
Security controls absence - Monitoring

Need

Implementation of robust monitoring and alerting mechanisms

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non compliant code

# Configures the AWS provider; all resources below are created in this region.
provider "aws" {
  region = "us-west-2"
}

# A single EC2 instance with no monitoring or alerting attached to it.
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}

The above code is a simple Terraform script that provisions an EC2 instance in the AWS cloud. The provider block is used to configure the named provider, in this case, AWS. The resource block defines one resource of type "aws_instance".

However, this script has a major security oversight: it does not implement any form of monitoring or alerting. This means that if critical changes occur in the system, such as access to or modification of resources, or the creation of roles, no notifications or alerts are sent to inform the relevant parties.

In a real-world scenario, this lack of monitoring can lead to unauthorized access or changes going unnoticed, potentially leading to data leaks, system instability, or other serious issues.

To resolve this vulnerability, it's recommended to implement AWS CloudWatch or other similar monitoring tools, and configure alerting based on specific events or conditions.

Steps

  • Implement a monitoring solution to track critical changes in the system
  • Configure alerts or notifications for access and modification of resources
  • Set up monitoring for role creation and modification
  • Ensure that the monitoring solution covers all relevant system resources and services
  • Regularly review and update the monitoring configuration to adapt to changes in the system

Compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}

# CloudWatch alarm: average CPU at or above 80% for two consecutive
# 60-second periods puts the alarm into the ALARM state.
resource "aws_cloudwatch_metric_alarm" "cpu_utilization" {
  alarm_name          = "cpu_utilization"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUUtilization"
  namespace           = "AWS/EC2"
  period              = 60
  statistic           = "Average"
  threshold           = 80
  alarm_description   = "This metric checks cpu utilization"
  alarm_actions       = [aws_sns_topic.cpu_alerts.arn]
  dimensions = {
    InstanceId = aws_instance.web.id
  }
}

# SNS topic that receives the alarm notifications.
resource "aws_sns_topic" "cpu_alerts" {
  name = "cpu-alerts"
}

# Email subscription to the topic; the address must confirm the subscription.
resource "aws_sns_topic_subscription" "cpu_alerts_email" {
  topic_arn = aws_sns_topic.cpu_alerts.arn
  protocol  = "email"
  endpoint  = "alerts@example.com" # placeholder address, replace with the on-call mailbox
}

The above code is a fixed version of the original vulnerable code. It adds AWS CloudWatch and SNS (Simple Notification Service) resources to monitor the instance and send alerts for critical changes in the system.

The aws_cloudwatch_metric_alarm resource creates a CloudWatch alarm that triggers when the average CPU utilization of the instance is at or above 80% for two consecutive 60-second periods. The alarm_actions attribute is set to the ARN of an SNS topic, so whenever the alarm enters the ALARM state a message is published to that topic.

The aws_sns_topic resource is used to create an SNS topic named "cpu-alerts". This is where the alarm messages will be sent.

The aws_sns_topic_subscription resource is used to subscribe an email endpoint to the SNS topic. This means that when a message is published to the topic, an email will be sent to the specified email address.

This solution ensures that alerts are sent in response to critical changes in the system, such as high CPU utilization. It can be extended to cover other types of resources and metrics as needed. Regular reviews and updates of the monitoring configuration are recommended to adapt to changes in the system.
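The alarm above only covers CPU utilization, while the Steps section also asks for alerts on role creation and modification. The following Terraform is an added example, not part of the original page, showing how the same CloudWatch-to-SNS pattern extends to CloudTrail events: a metric filter over the CloudTrail log group counts IAM role changes, and an alarm publishes to a topic. It assumes an existing CloudTrail trail already delivering management events to the log group named below; the log group, namespace and topic names are placeholders.

```hcl
# Log group that the (pre-existing, assumed) CloudTrail trail delivers to.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "/aws/cloudtrail/management-events" # placeholder name
  retention_in_days = 365
}

# Metric filter: every CloudTrail record for a role creation or a change
# to a role's policies increments the IamRoleChanges metric by 1.
resource "aws_cloudwatch_log_metric_filter" "iam_role_changes" {
  name           = "iam-role-changes"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  pattern = "{ ($.eventSource = \"iam.amazonaws.com\") && (($.eventName = \"CreateRole\") || ($.eventName = \"AttachRolePolicy\") || ($.eventName = \"PutRolePolicy\") || ($.eventName = \"UpdateAssumeRolePolicy\")) }"

  metric_transformation {
    name      = "IamRoleChanges"
    namespace = "Security/IAM" # placeholder namespace
    value     = "1"
  }
}

# Alarm: a single matching event within a 5-minute period enters ALARM
# and notifies the SNS topic. Missing data is treated as "not breaching"
# so quiet periods do not generate INSUFFICIENT_DATA noise.
resource "aws_cloudwatch_metric_alarm" "iam_role_changes" {
  alarm_name          = "iam-role-changes"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = "IamRoleChanges"
  namespace           = "Security/IAM"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_description   = "IAM role created or role policy changed"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}

# Topic for security notifications; subscribe email, SMS or a
# ticketing webhook to it exactly as with cpu_alerts above.
resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts" # placeholder name
}
```

The same filter-plus-alarm pair works for any other CloudTrail event name, for example resource deletions or console logins without MFA, by changing the pattern.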
