AWS CSPM

Overview

Using this feature you can run CIS benchmark tests (v1.2.0) and PCI, HIPAA and GDPR audits for your AWS cloud subscription. This includes the CIS level 1 and level 2 checks for AWS as specified here: https://www.cisecurity.org/benchmark/amazon_web_services/

Pre-requisites

Prowler is an open source tool that runs CIS benchmarks for AWS. It is free and can be downloaded from https://github.com/toniblyx/prowler. Install any dependencies required by the Prowler tool. The cloud-ready images for twigs (for Docker and AWS) have these tools and dependencies pre-installed.

Steps involved

  • Open a new shell / terminal.
  • Make sure you have Prowler downloaded.
  • Note the location of the prowler executable in the downloaded copy of Prowler. Instead of specifying the “--prowler_home” argument on the command line, you can set the environment variable “PROWLER_HOME” to point to the Prowler download directory.
  • You can run the command below:

twigs aws_cis --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET --prowler_home HOME_DIRECTORY_FOR_PROWLER

  • The asset id is mandatory. Use a unique identifier for your AWS cloud instance as the asset id, e.g. the AWS subscription id.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered AWS instance as an asset, together with the results of the CIS benchmark tests.
  • You can run the AWS audit checks in the same way:
    • twigs aws_audit --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET --prowler_home HOME_DIRECTORY_FOR_PROWLER
  • Twigs will automatically mark/resolve any fixed issues that were discovered as part of a previous run.
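The steps above, wrapped in a small shell script (an added example, not part of the twigs documentation or the twigs project): it resolves the Prowler location the way the page describes (the argument wins, PROWLER_HOME otherwise), verifies that the prowler executable is really there, refuses to run without an asset id, and runs the CIS benchmark and the audit against the same asset id so that twigs can resolve issues fixed since the previous run. It assumes the executable is named prowler at the top of the download directory, that the credentials are available as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (the standard AWS SDK variable names), and a TWIGS override variable for dry runs; none of these come from the page.

```shell
#!/bin/sh
# Added example: wrapper around "twigs aws_cis" / "twigs aws_audit".
# Credentials are taken from the environment (assumed names AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY) so they are not typed into the shell history; note that
# twigs itself still receives them as arguments, as documented.

# Print the Prowler home to use: an explicit argument wins, then PROWLER_HOME.
# Prints an empty line if neither is set.
resolve_prowler_home() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${PROWLER_HOME:-}"
    fi
}

# Succeed only if the directory contains an executable named "prowler" (assumed layout).
check_prowler_home() {
    [ -n "${1:-}" ] && [ -x "$1/prowler" ]
}

# Run one twigs mode: run_twigs MODE ASSET_ID ASSET_NAME PROWLER_HOME
# TWIGS (default "twigs") can be set to "echo" to see the command without running it.
run_twigs() {
    mode=$1; asset_id=${2:-}; asset_name=${3:-}; home=${4:-}
    [ -n "$asset_id" ] || { echo "asset id is mandatory" >&2; return 2; }
    check_prowler_home "$home" || { echo "no prowler executable under '$home'" >&2; return 3; }
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] ||
        { echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY not set" >&2; return 4; }
    "${TWIGS:-twigs}" "$mode" --aws_access_key "$AWS_ACCESS_KEY_ID" \
        --aws_secret_key "$AWS_SECRET_ACCESS_KEY" --assetid "$asset_id" \
        --assetname "$asset_name" --prowler_home "$home"
}

# CIS benchmark first, then the audit, both against the same asset id.
# run_aws_cspm ASSET_ID ASSET_NAME [PROWLER_HOME]
run_aws_cspm() {
    home=$(resolve_prowler_home "${3:-}")
    run_twigs aws_cis "${1:-}" "${2:-}" "$home" &&
        run_twigs aws_audit "${1:-}" "${2:-}" "$home"
}
```

Run it as `TWIGS=echo run_aws_cspm 123456789012 prod-account` to check the resolved arguments before running against the account for real.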