Automating your AWS cloud security with Bridgecrew

Automating AWS cloud security

Whether you’re an AWS expert or just getting by with the bare essentials, you’re probably aware of how robust the AWS cloud ecosystem is. With its countless cloud-native services and solutions, it’s no surprise that AWS is the leader in the $45B cloud market.

AWS provides its customers with immense flexibility, performance, and cost-savings benefits, but it does come with some responsibility. As outlined in the cloud shared responsibility model, that responsibility is split between AWS and the customer: AWS is responsible for the security of the cloud, and customers are responsible for security in the cloud, meaning the data they store and the operation and configuration of their AWS resources.

To ease that burden for its customers, AWS has gone above and beyond to provide guardrails as they build and deploy infrastructure. Beyond its extensive suite of security solutions such as AWS Security Hub, part of its commitment to security is visible in its network of hundreds of security partners.

We at Bridgecrew are honored to be part of the APN community as AWS Security Competency status and AWS DevOps Competency status partners, and as providers in AWS Marketplace. Read more in our press release here.

Building upon the existing suite of security resources, our goal is to provide comprehensive visibility into AWS infrastructure security posture and actionable remediations when errors are identified.

In this post, we’ll walk through getting started with Bridgecrew for AWS, identifying security and compliance issues, and implementing fixes.

Connecting Bridgecrew to your AWS account

With Bridgecrew connected to your AWS account, you can easily start addressing security and compliance issues in existing and new resources. Our native AWS integration uses CloudFormation as a standardized mechanism to deploy a read-only IAM role in your account. This role performs read-only API calls to assess the state of your configurations.

To connect an AWS account, head to the Integrations tab in the Bridgecrew platform, select AWS Read Only, Add Account, and Launch Stack.

You will then be prompted to create a CloudFormation stack from a template pre-populated with Bridgecrew connection details.

Select the checkbox next to “I acknowledge…” to permit the creation of IAM resources and select Create Stack.

That’s all it takes to start addressing configuration errors within your AWS resources! 🧙‍♀️

If you’re provisioning resources with CloudFormation templates or another configuration framework, you can also utilize Bridgecrew to address misconfigurations in infrastructure as code. Read about getting started with CloudFormation here.

Identifying security and compliance errors

Once you’ve connected your AWS account, Bridgecrew periodically scans your AWS resources and services and evaluates them against security best practices and compliance controls. With over 80% coverage of the CIS Standards, Bridgecrew comes fully equipped with hundreds of pre-defined policies. Infrastructure policies fall into categories such as IAM, Networking, Monitoring, and Secrets, and map to compliance frameworks.

To review identified errors, head to the Incidents tab where you can filter errors by category, severity, and benchmark.

Bridgecrew supports all the popular compliance benchmarks, including PCI-DSS 3.2, SOC2, HIPAA, NIST 800-53, and more.

When investigating an error, select the policy in the list on the left and the affected AWS resources will be shown on the right.

In the screenshot above, you can see that three resources are failing the selected policy, “Ensure all data stored in the S3 bucket is securely encrypted at rest”.

To see a more detailed description of the policy and the rationale behind it, select Guidelines.

Bridgecrew makes it easy to get complete visibility into your cloud resources and to understand how strong your cloud security posture is.

But we go a step further.

Remediating issues with automated playbooks

To help security teams address cloud risks faster without creating more work for engineering teams, Bridgecrew also provides automated remediations.

In order to start remediating misconfigurations, you’ll need to deploy the AWS Remediation Stack, which lets you fix errors by modifying the configuration of your AWS environment. It uses a common messaging-based architecture to invoke a Lambda function locally in your account. This diagram illustrates the flow:

To deploy the stack, head back to Integrations and select AWS Remediation Stack. This creates a new CloudFormation template with the necessary Bridgecrew details pre-populated. The template creates the SQS and Lambda resources required to perform remediations when needed.

Once again, select the checkboxes next to “I acknowledge…” to permit the creation of IAM resources and grant access to CAPABILITY_AUTO_EXPAND.

Heading back to the failing resources from earlier, when we select one or more of them we now have the option to fix them, in addition to creating an issue or suppressing them. Selecting Fix prompts us to apply an automated fix in our AWS account.

Alternatively, select the code icon to download the remediation code and run the CLI command locally using an AWS access key.

Either way, Bridgecrew provides the code you need to actually implement fixes instead of creating more work in the form of Jira tickets. If you want to go that route, however, Bridgecrew supports that too!
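As an added illustration of the queue-driven remediation flow described above (example code, not Bridgecrew's own Lambda or message format), the handler below consumes one SQS record per failing bucket, re-checks the bucket with a read-only call, and only then enables default encryption at rest. The policy identifier, the message fields and the `FakeS3` client are assumptions made so the code runs offline; with a real boto3 client the same error-code check applies.

```python
import json

POLICY = "S3_ENCRYPTED_AT_REST"  # assumed policy id carried in each SQS message
SSE_CONFIG = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

def bucket_is_encrypted(s3, bucket):
    """Read-only re-check so the Lambda never writes to an already-compliant bucket."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries the S3 error code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return False
        raise
    return any("ApplyServerSideEncryptionByDefault" in rule
               for rule in cfg["ServerSideEncryptionConfiguration"]["Rules"])

def lambda_handler(event, context=None, s3=None):
    """Entry point: one SQS record per failing resource; returns what was changed."""
    if s3 is None:  # inside a real Lambda, fall back to boto3
        import boto3
        s3 = boto3.client("s3")
    fixed, skipped = [], []
    for record in event.get("Records", []):
        msg = json.loads(record["body"])
        bucket = msg.get("bucket")
        if msg.get("policy") != POLICY or bucket_is_encrypted(s3, bucket):
            skipped.append(bucket)
            continue
        s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=SSE_CONFIG)
        fixed.append(bucket)
    return {"fixed": fixed, "skipped": skipped}

class FakeClientError(Exception):  # mimics botocore.exceptions.ClientError's .response
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeS3:
    """Offline stand-in for boto3's S3 client (constructed for this example)."""
    def __init__(self, encrypted):
        self.encrypted = set(encrypted)
    def get_bucket_encryption(self, Bucket):
        if Bucket not in self.encrypted:
            raise FakeClientError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration": SSE_CONFIG}
    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encrypted.add(Bucket)

# Constructed sample event: one bucket to fix, one already compliant, one unrelated message.
SAMPLE_EVENT = {"Records": [
    {"body": json.dumps({"policy": POLICY, "bucket": "logs-bucket"})},
    {"body": json.dumps({"policy": POLICY, "bucket": "already-encrypted"})},
    {"body": json.dumps({"policy": "OTHER_POLICY", "bucket": "untouched"})},
]}
```

Running `lambda_handler(SAMPLE_EVENT, s3=FakeS3(encrypted={"already-encrypted"}))` fixes only `logs-bucket`; a second run changes nothing, which is the idempotence you want from any remediation that may be retried from a queue.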

Bonus: Shift cloud security left with Bridgecrew for CloudFormation

If you’re using CloudFormation to provision and manage your AWS architecture, it’s important to apply security controls there as well. With Bridgecrew you can address security errors and govern your infrastructure at both run-time and build-time. Scanning your CloudFormation templates against the same AWS policies is as easy as integrating your infrastructure repository or scanning a local directory with the Bridgecrew CLI.

· · ·

If this basic overview of Bridgecrew for AWS illustrates one thing, it’s how easy it can be to start improving your cloud security posture. To get started with Bridgecrew for AWS, sign up for a free account.