About the Client
Our customer is the world market leader in roof and convertible roof systems as well as parking heaters and is among the world’s largest 100 suppliers to the automotive industry. Furthermore, the company concentrates on the growth market electro mobility with heating systems, charging solutions and battery systems.
Business Challenges Faced by the Client
Data protection in the cloud has been a major challenge due to the shared responsibility model and automation of public cloud infrastructure. Hence, to ensure consistent compliance controls across their infrastructure, they required new methodology. The following are some of the key areas where they required continuous security.
- Ensure all the AWS resources are tagged according to the organization’s naming standards
- Ensure all AWS users have passwords matching the organization’s password policy
- Log all the user actions on the AWS account
- Ensure all the instances in the AWS account are launched using the approved AMIs and instance types
- Identify all the unattached AWS resources such as Volumes, Elastic IPs, etc
- Enable Multi Factor Authentication (MFA) for the users
- Restrict public access to S3 buckets in the AWS account
- Ensure SSH traffic is allowed only from the known IP addresses
- Identify all the DB instances without backup and maintenance windows
After a deep analysis on clients’ requirements, SecureKloud recommended AWS Config to achieve continuous compliance across their infrastructure. AWS Config provides a detailed view of the resources associated with the AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time. SecureKloud helped the client in configuring the following AWS Config Rules in their environment to meet continuous compliance and security needs.
- Untagged EC2 resources – Checks whether the resources have at least one tag attached to it
- IAM password policy enabled – Checks whether the account password policy for IAM users meets the specified requirements
- Cloud Trail enabled – Checks whether AWS CloudTrail is enabled in the AWS account
- Approved AMIs by Ids – Checks whether running instances are using specified AMIs
- Unattached Volumes – Checks whether EBS volumes are attached to EC2 instances
- Unattached EIPs – Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs
- Unattached ENIs – Checks whether all ENIs created within the VPC are attached to EC2 instances
- MFA for IAM Users – Checks whether the IAM users in the AWS account require multi-factor authentication for console sign-in
- EC2 instances within a VPC – Checks whether the EC2 instances belong to a virtual private cloud (VPC)
- S3 Bucket Public Read/Write restricted – Checks that all the S3 buckets in the AWS account do not allow public read/write access
- Disallow unrestricted incoming SSH traffic – Checks whether security groups that are in use disallow unrestricted incoming SSH traffic
- DB instance Backup enabled – Checks whether RDS DB instances have backups enabled.
- Instances launched with approved Instance types – Checks whether all the EC2 instances in the AWS account are of the approved instance types
- Instance Type Restriction – Framed an IAM policy that restricts all the users except admin from launching any high configuration type instances
- IAM User Policy Check – Checks that none of the IAM users have policies attached .The above factors were used to ensure continuous security and compliance in the AWS environment. To provide security at server level SecureKloud resorted to OS hardening of the Web as well as DB servers.
- SSH Default Port Change – As a part of OS hardening SSH default port was changed from 22 to 3000
- Lockdown Cronjobs – Except Root user all other users were denied permission from executing cron jobs using the “/etc/cron.deny” file
- Turning on SE Linux – SE Linux is an access control security mechanism provided at the kernel level
- Turn Off IPv6 – Since we are not currently dealing with any kind of IPv6 traffic we shall disable it by configuring the network file present in the location “/etc/sysconfig/network”
- Enable IP tables – IP tables are a linux firewall used to secure the server from unauthorized access
- Installing psacct & acct – These tools are used for monitoring user activities and processes on a system
- /boot as Read only – Changed the “/boot” directory to Read-only mode, to prevent unauthorized access to important boot files. By default, it was in Read-Write mode
- Continuous Monitoring:
With AWS Config, our customer could continuously monitor and record configuration changes of their AWS resources over a given period
- Continuous Assessment:
AWS Config allowed them to achieve continuous auditing and assessment of overall compliance of their AWS resource configurations with the organizational policies and guidelines
World Market Leader in Automotive Industry