Amazon Web Services (AWS) is a cloud hosting platform that offers cloud computing and infrastructure services.
Secureframe scans various AWS resources and configurations to ensure compliance and automatically gather evidence.
Connecting the Integration
To integrate AWS with Secureframe, navigate to Integrations and search for “AWS” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.
Secureframe integrates with both Organization & Account. To connect an Account, an Organization must also be connected.
Additional AWS settings can be found via Integrations>AWS>Settings where you may add and remove specific regions.
Connecting at different levels of the hierarchy (Organization & Account)
AWS allows users to manage connections at various levels in the hierarchy e.g. Organization, Organization Units and Member Accounts. Secureframe allows you to integrate with the Organization level as well as the member account (child) connection in order to:
- Make it easier to pull in and set up multiple account connections under an organization at once, allowing you to save time
- Provide a cleaner experience in organizing and managing the different levels of the hierarchy enabled in your AWS account
- Make it easier to identify accounts by automatically discovering accounts associated to your organization
- Make it easier to exclude the accounts that you do not want to sync with Secureframe
Manage connections/sync
You can now easily manage your account (child) connections directly from the Integrations page.
- To sync all accounts under a connection click the sync button
- In order to sync or manage only specific accounts under a connection, click the # of connections
- You can now view and manage the settings, rename the connection, reconnect and archive an account (child) account directly from this screen
- You can also view and change included regions and accounts if you click into the AWS integration settings (cogwheel icon).
Migrating existing connections in Secureframe to Parent/Child connections
If you already have multiple AWS accounts set up as separate connections in Secureframe and you want to take advantage of managing your connections through the parent/child connection, follow these steps:
- Archive any individual existing account connections you have that you are expecting to be pulled in by the organization (management account) connection. Note: if you have any account connections that you’re not expecting to be brought in by the organization connection, you do not need to archive those account connections in Secureframe.
-
- Click the kebab menu on individual account connections.
- Click Archive.
-
- Once your connections have been archived, click on available connections, search for “AWS” and click “Add connection” or “Connect” under AWS.
- Follow the steps outlined in the connection form for organization. The “root management” account is the one that has to be integrated with Secureframe. When you click “Create stack” in step 2, the CloudFormation stack will create an AWS Stack in your account. You may then navigate to AWS StackSets and deploy it to all target accounts. You may also choose to skip this step and manually create this role if you do not want to use the Secureframe CloudFormation stack. Please refer to the AWS documentation if doing manually.
- Go to your AWS StackSet and deploy the created SecureframeOrgRoles StackSet, ensure you have automatic deploys enabled so new accounts added to the organization will automatically get the role.
- In step 6 of the connection form, you will be able to view a list of member accounts/child connections and select those you wish to integrate with Secureframe. These can be changed later via the integration settings.
- Click Finish. When completed, you will now be able to see the number of child connections under an organization account (and their details) directly in the main integrations page.
- When you click on the number of child connections, you will be able to see details of the child connections and be able to:
- Filter through child accounts
- Sync individual child connections or sync all child connections under the organization
- Rename the connection (organization or child)
- Exclude any individual child connections you don’t want integrated with Secureframe
Supported Regions
The AWS regions supported through the Secureframe integration include:
- "us-east-1",
- "us-east-2",
- "us-west-1",
- "us-west-2",
- "eu-west-3",
- "eu-west-2",
- "eu-west-1",
- "eu-north-1",
- "eu-central-1",
- "sa-east-1",
- "ca-central-1",
- "ap-southeast-2",
- "ap-southeast-1",
- "ap-south-1",
- "ap-northeast-3",
- "ap-northeast-2",
- "ap-northeast-1",
# Regions below require opt in see https://docs.aws.amazon.com/general/latest/gr/rande-manage.html
- "af-south-1",
- "ap-east-1",
- "ap-south-2",
- "ap-southeast-3",
- "ap-southeast-4",
- "eu-central-2",
- "eu-south-1",
- "eu-south-2",
- "me-central-1",
- "me-south-1"
Permissions, Fields Pulled, Controls and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
AWS evidence
Secureframe pulls evidence for dozens of types of AWS resources and their configuration as it relates to security and compliance, including:
- EC2 Instances
- S3 Buckets
- IAM Roles and their associated policies AWS Inspector vulnerability reports
Update the Scan Stack for AWS CloudFormation
Secureframe has identified permission updates for AWS that need to be applied in all customer accounts to ensure that scans continue to perform correctly. The template URL specified below contains our most recent iteration of the permissions needed for Secureframe Scans. The file can be opened with most text editors.
Use these instructions to update the AWS Secureframe CloudFormation Stack with the latest template:
- In your AWS account, navigate to the AWS region where the Secureframe Stack was created when the AWS Connection and CloudFormation page were first created. The default is the us-west-2 region.
- Refer to these instructions to update an AWS CloudFormation stack (console).
- Specifyhttps://secureframe-templates.s3-us-west-2.amazonaws.com/secureframe.template for the Amazon S3 URL of the template file.
- Ifus-west-2 is a disabled region, download the template file provided here and upload it directly.
- DO NOT change the existing External ID Parameter and proceed to Step 5.
- This stack manages an IAM Role. Mark the checkbox for “I acknowledge that AWS CloudFormation might create IAM resources with custom names”.
- Click the button to update the stack.
Any permission issues with an individual test should be corrected by syncing the AWS integration after updating these permissions.
Stack Changelog
2023-05-31
These actions have been added to the policy:
- "ecs:GetTaskProtection"- "ses:GetEmailIdentity"- "wafv2:GetLoggingConfiguration"
2023-02-24
The updated role continues to rely on the AWS SecurityAudit managed policy. Because AWS has updated the managed policy, we have removed many actions from the secureframe-additional-permissions policy that were duplicates.
These actions have been added to the policy:
- "elasticfilesystem:DescribeBackupPolicy"- "elastictranscoder:ListPipelines"- "es:ListVpcEndpoint*"- "ses:ListEmailIdentities"- "wafv2:GetWebACLForResource"
Remediating AWS Parent/Child Connection Error
An error may occur when migrating an existing AWS integration in Secureframe to parent/child connections. If you experience this error take the following steps to remediate the issue.
- Go into the AWS Console > CloudFormation > StackSets. You should see a StackSet called SecureframeOrgRoles.
-
Open the stackset and select add stacks to StackSet.
- Select deploy new stacks and deploy to organization.
-
Under “Specify Regions”, select any region
- Click Next, and then Submit
- Go to stack instances under the secureframe org roles stackset and you should see deployments happening to the accounts in the organization. Wait for the stackset to deploy to ALL accounts in the org,
- Resync your existing AWS connection in Secureframe.
Remediating AWS test errors
If you experience the following error:
Here are the recommended steps to remediate this error:
Perform the following steps to setup the metric filter, alarm, SNS topic, and subscription.For each step, you will need to replace the pieces of each command that are in angle brackets, i.e. <piece>, with the appropriate value for your account.
If you get errors about names, you may need to quote your values with single or double quotes.
1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the '<cloudtrail_log_group_name>' taken from audit step 1.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <cloudtrail_cfg_changes_metric> --metric-transformations metricName=<cloudtrail_cfg_changes_metric>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify
aws sns create-topic --name <sns_topic_name>
**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
aws cloudwatch put-metric-alarm --alarm-name <cloudtrail_cfg_changes_alarm> --metric-name <cloudtrail_cfg_changes_metric> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
AWS Errors
AWS Common Error Messages Help Article
Frequently Asked Questions (FAQ)
We have a few S3 buckets that do not have block public access enabled because those buckets are intentionally publicly accessible. How should we handle this test?
- Yes, the best course here is to ignore those failing tests and provide a reason explaining why they are publicly accessible.
Related to
Comments
0 comments
Article is closed for comments.