks.
cloudquery policy run aws
You can also output the results into a JSON and pass them to downstream processing for automated monitoring and alerting.
cloudquery policy run aws//foundational_security --output-dir=results
Build your own and share #
Do you have a policy that you want to codify, or that you’ve been running with python or bash scripts? You are welcome to try codifying it with CloudQuery Policies (See our GitHub and docs for how to develop one). Feel free to drop on our Community or GitHub to get any help, and we will share your policy on CloudQuery Hub.
Written by Mike Elsmore
Mike Elsmore is a software developer, technologist, public speaker, and community builder based in the UK. His passion is developer outreach and education.