In this post we review how to understand and visualize AWS Security Groups, and how to use that visualization to identify security vulnerabilities.
What are AWS Security Groups?
AWS Security Groups act as a virtual firewall for your instances, controlling inbound and outbound traffic. For example, a user can allow SSH access to an instance only from computers on their home network.
What are the challenges in managing Security Groups?
Although Security Groups define a data-flow topology for inbound and outbound traffic, the AWS console presents them as a table:
In our opinion, this view lacks three main aspects that would make it useful:
- Inbound and outbound relationships between Security Groups
- Inbound and outbound relationships to external IPs and CIDR
- AWS service members of the Security Groups (the resources that are actually using them).
ITculate provides all three in a simple visualization:
Security vulnerabilities Example (Jump Host)
What is a Jump host?
A jump host or jumpbox or bastion is a (special-purpose) computer on a network typically used to manage devices in a separate security zone. The most common example is managing a host in a DMZ from trusted networks or computers. (more info)
ITculate works under the assumption that any direct access from a bastion host / jump host to a sensitive resource (e.g. a database) is not intentional, since creating such direct access permanently goes against common security practice. Having such access means that a would-be offender has an easier path to reach sensitive data and extract it (data exfiltration).
The following design shows how access to the internal network was correctly created only through the jump host, controlled by the security group sg-jump-host (yellow security group). However, there is a vulnerability in the layout because the security group sg-qa-rds-test (in red) permits direct access to an RDS instance from an external IP. This is very common when team members perform different tests and fail to remove temporary security groups, which leaves a security vulnerability behind.
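The three missing aspects listed above (group-to-group relationships, relationships to external CIDRs, and group membership) are exactly what is needed to spot the sg-qa-rds-test problem automatically. The script below is an added example, not ITculate's code or tooling: it builds the inbound graph from security group rules given in the shape of an EC2 describe_security_groups response, walks it backwards from every group attached to a sensitive resource, and reports each path from an external CIDR, flagging the ones that reach the resource directly rather than through the jump host. The group ids, CIDRs, the internal address ranges, and the membership mapping are constructed for the example; in a real account the members would come from describe_instances and describe_db_instances.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of an EC2 describe_security_groups response
# (only the fields the analysis needs). Ids and CIDRs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-jump-host", "GroupName": "jump-host", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-jump-host"}]}]},
    {"GroupId": "sg-rds", "GroupName": "prod-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-qa-rds-test", "GroupName": "qa-rds-test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []}]},
]

# Constructed membership: which resource uses which security group.
MEMBERS = {
    "sg-jump-host": ["i-jump"],
    "sg-app": ["i-app-1"],
    "sg-rds": ["db-prod"],
    "sg-qa-rds-test": ["db-prod"],  # leftover test group still attached to the DB
}
SENSITIVE = {"db-prod"}

# Assumed VPC / internal address space; anything outside it is treated as external.
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_edges(groups):
    """Return inbound edges (source, target_group, (from_port, to_port)).
    A source is either a CIDR string or a referenced security group id."""
    edges = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            for r in perm.get("IpRanges", []):
                edges.append((r["CidrIp"], sg["GroupId"], ports))
            for pair in perm.get("UserIdGroupPairs", []):
                edges.append((pair["GroupId"], sg["GroupId"], ports))
    return edges


def is_external(source):
    """Group references are internal by definition; a CIDR is external
    unless it overlaps the assumed internal address space."""
    if source.startswith("sg-"):
        return False
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.overlaps(internal) for internal in INTERNAL_CIDRS)


def external_paths(groups, members, sensitive):
    """Walk the inbound graph backwards from every group attached to a sensitive
    resource and return each hop-by-hop path that starts at an external CIDR."""
    inbound = defaultdict(list)  # target group -> list of inbound sources
    for src, target, _ in build_edges(groups):
        inbound[target].append(src)
    sensitive_groups = [g for g, m in members.items() if sensitive.intersection(m)]
    paths = []

    def walk(group, path):
        for src in inbound[group]:
            if src.startswith("sg-"):
                if src not in path:  # guard against reference cycles
                    walk(src, [src] + path)
            elif is_external(src):
                paths.append([src] + path)

    for g in sensitive_groups:
        walk(g, [g])
    return paths


def direct_external_access(groups, members, sensitive):
    """Paths with a single group hop: an external CIDR reaches the sensitive
    resource's own group without passing through any intermediate group."""
    return [p for p in external_paths(groups, members, sensitive) if len(p) == 2]


if __name__ == "__main__":
    for path in external_paths(SECURITY_GROUPS, MEMBERS, SENSITIVE):
        tag = "DIRECT ACCESS" if len(path) == 2 else "via intermediate groups"
        print(f"{tag}: {' -> '.join(path)} -> {MEMBERS[path[-1]]}")
```

On the constructed data the walk produces two paths: 203.0.113.10/32 through sg-jump-host and sg-app to sg-rds, which is the intended route, and 198.51.100.0/24 straight into sg-qa-rds-test, which is the leftover test group the post describes. Treating the VPC ranges as the internal space rather than relying on a generic "is this a private address" check matters here, because a rule that references another security group and a rule that names a public CIDR look identical in the console table but are very different edges in the graph.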
ITculate.io provides a monitoring solution for DevOps environments. ITculate’s solution captures not only raw and custom metrics but also the architecture of the customer’s environment. ITculate’s core technology tracks relationships between and within services. Understanding the relationships allows ITculate to provide context to the user. It also allows for better visualization and enables much faster troubleshooting. ITculate provides a more intuitive way of data exploration and dramatically improves the user experience of monitoring. Please check us out at ITculate.io to learn more!