This post talks about how we use different tools to accomplish different tasks in a cloud security context, zooming in on Steampipe as a tool that should make it very easy to prepare for and meet audit requirements.
There are a couple of different things that we think of when we think of cloud security auditing.
One is a pure security activity of checking all of the configuration details on all of the services we are using to make sure they are configured properly.
Another is to support an external audit that somehow proves that we are doing the right thing across our infrastructure.
With SOC 2 and other audits, we are increasingly seeing tools introduced that supposedly help to magically speed up the audit process. As may be obvious already, I’m skeptical.
The idea that AI is going to magically help us with cloud security is laughably naive.
The cool thing about Steampipe, and really what the cloud APIs themselves enable, is that we can do a lot of that inventory and preparation ourselves.
Spoiler: the tool can’t help you be secure, you have to do the work.
Some tools are good at finding issues. I would categorize Prowler and ScoutSuite in this group. You run them to identify issues and they help you find problems. They are both open source and very useful. We built a commercial tool like this called JASP - so we know a thing or two about how these tools work and what they are good for and not good for.
JASP makes it basically as simple as possible to get everything running, keep it running consistently and provide reporting over time and alerting around issues.
Steampipe also supports checks against several CIS Benchmarks, including AWS, Azure and GCP.
Getting these running is easy for a DevOps person who is already using a CLI with any of these tools. So you can use Steampipe to do your “problem finding.”
There are commercial tools (including from the cloud providers) for finding problems too. Generally, I feel they are not used very effectively, and if you’re looking to find problems in your environment you might as well start with open source options. You need to understand them and their output to fix anything anyway.
On the downside, all of these tools produce huge lists of problems and lack context about the environment, including how the pieces fit together and what really is a security issue.
You can use these tools to prepare for an audit like a SOC 2, but it is likely they will have you doing a whole lot of extra work to clean up your report that the auditor won’t ask about, and they might miss simple things the auditor really does care about, like whether users are in the correct privileged IAM roles.
Building an inventory of your systems is outside the scope of the tools that find problems. If a system has an issue it will show up in the report but if it doesn’t, it won’t.
So when it comes to doing an audit, if the auditor says they want a list of EC2 instances, that may not be easy to supply. Not to mention the fact that you want to know what you have before you start the audit.
You can use native tools like AWS Config to keep track of what you have. You can use the GUI to do this work too, taking screenshots of the configuration. But this is kind of painful.
Enter Steampipe. With Steampipe, you can basically write queries against your accounts to list resources - including properties you might want to check.
For example, the following will show users without MFA:
select user_id, name, password_last_used, mfa_enabled
from aws_iam_user
where not mfa_enabled;
I can query databases, EC2 instances, all kinds of things through the steampipe interface which basically produces a SQL interface on top of the AWS APIs.
A more detailed example is being able to query EC2 instances that have unencrypted volumes attached.
select
  i.instance_id,
  vols -> 'Ebs' ->> 'VolumeId' as vol_id,
  vol.encrypted
from
  aws_ec2_instance as i
  cross join jsonb_array_elements(i.block_device_mappings) as vols
  join aws_ebs_volume as vol on vol.volume_id = vols -> 'Ebs' ->> 'VolumeId'
where
  not vol.encrypted;
Cool, right?
Something that is awesome about Steampipe is that it supports a lot of services through plugins for everything from AWS, GCP, Azure, Slack, Zoom, Alibaba, CloudFlare, DigitalOcean, Jira, Kubernetes, Shodan, Zendesk and more. It also has mods that implement checks against the data it can collect.
So I can use a plugin and then build queries to talk to all of these services and have a unified process for doing inventory and auditing. Once I know how to use it, I can really get a process in place quickly.
One of my favorite things about Steampipe is that you can (and we do) wrap the queries in scripts (in our case python) that allow us to run a series of queries and essentially translate audit requests for evidence into scripts that we can tweak and automate on the fly.
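As an added illustration of that wrapping idea (example code written for this post, not our scripts and not part of the Steampipe project), here is a small evidence collector: it maps each audit request to a query, runs it through the steampipe CLI, and writes one JSON record per check. It assumes `steampipe` is on PATH with the AWS plugin configured; the check names and queries are constructed, and the handling of the CLI's JSON shape (a bare array or an object with a "rows" key) is an assumption.

```python
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Audit evidence requests mapped to the Steampipe query that answers each one
# (check names and queries constructed for this example).
EVIDENCE_QUERIES = {
    "iam_users_without_mfa":
        "select name, mfa_enabled, password_last_used from aws_iam_user where not mfa_enabled;",
    "unencrypted_ebs_volumes":
        "select volume_id, encrypted from aws_ebs_volume where not encrypted;",
}

def parse_rows(raw: str) -> list:
    """Normalise `steampipe query --output json` output to a list of row dicts.
    Assumption: the output is a JSON array of rows or an object with a 'rows' key."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("rows", [])
    return [row for row in data if isinstance(row, dict)]

def run_query(sql: str) -> list:
    """Run one query through the steampipe CLI (needs steampipe on PATH)."""
    proc = subprocess.run(["steampipe", "query", sql, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return parse_rows(proc.stdout)

def summarise(check: str, rows: list) -> dict:
    """Wrap raw rows in an evidence record: because each query lists violations,
    zero rows means the control passed."""
    return {"check": check,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "finding_count": len(rows),
            "status": "pass" if not rows else "needs_attention",
            "rows": rows}

def collect_evidence(queries=EVIDENCE_QUERIES, runner=run_query, out_dir=None) -> dict:
    """Run every query, summarise it and optionally write one JSON file per check."""
    results = {}
    for check, sql in queries.items():
        results[check] = summarise(check, runner(sql))
        if out_dir is not None:
            Path(out_dir).mkdir(parents=True, exist_ok=True)
            (Path(out_dir) / f"{check}.json").write_text(json.dumps(results[check], indent=2))
    return results

if __name__ == "__main__":
    for rec in collect_evidence(out_dir="evidence").values():
        print(rec["check"], rec["status"], rec["finding_count"])
```

Adding a new evidence request is one more entry in the dictionary; the `runner` parameter lets you swap in a different executor (or recorded results) without touching the queries.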
Ultimately, I believe that if you’re going to have developers or ops folks anywhere on the spectrum of DevOps managing your infrastructure, these are the types of tools and approaches that empower them to secure your environment and crush your audit.
I don’t know anyone at Turbot or who works on Steampipe, but I’m excited about recommending it for these types of proactive tech security projects.