Centralised security information for AWS accounts.
This webapp presents the primary interface for Security HQ.
The watched-account
CloudFormation template will create ConfigRules
that monitor the status of other AWS accounts. This application
presents the data collected by those processes.
It also provides an interface on some markers of a watched AWS account's health from a security point of view.
Security HQ uses information from AWS Trusted Advisor. This might not be as up-to-date as one might wish and may be noticeable for S3 buckets.
security
profile.Note Guardian Engineers can use credentials from Janus. External engineers can use the CloudFormation template to provision an IAM user, and create an access key separately.
Run the setup script:
./script/setup
Run the start script:
./script/start
If you want to debug, you can run
./script/start --debug
You will need to attach you debugger (Remote JVM Debug) to the right port (possibly 1058)
When running Security HQ locally, you can modify the list of AWS accounts to include additional accounts. For example, you may want to add a specific account for debugging purposes. You will need valid AWS credentials for any accounts you wish to include.
To add a new AWS account, go to ~/.gu/security-hq.local.conf
,
add a new object to the AWS_ACCOUNTS
list, like this Deploy Tools account example:
AWS_ACCOUNTS = [
{
name = "Deploy Tools"
id = "deployTools"
roleArn = ""
}
]
The value of id
should be the same as the AWS Profile name, which you can see when you copy your credentials from Janus.
You can add a roleArn
if you want to generate an IAM report, otherwise you don't need it.
See watched-account
template under cloudformation
folder for the security policies needed to run security-hq.
The aws cli can perform some basic template validation.
It requires AWS credentials to run, and can validate a single file like so:
aws cloudformation validate-template --template-body file:///${PWD}/cloudformation/security-test-user.yaml --profile <AWS_PROFILE>
CFN nag is a linting tool for CloudFormation templates that can help catch security issues.
If you have it installed, you can run:
cfn_nag_scan --input-path cloudformation/*
The Credentials Reaper is a feature in Security HQ which automatically disables permanent IAM users with access keys that haven’t been rotated within 90 days for users with a password (human users) or 365 days for users without a password (machine users). It also disables permanent users who have left the Guardian.
The reaper sends email notifications to the AWS account the user is in, before disabling a user. The emails are sent via Anghammarad and uses its AWS Account to email address mappings.
You can also find the dynamo table in the Security AWS Account.
Security HQ holds a Lambda, which checks for security groups that are open to the world, except ELB groups. This data is used for https://security-hq.gutools.co.uk/security-groups
.
It is deployed as a stack set and is defined in cloudformation/watched-account.template.yaml
.
build.sbt
..script/package-lambda
.NOTE: The version is important, because the cloudformation version
parameter is used to locate the correct S3 file. The lambda code will not change unless a new version is deployed, even if the infrastructure changes.