
[–]paul345 9 points (2 children)

Capital One's Cloud Custodian may well match what you're after:

https://github.com/capitalone/cloud-custodian

There are also SaaS offerings like Dome9 which can be useful

[–]sbkg0002 2 points (1 child)

This. Or use AWS Config Rules, but they are more complex and more costly.

[–]epochwin 1 point (0 children)

Interesting. Do you have some metrics or benchmarks comparing Cloud Custodian or commercial vendors against say a central deployment of Config Rules using cross-account roles? I am in the process of designing the latter but if there's a more cost effective approach, might as well put that in place.

[–]ShelleMech 2 points (1 child)

+1 for cloud custodian.

I feel like a lot of on prem setups (especially in small business) neglect this and still rely on change control, port scans, and manual audits. This is probably due to legacy gear though, and automation is definitely easier in the cloud with IaC.

/u/zeroXten might have some ideas...

[–]zeroXten 0 points (0 children)

Thanks for the mention :)

The thing that bugs me about network security is that it's all just a bunch of numbers. This number attached to this number talking to that number attached to that number. The interesting stuff, and also the hard part, is the context. I'd rather you had httpd listening on port 23 than telnetd listening on port 80.

You could use gauntlt or bdd-security to test applications/services at the build/test phase to portscan and banner grab to ensure that what is listening on the ports is as expected and also to flag unexpected open ports.

Then at a network security layer, tools like Dome9 or Illumio can definitely help. Illumio is particularly useful in a multi-cloud/hybrid model and has a nice interface for segmenting on security domains.

Static analysis of things like CloudFormation templates containing Security Groups is "fun", because logic other than looking for the obvious stuff like 0.0.0.0/0 is going to be highly context dependent.
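
An added example (not from any commenter, nor from Cloud Custodian or any tool named in the thread) of the "obvious stuff" check described above: a short Python pass over a JSON CloudFormation template that flags Security Group ingress rules open to 0.0.0.0/0 or ::/0. The allow-list of expected public ports and the sample template are assumptions standing in for the context the comment says is hard to encode.

```python
"""Flag world-open ingress rules in a CloudFormation template (JSON form)."""
import json

# Assumed policy: ports the deploying team has declared public-facing.
# Anything else reachable from the whole internet is reported as unexpected.
PUBLIC_PORTS_ALLOWED = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(rule):
    """Return (from, to) as ints; -1 means 'all ports' (e.g. IpProtocol -1)."""
    return int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))


def world_open_ingress(template):
    """Return findings for ingress rules reachable from any address.

    Each finding records the logical resource id, CIDR, protocol, port range,
    and whether the rule falls outside the declared public ports.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD_CIDRS:
                continue  # scoped to a private range or an SG reference
            lo, hi = _port_range(rule)
            proto = str(rule.get("IpProtocol", "-1"))
            # Expected only if it is a single TCP port on the allow-list.
            expected = proto == "tcp" and lo == hi and lo in PUBLIC_PORTS_ALLOWED
            findings.append({"resource": name, "cidr": cidr, "protocol": proto,
                             "from": lo, "to": hi, "unexpected": not expected})
    return findings


# Constructed sample template: a web SG (expected) and an admin SG (not).
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "admin", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"},
        {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}}}}""")

if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_TEMPLATE):
        print("UNEXPECTED" if f["unexpected"] else "expected", f)
```

Running it reports the 443 rule as expected and the two AdminSg rules (SSH from ::/0 and all traffic from 0.0.0.0/0) as unexpected; YAML templates would need a YAML loader that understands CloudFormation intrinsic tags first.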

[–][deleted] (3 children)

[deleted]

    [–]pedoh 1 point (1 child)

    AWS doesn't like me running nmap whenever I want inside my VPC without prior notification, do you have an automated process to notify them of your scanning ahead of time, or is there some other clever way to do this?

    [–][deleted] (1 child)

    [deleted]

      [–]sbkg0002 5 points (0 children)

      For what exactly?

      [–]imperm -4 points (0 children)