Security Questions To Ask Your Cloud Engineering Team (Cheatsheet)
Table of Contents
- Identity, Authentication, and Least Privilege
- Infrastructure As Code (IaC)
- Security Operations
- Network Security
- Conclusion: It’s All About Layers
Introduction
Engineering and Product Leaders are often confident that their engineers follow security best practices when putting together their cloud environment. They often tell me things like, “we have a team of 80 engineers,” or, “we have a team of experienced engineers that know what they’re doing.” From my perspective, this is great news. I’m glad to see expert engineers working on complex problems. But does this give me the confidence that all the security checks are in place at the organization?
Nope.
For me, it’s always about trust but verify. I’m happy to trust that you have all your ducks in a row, but the proof is in the pudding. Additionally, when a senior leader tells me something like this, I can hardly trust that there aren’t any security improvements to be made. Even advanced AWS shops like CapitalOne that have released countless tools have had their issues.
There are several ways you can look for security improvements, such as asking your team questions. Here are some questions to ask your engineering and security team the next time you want some assurance on cloud security. Remember: trust but verify. Have your engineers ensure the statements they are saying are valid.
Identity, Authentication, and Least Privilege
There are several questions you can consider, especially considering how permissions and AWS roles are set up.
Here are some examples:
- Are there any excessive permissions in AWS currently, such as:
- ec2:*
- sc3:*
- iam:*
- iam:PassRole
- Do you have SSO enabled for AWS Console access? If not, when do you plan on doing so?
- If SSO is enabled:
- Are IAM users in AWS for service accounts only?
- Who has access to the root account?
- Does the root account have MFA enabled?
- Can you move towards a model where users don’t have static IAM keys?
- Are your EC2 instances using role-based authentication?
- Do any of your 3rd-party SaaS applications support role-based authentication?
Cloud Security Audit Tools
There are several open-source auditing tools that you can use to accelerate this process or obtain a deeper insight into your security.
Here is a tool to look into:
- ScoutSuite – an open-source multi-cloud security-auditing tool designed by security consultants/auditors that enables security posture assessment of cloud environments.
Infrastructure As Code (IaC)
Infrastructure as Code efficiently and consistently deploys infrastructure to the cloud using machine-readable code.
Several questions to consider when examining the security of your IaC code include:
- Is everything in AWS reflected in our IaC code?
- What checks/controls do you have in place to prevent IaC drift?
- Is your IaC deployment automated using CD?
- Do you have security checks in place on our IaC?
- Do you have pre-commit checks?
- Where are your state files stored?
- Are files encrypted using KMS?
- Do you have a way to prevent multiple users from pushing IaC code at the same time?
IaC Security Tools
There are several open-source auditing tools that you can use to accelerate this process or obtain a deeper insight into your security.
Here is a tool to look into:
- Checkov – an open-source static code analysis tool for infrastructure-as-code that scans cloud infrastructure provisioned using platforms such as Terraform to detects security and compliance misconfigurations.
Security Operations
Security operations give you day-to-day visibility into your infrastructure. Mistakes happen, and you want to have a mechanism to detect such mistakes and correct them as soon as possible.
Here are some questions to consider:
- Do you have a way to determine whether someone logged into root?
- Is Cloudtrail enabled and stored somewhere safely?
- Are there measures in place to prevent Cloudtrail logs from being deleted?
- Are your logs stored somewhere for a period of time?
- Do you have a way of detecting malicious activity in your VPCs or hosts?
AWS Native Security Operations Services
There are several platforms to help you throughout this process.
Here are several of them:
- CloudTrail – a service that provides governance, compliance, operational auditing, risk auditing, and event history to your AWS account to simplify security analysis, resource change tracking, and troubleshooting, and detect unusual activity in your AWS accounts
- Guardduty – a threat detection service that monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3
- AWS Config – a service that continuously monitors and records your AWS resource configurations, allowing you to automate assessing, auditing, and evaluating the configurations of your AWS resources
Network Security
Classic, but tried and true. We have seen databases listening on the internet with ports wide open. They say it takes about 80 seconds for a machine to begin being scanned once it’s placed on the internet!
Here are some questions to consider:
- Do you have any mechanisms preventing full VPC-VPC access?
- Do any hosts have 0.0.0.0/0 security groups open on them?
- Are any hosts listening on ports other than 443 on the internet?
- Are credentials being encrypted while in transit?
Data Security
Having great data security is essential to protecting data from getting into the hands of unauthorized users.
Here are some questions to consider:
- Are credentials being encrypted at rest?
- Is our customer data in a multi-tenant architecture?
- Do we encrypt our customer data at rest?
- Are we using KMS keys?
Conclusion
Now, you have a whole bunch of questions to ask your engineering and security team. I hope this guide has been helpful. If your team answered and verified positively to all the questions here, you are awesome and someone should write a book on you!
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.
