Overview
Using this feature you can run CIS benchmark tests (v1.2.0) and PCI, HIPAA and GDPR audits for your AWS cloud subscription. This includes the CIS level 1 and level 2 checks for AWS as specified here: https://www.cisecurity.org/benchmark/amazon_web_services/
Pre-requisites
Prowler is an open source tool that allows you to run CIS benchmarks for AWS. This tool is free and can be downloaded from https://github.com/toniblyx/prowler. Install any dependencies required by the prowler tool. The cloud-ready images for twigs (for Docker, AWS) have these tools and dependencies pre-installed.
Steps involved
- Open a new shell / terminal.
- Make sure you have Prowler downloaded.
- Note the location of the prowler executable, which is available in the downloaded copy of Prowler. You can set the environment variable "PROWLER_HOME" to point to the Prowler download directory instead of specifying the "--prowler_home" argument on the command line.
- You can run the command below:
twigs aws_cis --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET --prowler_home HOME_DIRECTORY_FOR_PROWLER
- The asset id is mandatory. Use a unique identifier for your AWS cloud instance as the asset id, e.g. the AWS subscription id.
- After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered AWS instance as an asset, as well as the results of the CIS benchmark tests.
- You can run the AWS audit checks similarly:
twigs aws_audit --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET --prowler_home HOME_DIRECTORY_FOR_PROWLER
- Twigs will automatically mark/resolve any fixed issues that were discovered as part of a previous run.
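The steps above, wrapped in a small POSIX shell script that validates the Prowler location (PROWLER_HOME or an explicit directory), rejects an empty asset id, and then runs both the aws_cis and aws_audit scans. This is an added example, not code from the twigs or Prowler projects; the credential variables TWIGS_AWS_ACCESS_KEY and TWIGS_AWS_SECRET_KEY are hypothetical names chosen here so the keys are not typed into shell history.

```shell
#!/bin/sh
# Added example wrapper around "twigs aws_cis" / "twigs aws_audit".
# Assumed (hypothetical) environment: TWIGS_AWS_ACCESS_KEY, TWIGS_AWS_SECRET_KEY.

# resolve_prowler_home [DIR]: print the Prowler directory to use. Takes DIR if
# given, otherwise $PROWLER_HOME. Fails unless the "prowler" executable is inside.
resolve_prowler_home() {
    dir="${1:-${PROWLER_HOME:-}}"
    [ -n "$dir" ] || { echo "no --prowler_home given and PROWLER_HOME unset" >&2; return 1; }
    [ -x "$dir/prowler" ] || { echo "prowler executable not found in $dir" >&2; return 1; }
    printf '%s\n' "$dir"
}

# check_scan_request SCAN ASSET_ID: succeed only for a supported scan type
# (aws_cis or aws_audit) and a non-empty asset id (the asset id is mandatory).
check_scan_request() {
    case "$1" in
        aws_cis|aws_audit) ;;
        *) echo "unsupported scan type: $1" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "asset id is required (e.g. the AWS subscription id)" >&2; return 1; }
    return 0
}

# run_twigs_scan SCAN ASSET_ID ASSET_NAME PROWLER_DIR: run one twigs scan using
# only the command-line flags documented above.
run_twigs_scan() {
    check_scan_request "$1" "$2" || return 1
    twigs "$1" --aws_access_key "$TWIGS_AWS_ACCESS_KEY" \
        --aws_secret_key "$TWIGS_AWS_SECRET_KEY" \
        --assetid "$2" --assetname "$3" --prowler_home "$4"
}

# Usage: RUN_SCANS=1 sh aws_scan.sh ASSET_ID "ASSET NAME" [PROWLER_DIR]
# (guarded so that sourcing the file only defines the functions)
if [ "${RUN_SCANS:-0}" = "1" ]; then
    prowler_dir=$(resolve_prowler_home "${3:-}") || exit 1
    [ -n "${TWIGS_AWS_ACCESS_KEY:-}" ] && [ -n "${TWIGS_AWS_SECRET_KEY:-}" ] \
        || { echo "set TWIGS_AWS_ACCESS_KEY and TWIGS_AWS_SECRET_KEY" >&2; exit 1; }
    run_twigs_scan aws_cis "$1" "$2" "$prowler_dir" || exit 1
    run_twigs_scan aws_audit "$1" "$2" "$prowler_dir" || exit 1
fi
```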
Examples
twigs aws_cis --aws_access_key "AKIA...DRW" --aws_secret_key "EfFed...Ugex" --assetid prod_aws --assetname "Production AWS subscription" --prowler_home ~/prowler_repo
Run CIS benchmark tests for your AWS subscription.