Corrective Controls for Public Resources (SSM Documents, EBS Snapshots)

I hope to come back and expand on this and give code examples for the resolution, but for the time being…

Let’s start with the recent discovery from Check Point:

Preventative controls are typically preferred for enforcing security and configuration compliance. This can be achieved in AWS through IAM policies, resource policies, and service control policies, among more traditional controls.

Where preventative measures are not possible due to a required level of granularity in the use case, corrective controls provide another layer of the security solution.

SSM Documents, like EBS snapshots, can be made public. Because the API calls of interest have legitimate operational use cases, completely blocking these actions with preventative controls is not an option. In both cases there are API calls which can trigger evaluation of the event and make a decision to respond.

Within the SSM service, the action is used to set the permissions for both sharing with specific accounts and making the document public. This action can be seen in CloudTrail and to run a Lambda function to evaluate and take corrective action if needed. Below is a portion of the event for :

"requestParameters": {
"name”: "<documentname>",
"permissionType": "Share",
"accountIdsToAdd": [
"all"
],
"accountIdsToRemove": []
},

The EventBridge rule should look for all events. The target function should evaluate and the all value.

Within the EC2 service, EBS snapshots can be set to Public or shared with specific accounts. Just like with SSM above, completely blocking the action, which is required to set the sharing settings, is not an option as a preventative control. The event contains the following:

"requestParameters": {
"snapshotId": "snap-abc123def456ghi",
"createVolumePermission": {
"add": {
"items": [
{
"group": "all"
}
]
}
}
"attributeType": "CREATE_VOLUME_PERMISSION"
}

As previously described, upon evaluation of all events, within the response function will allow granular corrective steps for this potential misconfiguration.

Misconfigurations from human error continue to plague companies of all sizes. Whenever preventative controls are unable to be used as guardrails, automation of corrective controls are essential to remain secure while allowing innovation.

Modernizing companies’ AWS security and governance programs at scale.

Modernizing companies’ AWS security and governance programs at scale.