Secplicity - Security Simplified

CloudFormation Benefits for Secure AWS Deployments

May 4, 2017 By Teri Radichel

As discussed in a prior Secplicity blog post, automation can help improve security by reducing the potential for human error. Security automation includes programmatic deployments of infrastructure and applications. But how do you automate cloud deployments? If you are using AWS, CloudFormation is one of your options. CloudFormation has some features that help secure the AWS resource deployment process.

What is CloudFormation?

CloudFormation is an AWS service that allows you to deploy things like virtual machines, networks, databases, storage, users, permissions, custom applications, and security appliances on the AWS cloud platform by writing software instead of clicking buttons. A “CloudFormation Template” is a text file written in a specific format that defines the AWS resources you want to create. The AWS tool of your choice can execute commands to automatically deploy the resources in your template. For more details, refer to the CloudFormation documentation and the list of CloudFormation resources.

How Can CloudFormation Help Secure Systems?

AWS users can log into the AWS Console, choose some options, and push buttons to easily create and change resources on AWS. Problems with this approach arise when someone clicks the wrong buttons or types the wrong information (by accident or on purpose). As already explained, human error contributes to many security problems. Preventing and reverting changes that do not match security policies is more complicated for random, uncontrolled processes. Deploying the same resource manually multiple times or in many places will likely result in mistakes due to variations in steps taken. To track down and fix errors, you must dig through logs and piece together information. Hopefully, you have the logs and have secured them. Manually fixing the problem could result in even more human error.

Alternatively, CloudFormation templates allow development, ops, and security teams to write code that deploys AWS resources. A team can test the code in advance to ensure it works correctly. Taking these steps minimizes the chance for human error during deployments to production systems. The code can perform the first deployment, re-deploy, and roll back changes if an error occurs. If a change causes a problem, older versions of the code stored in a source control system can restore systems to a prior state. With proper planning, you can design scripts to rerun gracefully even in the event of an unexpected error, such as a service outage. These scripts can pick up where they left off, correctly completing their tasks despite the original failure.

Managing CloudFormation Permissions

AWS Identity and Access Management (IAM) is a service that lets you create very fine-grained policies defining who can take which actions in your account. The AWS CloudFormation service has a list of allowed actions, and policies can restrict the permission to take these actions to specific users or systems. Explaining all the details of IAM roles, policies, users and groups is beyond the scope of this blog post, but here is an example of an IAM policy that allows a user or role to create AWS resources using the CloudFormation CreateStack action.

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Resource": "*"
    }]
  }

CloudFormation Audit Logs

CloudFormation offers real-time and post-deployment audit logs of events that occurred during the deployment in the AWS Console. For example, this audit log shows the time and events that occurred during an automated deployment of a Firebox Cloud.

The template tab in the CloudFormation console shows the template that created the stack. If you restrict changes to the account to CloudFormation only, you can use this information to verify what exists in your account.

The CloudFormation resources tab lists the resources created by the CloudFormation template.

Clicking on a link in the Physical ID column displays details about a resource.

CloudFormation Stack Policies

CloudFormation stack policies can prevent unauthorized updates to CloudFormation stack resources. The following is an example of a stack policy from the AWS stack policy documentation that allows updates to all resources in the stack except a database.

  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "Update:*",
        "Principal": "*",
        "Resource": "*"
      },
      {
        "Effect": "Deny",
        "Action": "Update:*",
        "Principal": "*",
        "Resource": "LogicalResourceId/ProductionDatabase"
      }
    ]
  }
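To make the two policies above concrete, here is a small evaluator (an added example, not code from the post or from AWS) that applies the core IAM evaluation rule to both of them: everything is implicitly denied, an explicit Allow grants, and any explicit Deny overrides every Allow. It runs the CreateStack-only IAM policy and the stack policy from the post against a few actions, so you can see that the IAM policy grants CreateStack but not UpdateStack, and that the stack policy lets a stack update touch every resource except ProductionDatabase. Conditions, NotAction/NotResource and Principal matching are deliberately left out; the logical resource IDs used as inputs are made up for the example.

```python
import fnmatch
import json

# IAM policy from the post (with valid JSON): only cloudformation:CreateStack is allowed.
IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack"],
    "Resource": "*"
  }]
}
""")

# Stack policy from the post: updates allowed everywhere except the production database.
STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """Case-sensitive match using the '*' and '?' wildcards policies allow."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow" or "Deny" for one (action, resource) pair.

    Simplified evaluation: implicit deny unless a statement allows, and any
    matching Deny statement wins over every Allow.
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: stop immediately
        decision = "Allow"
    return decision


def blocked_updates(stack_policy, changes):
    """Given planned (stack action, logical resource id) pairs, return the
    logical ids the stack policy would refuse to update."""
    return [
        logical_id
        for action, logical_id in changes
        if evaluate(stack_policy, action, f"LogicalResourceId/{logical_id}") == "Deny"
    ]


if __name__ == "__main__":
    # Constructed stack ARN and logical ids used only to exercise the policies.
    stack_arn = "arn:aws:cloudformation:us-west-2:123456789012:stack/example/*"
    print(evaluate(IAM_POLICY, "cloudformation:CreateStack", stack_arn))   # Allow
    print(evaluate(IAM_POLICY, "cloudformation:UpdateStack", stack_arn))   # Deny
    print(blocked_updates(STACK_POLICY, [("Update:Modify", "WebServer"),
                                         ("Update:Replace", "ProductionDatabase")]))
```

Note that the stack policy only governs what a stack update may touch; whether the caller may run UpdateStack at all is still decided by IAM, which is why the post pairs the two mechanisms.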

CloudTrail Logs

CloudTrail Logs track every AWS service action taken on the Amazon cloud platform, including CloudFormation actions.

Clicking on a specific event shows even more information.

Clicking on the “View event” button shows even more details. Ultimately every action taken by an AWS service in your account is the result of an API call, or in other words, a programmatic request to take an action on a software system. Even when you click a button, the AWS Console makes an API call to carry out the action you requested. These API calls are created via web requests in a specific format understood by the AWS cloud platform. The event detail shows the actual web request related to the logged event.

Log Security

Using a third-party platform with built-in logging and fine-grained access control makes it easier for companies to secure logs. Correctly established permissions can help companies who wish to implement segregation of duties. For example, a company may want to prevent the people or systems taking actions in their account from altering or deleting the logs that track those actions. This may be important if a legal issue requires chain of custody to prove what happened. AWS IAM allows companies to create the permissions structure to enforce these types of security policies. A scalable and secure logging platform will store logs as long and in as much detail as needed.

Disaster Recovery and Failover

Any form of software used to re-deploy systems and networks in the event of disaster recovery or failover is beneficial as explained in a previous post about security automation. One of the benefits of using CloudFormation specifically is tight integration with the AWS platform. CloudFormation understands and deploys resources in the same template in the correct order and in parallel when possible. Parameters allow execution of the same templates in different environments by separating the configuration values that change in each environment from the template code. Pseudo parameters generically reference AWS environment information in order to create templates that work in any AWS account or region.
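The following is an added example, not code from the post or from AWS, that shows what Parameters and pseudo parameters buy you. It holds a constructed CloudFormation template (in JSON form) whose only environment-specific values are an Environment parameter and an InstanceType parameter, and resolves the Ref and Fn::Sub intrinsics the way CloudFormation does for the pseudo parameters AWS::Region, AWS::AccountId and AWS::StackName. Rendering the same template for a dev and a prod environment shows that the resource code never changes, only the supplied values do, and that AllowedValues rejects a value outside the approved list. The account id 123456789012 and the resource names are made up for the example.

```python
import json
import re

# Constructed template: the changing values live in Parameters, the resources reference them.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "Environment":  {"Type": "String", "AllowedValues": ["dev", "prod"]},
    "InstanceType": {"Type": "String", "Default": "t2.micro"}
  },
  "Resources": {
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {"Fn::Sub": "logs-${Environment}-${AWS::AccountId}-${AWS::Region}"}
      }
    },
    "Firewall": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {"Ref": "InstanceType"},
        "Tags": [{"Key": "Env", "Value": {"Ref": "Environment"}},
                 {"Key": "Stack", "Value": {"Ref": "AWS::StackName"}}]
      }
    }
  }
}
""")

_SUB_RE = re.compile(r"\$\{([^}]+)\}")  # ${Name} placeholders inside Fn::Sub strings


def resolve(node, values):
    """Recursively replace {"Ref": name} and {"Fn::Sub": "..."} with concrete values.

    `values` maps parameter names and pseudo parameters to their values. Only
    the string form of Fn::Sub is handled here; other intrinsics pass through.
    """
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return values[node["Ref"]]
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return _SUB_RE.sub(lambda m: str(values[m.group(1)]), node["Fn::Sub"])
        return {key: resolve(child, values) for key, child in node.items()}
    if isinstance(node, list):
        return [resolve(child, values) for child in node]
    return node


def render(template, parameters, region, account_id, stack_name):
    """Bind parameters (defaults, AllowedValues), add pseudo parameters, resolve Resources."""
    values = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in parameters:
            value = parameters[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"missing value for parameter {name}")
        allowed = spec.get("AllowedValues")
        if allowed and value not in allowed:
            raise ValueError(f"{name}={value!r} is not one of {allowed}")
        values[name] = value
    # Pseudo parameters come from the account/region the stack is deployed into,
    # which is what lets one template work in any account or region.
    values["AWS::Region"] = region
    values["AWS::AccountId"] = account_id
    values["AWS::StackName"] = stack_name
    return resolve(template["Resources"], values)


if __name__ == "__main__":
    prod = render(TEMPLATE, {"Environment": "prod", "InstanceType": "m4.large"},
                  "us-west-2", "123456789012", "firebox-prod")
    print(json.dumps(prod, indent=2))
```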

Embedding Security Checks into Deployment Processes

One of the real benefits of AWS in general is the ability to take actions based on specific events, and that includes CloudFormation events. When a CloudFormation action occurs, it can trigger security checks in your account using AWS services such as CloudWatch Events, Amazon Inspector and AWS Config Rules. These tools can automatically prevent and revert changes that do not meet security policies.
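Here is an added example, not code from the post or from AWS, that ties the CloudTrail section and the event-driven checks together: a few constructed CloudTrail records (not real logs, trimmed to the fields the checks read) are run through a classifier that flags stack mutations by principals outside an approved list, stack creations that request CAPABILITY_IAM, and direct write calls to EC2 that did not come through CloudFormation. The last check relies on CloudTrail setting userIdentity.invokedBy to cloudformation.amazonaws.com when CloudFormation calls a service on your behalf, and the handler at the bottom is shaped like a Lambda entry point for a CloudWatch Events rule on "AWS API Call via CloudTrail" events, where the CloudTrail record is carried in the event's detail field. The user names, stack name and security group id are made up; the approved-operator list is an assumption you would replace with your own.

```python
# Constructed CloudTrail records, reduced to the fields used below.
SAMPLE_RECORDS = [
    {   # approved pipeline creating a stack that also creates IAM resources
        "eventTime": "2017-05-04T10:00:00Z",
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "CreateStack",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-pipeline"},
        "requestParameters": {"stackName": "firebox-cloud",
                              "capabilities": ["CAPABILITY_IAM"]},
    },
    {   # EC2 change made by CloudFormation on the pipeline's behalf: expected
        "eventTime": "2017-05-04T10:00:30Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-pipeline",
                         "invokedBy": "cloudformation.amazonaws.com"},
        "requestParameters": {"groupId": "sg-0123example"},
    },
    {   # same EC2 change made directly from the console by a person
        "eventTime": "2017-05-04T11:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"groupId": "sg-0123example"},
    },
    {   # stack deleted by someone who is not an approved operator
        "eventTime": "2017-05-04T11:20:00Z",
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "DeleteStack",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"stackName": "firebox-cloud"},
    },
    {   # read-only call: never a finding
        "eventTime": "2017-05-04T11:21:00Z",
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "DescribeStacks",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]

# Assumed local policy: who may change stacks, which stack calls count as mutations,
# and which direct service calls should only ever arrive via CloudFormation.
APPROVED_STACK_OPERATORS = {"deploy-pipeline"}
STACK_MUTATIONS = {"CreateStack", "UpdateStack", "DeleteStack", "SetStackPolicy"}
WATCHED_DIRECT_CALLS = {
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "RunInstances"},
}


def classify(record):
    """Return a finding label for one CloudTrail record, or None if it needs no attention."""
    identity = record.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn", "unknown")
    source = record.get("eventSource")
    name = record.get("eventName")
    via_cloudformation = identity.get("invokedBy") == "cloudformation.amazonaws.com"

    if source == "cloudformation.amazonaws.com" and name in STACK_MUTATIONS:
        if actor not in APPROVED_STACK_OPERATORS:
            return f"unapproved-stack-mutation:{name}:{actor}"
        capabilities = record.get("requestParameters", {}).get("capabilities", [])
        if "CAPABILITY_IAM" in capabilities:
            # Approved, but the stack creates IAM resources: worth a review.
            return f"stack-creates-iam-resources:{name}:{actor}"
        return None

    if name in WATCHED_DIRECT_CALLS.get(source, set()) and not via_cloudformation:
        return f"direct-change-outside-cloudformation:{name}:{actor}"
    return None


def scan(records):
    """Batch mode: run classify over a list of records, keeping time and finding."""
    findings = []
    for record in records:
        finding = classify(record)
        if finding is not None:
            findings.append((record.get("eventTime"), finding))
    return findings


def handler(event, context=None):
    """Lambda-shaped entry point for a CloudWatch Events rule on CloudTrail API calls."""
    return {"finding": classify(event.get("detail", {}))}


if __name__ == "__main__":
    for when, finding in scan(SAMPLE_RECORDS):
        print(when, finding)
```

In practice the batch function would read CloudTrail's gzipped JSON objects from S3 (each holds a list under the Records key) and the handler would forward its finding to a notification or ticketing target; both are left out so the example runs offline.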

Up Front Investment for Future Security

Initially, it might take some time for you to learn the CloudFormation template syntax. It will also take time to set up proper security controls in your account, such as IAM policies to limit permissions. However, this upfront investment will pay time and security dividends in future deployments. CloudFormation is a very powerful and flexible tool that can help prevent errors, improve logging, and add security to cloud deployments.

The next blog post in this series will show how to use CloudFormation to deploy a WatchGuard Firebox Cloud in your AWS account.  — Teri Radichel (@teriradichel)

Filed Under: Editorial Articles Tagged With: auditing, aws, cloudformation, deployment, logging, security, security automation, segregation of duties

Comments

  1. Fredrik Andersson says

    July 4, 2017 at 5:55 am

    Hi Teri,

    My question is actually not regarding this specific article. However it is regarding deployment of Firebox in general.
    Do you have any use cases and examples for deployment of i.e. FireboxV on an environment running ESXi, NSX and vCloud Director?

    Yours sincerely

    Fredrik Andersson

    • Teri Radichel says

      July 5, 2017 at 3:49 pm

      Hi Fredrik,

      From our product team: “ESXi is a supported environment, but there are no Case Studies on our site about deploying XTMv/FireboxV that specifically mention ESXi. Product and engineering are considering what it would take to integrate with NSX.”

      If you had a VM stored in a secure repository you could write automation that works against that particular repository to retrieve the VM (secure file transfer protocol of your choice), start the VM via command line, then once running the same Python code should work for the most part to make CLI calls to the Firebox:

      https://github.com/tradichel/FireboxCloudAutomation/blob/master/code/resources/firebox-lambda/fireboxconfig.py

      The tricky part would be securing the VM and the key in transit and at rest and restricting access to the Firebox as is done in the AWS script.

      Teri

      • Teri Radichel says

        July 20, 2017 at 5:05 pm

        This blog post provides additional information for automated creation of firewall rules using Python in non-AWS environments: https://www.secplicity.org/2017/07/20/create-firewall-rules-python-watchguard-fireware-cli/

  2. Fredrik Andersson says

    August 11, 2017 at 6:41 am

    Hi Teri,

    Thanks for your reply. I am most interested what product and engineering are considering in regards to integration with NSX.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use