Exercise: Auditing Your Security with AWS Trusted Advisor

Natasha Ong

Exercise Overview:

This hands-on exercise shows you how to audit your AWS resources against basic security best practices. Alongside AWS Trusted Advisor, you'll also work with Amazon EC2 security groups, and you'll see how Trusted Advisor reports on multi-factor authentication (MFA) and AWS Identity and Access Management (IAM).

Objectives:

By the end of this lab, you will:

  • Use Trusted Advisor to do a basic audit of your AWS resources
  • Modify Amazon EC2 security groups to meet best practices

Key concepts:

AWS Trusted Advisor provides best practices in five categories:

  • Cost optimisation
  • Security
  • Fault tolerance
  • Performance improvement
  • Service limits

You can use over 60 AWS Trusted Advisor checks to monitor and improve the deployment of heaps of AWS services. Think EC2, Elastic Load Balancing (ELB), Elastic Block Store (EBS), S3, EC2 Auto Scaling, IAM, RDS, Route 53, and other services. You can also see the overall status of your AWS resources and even savings estimations on Trusted Advisor's Recommendations page. One caveat: the full set of checks needs a Business or Enterprise support plan, but every account gets the core security checks for free, and those include the security group checks this exercise relies on.

Task 0: Access the AWS Management Console

  1. Sign in to your IAM user and access your AWS Management Console.
  2. Select your preferred region for doing this exercise. We recommend picking the region that's closest to you.

Task 1: Create security groups

To see AWS Trusted Advisor at work, let's give it something to advise us about. In this task, you will create several security groups. The security settings you'll set up will go against security best practices! This will help us see how AWS Trusted Advisor picks up security issues.

1. To create a security group, navigate to Amazon EC2.

2. Once you're in the EC2 console, on the left side, choose Security Groups.

3. Choose Create security group.

4. Configure the security group settings:

  • Security group name: NextWork Security Group
  • Description: NextWork web server security group
  • VPC: choose the default VPC.

5. Inbound rules:

  • Choose Add rule.
  • Type: Custom TCP
  • Port range: 21 (the FTP control port)
  • Source: Anywhere-IPv4
  • Choose Add rule.
  • Type: SSH
  • Source: Anywhere-IPv4
  • Choose Add rule.
  • Type: HTTP
  • Source: Anywhere-IPv4

6. Choose Create security group.

7. Now create a second security group with these settings:

  • Security group name: Web Security Group
  • Description: Enable HTTP access
  • VPC: choose the default VPC.

8. Inbound rules:

  • Choose Add rule.
  • Type: HTTP
  • Source: Anywhere-IPv4
  • Choose Create security group.

9. Create one last security group:

  • Security group name: MySQL Security Group
  • Description: Enable MySQL access
  • VPC: choose the default VPC.

10. Inbound rules:

  • Choose Add rule.
  • Type: MYSQL/Aurora
  • Source: Anywhere-IPv4
  • Choose Create security group.

Task 2: Check recommended actions with AWS Trusted Advisor

Now let's use AWS Trusted Advisor to audit the security of your AWS account.

1. Navigate to the AWS Trusted Advisor console.

The Trusted Advisor Recommendations page displays a Checks summary and a list of Recommended Actions based on pre-defined checks on the AWS account. Each recommended action will be indicated by one of three icons:

  • (Red) Critical – Action recommended
  • (Orange) Investigation recommended
  • (Green) No issues or concerns found

2. If you can't see any of these icons or the page just shows a question mark, click on Refresh all checks at the top-right of the page. Wait a few seconds for Recommended Actions to appear. Continue waiting and refreshing if you see 0 checks in red.

3. Expand by clicking the arrow on each AWS Trusted Advisor check and explore the details. Any items that are not green will provide a Recommended Action.

Note: Trusted Advisor will also recommend that you enable MFA on your root user if it isn't enabled yet. That's outside the scope of this exercise, but it's one of the highest-value fixes you can make to an account, so don't skip it for long.

Great! You analysed the basic checks performed by the Trusted Advisor.

Task 3: Modify security groups with unrestricted ports

In this task, you will identify and resolve a security setting that was set incorrectly for a security group.

1. In the left-hand navigation panel in Trusted Advisor, choose Security under the Recommendations menu.

2. Under Checks, expand Security Groups - Specific Ports Unrestricted.

3. In the Security Groups table at the bottom of this section, identify the Security Group(s) that are marked as Red in the Status column.

4. Find the item that contains TCP in the Protocol column and 21 in the From Port column. If you can't see it, try refreshing all checks again.

5. Choose the NextWork Security Group link to open the Security Groups page.

6. Select the checkbox next to your security group.

7. Choose the Inbound rules tab.

8. Choose Edit inbound rules.

9. For the port 21 rule, choose Delete to the right of the rule.

10. Choose Save rules.

Awesome! You have used Trusted Advisor's findings to detect and fix a security group that had an unnecessary unrestricted port.

Task 4: Modify Security Groups to Restrict Access

In this task, you will tighten the access on a security group so that it only allows inbound traffic from resources that belong to another security group, rather than from anywhere on the Internet.

1. Head back to the Trusted Advisor console page.

2. In the navigation pane to the left, choose Security under the Recommendations menu.

3. Under Checks, expand Security Groups - Specific Ports Unrestricted.

4. If you refresh the check, you'll see that NextWork Security Group is no longer flagged red.

5. Identify the TCP/port 3306 security group, which is also flagged by Trusted Advisor. This group would allow unrestricted access to any MySQL database it's attached to, such as an Amazon RDS MySQL instance (port 3306/tcp).

6. Choose MySQL Security Group to open the Security Groups page.

7. Choose the Inbound rules tab.

8. Choose Edit inbound rules, then:

  • Notice that the rule permits incoming traffic to port 3306 from 0.0.0.0/0, which means traffic will be allowed from any computer on the Internet. This is poor security practice for a database, which should only accept connections from the application tier that needs it.

9. Remove the rule for port 3306 by choosing Delete to the right of the rule.

10. Choose Add rule, and then:

11. For Type, choose MySQL/Aurora. Notice the Protocol and Port range fields are populated with TCP 3306 automatically.

12. For Source, choose Custom. In the search field, enter sg and then choose the Web Security Group.

13. This rule now permits access to port 3306 only from resources whose network interfaces belong to the Web Security Group. Computers on the Internet can no longer contact the database server. Keep in mind that a security-group source only matches traffic that arrives over private IP addresses inside the VPC, so the web tier must connect to the database by its private address or private DNS name.

14. Choose Save rules.

15. Return back to the Trusted Advisor page and choose Recommendations from the navigation pane to the left of the page.

16. At the top-right of the page, choose Refresh all checks to force Trusted Advisor to re-evaluate all the checks. This might take some time. While you're waiting, you can also have a look at any other security issues that Trusted Advisor has raised for your account.
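The audit and the two fixes you just carried out by hand in Tasks 1 to 4, reproduced here as an added Python example (this is not part of the original lab and not Trusted Advisor's own code). It applies the published thresholds of the Security Groups - Specific Ports Unrestricted check (red for ports 20, 21, 1433, 1434, 3306, 3389, 4333, 5432 and 5500 open to a /0 source; yellow for any other port except 25, 80 and 443) to security-group data in the shape returned by `aws ec2 describe-security-groups`. The three groups and their sg- IDs are constructed to mirror Task 1 and are not real account data; in a real audit you would feed the function the JSON from that CLI command instead.

```python
"""Offline replica of the Trusted Advisor "Security Groups - Specific Ports
Unrestricted" rating, plus the two remediations from Tasks 3 and 4.
Added example; the sample data below is constructed, not real account output."""
from copy import deepcopy

# Thresholds published for the check: /0 sources on these ports rate red ...
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
# ... these ports are tolerated wide open (public web and mail) ...
TOLERATED_PORTS = {25, 80, 443}
# ... and anything else open to /0 rates yellow.
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

def _rule(port, cidr=ANY_IPV4):
    """Helper to build one inbound rule in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}

# Constructed to mirror the three groups built in Task 1 (the IDs are made up).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "NextWork Security Group",
     "IpPermissions": [_rule(21), _rule(22), _rule(80)]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "Web Security Group",
     "IpPermissions": [_rule(80)]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "MySQL Security Group",
     "IpPermissions": [_rule(3306)]},
]

def is_unrestricted(perm):
    """True if any source CIDR on the rule is the whole IPv4 or IPv6 Internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_IPV4, ANY_IPV6) for c in cidrs)

def rate_permission(perm):
    """Return 'red', 'yellow' or 'green' for one inbound rule."""
    if not is_unrestricted(perm):
        return "green"          # restricted source (CIDR or security group)
    if perm["IpProtocol"] == "-1":
        return "red"            # all traffic covers every red port
    ports = range(perm["FromPort"], perm["ToPort"] + 1)
    if any(p in RED_PORTS for p in ports):
        return "red"
    if all(p in TOLERATED_PORTS for p in ports):
        return "green"
    return "yellow"

def audit(groups):
    """Worst rating per group and the offending rules, like the check's table."""
    order = {"green": 0, "yellow": 1, "red": 2}
    report = {}
    for sg in groups:
        findings, worst = [], "green"
        for perm in sg["IpPermissions"]:
            rating = rate_permission(perm)
            if rating != "green":
                findings.append((perm["IpProtocol"], perm.get("FromPort"), rating))
            if order[rating] > order[worst]:
                worst = rating
        report[sg["GroupName"]] = {"status": worst, "findings": findings}
    return report

def remediate(groups):
    """Task 3: drop the port-21 rule. Task 4: replace the 0.0.0.0/0 source on
    3306 with a reference to the Web Security Group. Returns a new list."""
    fixed = deepcopy(groups)
    by_name = {sg["GroupName"]: sg for sg in fixed}
    nextwork = by_name["NextWork Security Group"]
    nextwork["IpPermissions"] = [p for p in nextwork["IpPermissions"]
                                 if p.get("FromPort") != 21]
    web_id = by_name["Web Security Group"]["GroupId"]
    for perm in by_name["MySQL Security Group"]["IpPermissions"]:
        if perm.get("FromPort") == 3306:
            perm["IpRanges"] = []
            perm["UserIdGroupPairs"] = [{"GroupId": web_id}]
    return fixed

if __name__ == "__main__":
    for label, data in (("before", SECURITY_GROUPS), ("after", remediate(SECURITY_GROUPS))):
        print(f"--- {label} ---")
        for name, r in audit(data).items():
            print(f"{r['status']:6} {name}: {r['findings']}")
```

Running it shows the same progression you saw in the console: NextWork Security Group and MySQL Security Group start red, and after the two fixes MySQL Security Group is green. Note that NextWork Security Group ends up yellow rather than green, because SSH (port 22) is still open to 0.0.0.0/0; the lab leaves that rule in place, but in a real account you would restrict it to your own address range or replace it with Session Manager access.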

Task 5: Remove any unnecessary resources

As always, let's remove anything we don't need! While security groups don't rack up charges, it's best practice to delete them to reduce clutter in your account.

We'll leave this final step to you - you must be quite familiar with deleting resources by now! But if you're stuck, let the NextWork community know - we're here to tackle these moments together. 💪🏽

Congratulations! You have successfully:

  • Used AWS Trusted Advisor to perform a basic audit of your AWS resources
  • Modified EC2 Security Groups to meet best practices

High five! 🖐️💥 Want to know more about security? Best Practices for Security, Identity, & Compliance is a valuable reference guide to learning security best practices in AWS.