[CloudOps Runbooks] Security Baseline Assessment
📖 Overview
The CloudOps Runbooks Security Baseline Assessment is a comprehensive tool designed to evaluate the security of AWS environments in accordance with basic security advisories. It provides a structured way to assess your account and workload configurations against AWS Security best practices and the AWS Startup Security Baseline (SSB). This tool supports Python (via Pip or Docker) and AWS Lambda deployments, offering flexibility for local testing, CI/CD integration, and scalable cloud execution.
By automating 15+ critical AWS account security and workload security checks, this solution empowers startups, enterprises, and DevOps teams to validate their cloud security posture, generate actionable reports, and align with AWS Well-Architected principles.
The generated report also describes practical, low-cost techniques for responding to common security threats on AWS. The script is intended for early-stage businesses that cannot yet invest heavily in security.
✨ Features:
Core Capabilities
- Account and Workload Security Checks: - Validates root account controls, IAM configurations (MFA, password policy, directly attached user policies), S3 public access settings, CloudTrail, GuardDuty, and CloudWatch alarm configuration.
- Report Generation: - Generates multi-language HTML reports (English, Japanese, Korean, Vietnamese).
- Actionable Insights: - Provides remediation steps for failed checks, mapped to AWS documentation.
- Flexible Deployment: - Usable as a Python library (pip), containerized application (Docker), or AWS Lambda function.
- Read-Only Permissions: - Runs under a least-privilege IAM policy that is read-only apart from iam:GenerateCredentialReport, so the diagnostics change no configuration in the account.
# | Category | Checklist ID | Checklist Description | Remediation/Action Items | Relevant URL |
---|---|---|---|---|---|
01 | Governance | alternate_contacts | Check that account-level alternate contacts are set, so you do not lose contact with (and access to) your account. | Set alternate contacts on the management account for billing, security, and operations notifications. | Accurate account information (ACCT.01) |
02 | Root Account Controls | root_usage | Restrict use of the root user. | Check the last access date of the root user. Do not use the root user for everyday tasks, even administrative ones; reserve it for the few tasks that require it, such as billing and alternate-contact changes. | Protect the Root User (ACCT.02) |
03 | Root Account Controls | root_access_key | Detect access keys generated for the root account. | Delete any access keys associated with the root account. Create an administrative user so that you don't use the root user for everyday tasks. | Remove Root Access Keys (ACCT.03) |
04 | IAM Security | direct_attached_policy | Check directly attached IAM policies for users. | Use IAM groups and roles instead of directly attaching policies to users. | Assign permissions (ACCT.04) |
05 | Root Account Controls | root_mfa | Check if MFA is enabled for the root account. | Enable MFA on the root account. With MFA set up, a malicious actor will face another challenge to access your account even if they manage to get your root email and password. | Require multi-factor authentication to log in (ACCT.05) |
05 | IAM Security | iam_user_mfa | Ensure MFA is enabled for all IAM users. | Enable MFA for all IAM users. | IAM User MFA (ACCT.05) |
06 | IAM Security | iam_password_policy | Verify IAM password policy settings. | Ensure password length, expiration, and complexity policies are in place. | Enforce a password policy (ACCT.06) |
07 | CloudTrail Configurations | trail_enabled | Ensure CloudTrail is enabled for the account. | Deliver CloudTrail logs to a protected S3 bucket for governance and auditing purposes. | Enable CloudTrail (ACCT.07) |
07 | CloudTrail Configurations | multi_region_trail | Verify multi-region CloudTrail is enabled. | Enable multi-region logging for centralized governance and auditing. | Turn Multi-Region CloudTrail On (ACCT.07) |
08 | S3 Public Access Settings | account_level_bucket_public_access | Check public access block settings at the account level. | Enable account-level S3 bucket public access block to prevent accidental exposure. | Prevent public access to private S3 buckets (ACCT.08) |
08 | S3 Public Access Settings | bucket_public_access | Check public access settings for individual buckets. | Configure bucket policies to block public access and enable encryption by default. | Prevent Public Access to Private S3 Buckets (ACCT.08) |
10 | Monitoring and Alarms | cloudwatch_alarm_configuration | Check CloudWatch Alarms for critical events. | Configure alarms for root user activity, unauthorized API calls, and billing thresholds. | Setup a billing alarm and an alarm for root account use (ACCT.10) |
10 | Regional Operations | multi_region_instance_usage | Identify EC2 instance usage across regions. | Use centralized reporting for multi-region EC2 usage to optimize costs and governance. | EC2 Multi-Region Usage Insights |
11 | GuardDuty and Monitoring | guardduty_enabled | Check that GuardDuty is enabled. | Enable GuardDuty so that unusual activity and known threats are detected, and set up notifications so that findings are reviewed and acted on. | Enable GuardDuty Notifications (ACCT.11) |
12 | Governance | trusted_advisor | Monitor for and resolve high-risk issues by using Trusted Advisor | Enable Trusted Advisor for cost optimization and security recommendations. | Enable Trusted Advisor (ACCT.12) |
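The root and IAM-user checks in the table above can all be read from a single IAM credential report, which is why the execution policy grants iam:GenerateCredentialReport and iam:GetCredentialReport. The following is an added example, not the runbooks' own code: it parses a constructed report and evaluates root_mfa, root_access_key, root_usage and iam_user_mfa. The column names are the ones AWS emits; the sample rows, the 90-day root_usage window and the PASS/FAIL labels are assumptions made for this example.

```python
"""Evaluate root_mfa, root_access_key, root_usage and iam_user_mfa from one IAM credential report.

Added example, not the project's own code. Column names are the ones AWS emits in the report;
SAMPLE_REPORT is constructed data, and ROOT_USAGE_WINDOW_DAYS and the PASS/FAIL labels are
assumptions made for this example.
"""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"                         # literal user name AWS uses for the root row
ROOT_USAGE_WINDOW_DAYS = 90                          # assumption: root used within 90 days -> FAIL
NEVER = ("N/A", "no_information", "not_supported")   # placeholders AWS writes instead of a timestamp

# Constructed sample report: the real 22-column header plus four identities.
# Root: no MFA, one active access key, password used on 2024-01-10.
# alice: console user with MFA. ci-bot: console user without MFA. deploy-key: API-only user (no password).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T12:00:00+00:00,not_supported,not_supported,false,true,2021-03-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,2023-11-01T00:00:00+00:00,2024-01-02T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-02-01T00:00:00+00:00,true,no_information,2022-02-01T00:00:00+00:00,N/A,false,true,2022-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-key,arn:aws:iam::111122223333:user/deploy-key,2023-05-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-05-01T00:00:00+00:00,2024-01-03T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def fetch_credential_report(iam):
    """Download the live report with a boto3 IAM client. GetCredentialReport fails with
    ReportNotPresent/ReportInProgress until generation finishes, so poll until COMPLETE."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")   # Content is bytes in boto3


def parse_report(content):
    """One dict per identity, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(content)))


def _root_row(rows):
    return next(r for r in rows if r["user"] == ROOT_USER)


def _parse_ts(value):
    """Timestamps are ISO-8601 with offset; placeholders mean 'never used'."""
    return None if value in NEVER else datetime.fromisoformat(value)


def check_root_mfa(rows):
    return "PASS" if _root_row(rows)["mfa_active"] == "true" else "FAIL"


def check_root_access_key(rows):
    root = _root_row(rows)
    has_key = root["access_key_1_active"] == "true" or root["access_key_2_active"] == "true"
    return "FAIL" if has_key else "PASS"


def check_root_usage(rows, now=None, window_days=ROOT_USAGE_WINDOW_DAYS):
    """FAIL if the root password or either root access key was used inside the window.
    `now` may be a tz-aware datetime or an ISO-8601 string; it defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    root = _root_row(rows)
    for col in ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date"):
        used = _parse_ts(root[col])
        if used is not None and now - used <= timedelta(days=window_days):
            return "FAIL"
    return "PASS"


def check_iam_user_mfa(rows):
    """Console users (password_enabled == true) without an MFA device. API-only users have no
    password to protect with MFA, so they are not flagged by this check."""
    return [r["user"] for r in rows
            if r["user"] != ROOT_USER and r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def evaluate_all(rows, now=None):
    missing_mfa = check_iam_user_mfa(rows)
    return {
        "root_mfa": check_root_mfa(rows),
        "root_access_key": check_root_access_key(rows),
        "root_usage": check_root_usage(rows, now),
        "iam_user_mfa": "FAIL" if missing_mfa else "PASS",
        "users_without_mfa": missing_mfa,
    }


if __name__ == "__main__":
    # For a live account: rows = parse_report(fetch_credential_report(boto3.client("iam")))
    print(evaluate_all(parse_report(SAMPLE_REPORT)))
```

Against the constructed report, root fails MFA, access-key and (for any `now` within 90 days of 2024-01-10) usage, and only ci-bot is reported under iam_user_mfa: deploy-key has no console password, so MFA does not apply to it.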
This modular structure ensures maintainability and supports seamless integration into pipelines or ad hoc testing.
├── security-baseline
│ ├── checklist ## Security check modules
│ │ ├── account_access_controls
│ │ │ ├── root_access_key.py
│ │ │ ├── root_mfa.py
│ │ │ ├── root_usage.py
│ │ ├── cloudtrail_configurations
│ │ │ ├── trail_enabled.py
│ │ │ ├── multi_region_trail.py
│ │ ├── s3_public_access_settings
│ │ │ ├── account_level_bucket_public_access.py
│ │ │ ├── bucket_public_access.py ## Validates S3 bucket policies
│ │ ├── guardduty_and_monitoring
│ │ │ ├── guardduty_enabled.py
│ │ │ ├── cloudwatch_alarm_configuration.py
│ │ ├── iam_security
│ │ │ ├── iam_password_policy.py ## Checks IAM password policy
│ │ │ ├── iam_user_mfa.py
│ │ │ ├── direct_attached_policy.py
│ │ ├── governance
│ │ │ ├── trusted_advisor.py
│ │ │ ├── alternate_contacts.py
│ │ ├── regional_operations
│ │ │ ├── multi_region_instance_usage.py
│ ├── lib/ ## Core utilities and constants
│ │ ├── common.py ## Shared helper functions
│ │ ├── enums.py ## Enumerations for reporting
│ │ ├── language.py ## Multi-language support
│ │ └── permission_list.py ## IAM permissions for checks
│ ├── config.json ## Configurable parameters for checks
│ ├── permission.json ## IAM policy for execution
│ ├── report_generator.py ## HTML report generator
│ ├── run_script.py ## Main execution script
│ └── report_template_en.html ## Report templates EN, JP, KR, VN
Creating IAM Resources for Security Baseline Runbooks
Follow these steps to create IAM resources (policy, group, role, and user) with permissions for running Security Baseline runbooks.
1. Create a Security Baseline Policy security-baseline-policy
Define the permissions for the Security Baseline runbooks in a policy.
- 1.1. Navigate to the IAM Console.
- 1.2. Select Policies in the left-hand menu and click Create Policy.
- 1.3. Switch to the JSON tab and paste the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SecurityBaselinePermission",
"Effect": "Allow",
"Action": [
"account:GetAlternateContact",
"iam:GenerateCredentialReport",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:ListUsers",
"sts:GetCallerIdentity",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"guardduty:GetDetector",
"guardduty:ListDetectors",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"support:DescribeTrustedAdvisorChecks"
],
"Resource": "*"
}
]
}
- 1.4. Click Next to review the policy. Name the policy security-baseline-policy and save it.
2. Create a Security Baseline Group
- 2.1. In the IAM Console, select User Groups and click Create Group.
- 2.2. Name the group security-baseline-group.
- 2.3. Attach the security-baseline-policy created earlier.
- 2.4. Click Create Group.
3. Create a Security Baseline Role
- 3.1. In the IAM Console, select Roles and click Create Role.
- 3.2. Select AWS Service as the trusted entity and choose Lambda (or another service where the script will run).
- 3.3. Attach the security-baseline-policy to the role.
- 3.4. Name the role security-baseline-role and click Create Role.
4. Create a Security Baseline User
- 4.1. In the IAM Console, select Users and click Add Users.
- 4.2. Name the user security-baseline-user.
- 4.3. Leave Provide user access to the AWS Management Console - optional unchecked; the user needs programmatic (CLI/SDK) access only.
- 4.4. On the Set Permissions page, add the user to the security-baseline-group.
- 4.5. Complete the creation process.
5. Set Up AWS Credentials for CLI
After creating the user, generate access keys for the user:
- 5.1. Select the Security credentials tab on the security-baseline-user details page.
- 5.2. Click Create access key to generate credentials. The secret access key is shown only once; store it in your credentials file and never commit it to a repository.
- 5.3. Configure the credentials for the AWS CLI, either by editing the ~/.aws/credentials file directly or by running the AWS CLI's interactive configuration.
- 5.4. Enter the access key ID, secret access key, default region, and output format.
6. [Optional] Use AWS CloudShell
For testing in AWS CloudShell:
- Attach the AWSCloudShellFullAccess policy to the security-baseline-group.
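For CI/CD or repeatable setups, steps 1 to 4 above can be driven through the IAM API instead of the console. The following is an added example written for this page, not part of the runbooks: it reads the policy document from permission.json (the file in the repository tree), lints it so that no non-read-only action other than iam:GenerateCredentialReport slips in, and plans the IAM calls before executing them with boto3. The resource names are the ones used in the steps above; the lint rule and the plan/execute split are this example's own design.

```python
"""Provision the Security Baseline IAM resources (policy, group, role, user) with boto3.

Added example, not part of the runbooks. Resource names follow the console steps above;
the read-only lint and the plan/execute split are design choices of this example.
"""
import json

POLICY_NAME = "security-baseline-policy"
GROUP_NAME = "security-baseline-group"
ROLE_NAME = "security-baseline-role"
USER_NAME = "security-baseline-user"

# Trust policy for the execution role (step 3.2 picks Lambda as the trusted service).
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
READ_ONLY_EXCEPTIONS = {"iam:GenerateCredentialReport"}   # the one non-read action the checks need


def read_only_violations(policy_document):
    """Return every action that is neither Describe*/Get*/List* nor an allowed exception,
    so a stray write permission cannot enter the baseline policy unnoticed."""
    violations = []
    for stmt in policy_document["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):          # IAM allows a single string instead of a list
            actions = [actions]
        for action in actions:
            _, _, verb = action.partition(":")
            if action not in READ_ONLY_EXCEPTIONS and not verb.startswith(READ_ONLY_PREFIXES):
                violations.append(action)
    return violations


def load_policy_document(path="permission.json"):
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    bad = read_only_violations(doc)
    if bad:
        raise ValueError(f"non read-only actions in {path}: {bad}")
    return doc


def plan(account_id, policy_document):
    """Ordered IAM API calls equivalent to console steps 1-4. A customer managed policy has the
    ARN arn:aws:iam::<account>:policy/<name>, so the attach calls can be planned up front."""
    policy_arn = f"arn:aws:iam::{account_id}:policy/{POLICY_NAME}"
    return [
        ("create_policy", {"PolicyName": POLICY_NAME, "PolicyDocument": json.dumps(policy_document)}),
        ("create_group", {"GroupName": GROUP_NAME}),
        ("attach_group_policy", {"GroupName": GROUP_NAME, "PolicyArn": policy_arn}),
        ("create_role", {"RoleName": ROLE_NAME, "AssumeRolePolicyDocument": json.dumps(LAMBDA_TRUST_POLICY)}),
        ("attach_role_policy", {"RoleName": ROLE_NAME, "PolicyArn": policy_arn}),
        ("create_user", {"UserName": USER_NAME}),
        ("add_user_to_group", {"GroupName": GROUP_NAME, "UserName": USER_NAME}),
    ]


def execute_plan(iam, steps):
    """Run the plan with a boto3 IAM client. The caller needs IAM create/attach permissions
    (an administrator, not the baseline user); each step maps 1:1 to an IAM API operation."""
    return [getattr(iam, operation)(**params) for operation, params in steps]


if __name__ == "__main__":
    import boto3
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    steps = plan(account_id, load_policy_document())
    for operation, params in steps:                 # review before applying
        print(operation, {k: v for k, v in params.items() if not k.endswith("Document")})
    execute_plan(boto3.client("iam"), steps)
    # Step 5 (the access key) is deliberately left to `aws iam create-access-key`, run
    # interactively: the secret is shown once and belongs in ~/.aws/credentials only.
```

Running the lint against the policy in step 1.3 reports no violations; a policy that accidentally contained, say, s3:PutObject would be rejected before anything is created.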
🚀 Deployment and Usage
The tool offers multiple deployment options tailored for different use cases, such as local testing, CI/CD pipelines, and cloud-native executions.
TBD: Watch Video Guide
Option 1: Run Locally with Python
- Clone the Repository:
- Prerequisites: $ task -d ~ install
- Run the Script:
  PROFILE_NAME=security-baseline python src/runbooks/security-baseline/run_script.py --profile $PROFILE_NAME --language EN # python run_script.py --profile $PROFILE_NAME --language EN
  - If you configured the AWS CLI with a specific profile, set PROFILE_NAME to that profile name (the command above uses PROFILE_NAME=security-baseline).
  - Supported languages: English (EN), Korean (KR), Japanese (JP), Vietnamese (VN).
- View Results:
  - Upon completion, an HTML report will be generated in the results/ directory.
  - If running on AWS CloudShell, download the report locally. How to download files from AWS CloudShell.
Option 2: Run with Docker
- Build the Docker Image:
- Run the Container:
Option 3: AWS Lambda Deployment
- Prepare the Lambda Function:
  - Package the security-baseline directory into a ZIP file.
  - Ensure dependencies are included by using tools like pipenv or venv.
- Deploy to AWS Lambda:
  - Create a Lambda function in the AWS Management Console or using the AWS CLI.
  - Attach the permission.json IAM policy to the function's execution role.
- Invoke the Function:
  - Use the AWS CLI or a scheduled event trigger (e.g., an Amazon EventBridge rule, formerly CloudWatch Events).
🛡️ Security Checks Included
The following checks are aligned with the AWS Startup Security Baseline (SSB):
- Account-Level Security:
  - Root account MFA enabled
  - No root access keys
  - Root user not used for everyday tasks
  - Alternate contacts configured
- IAM Best Practices:
  - Password policies enforced
  - MFA for IAM users
  - Permissions granted through groups and roles rather than policies attached directly to users
- Monitoring and Logging:
  - CloudTrail enabled, with a multi-region trail covering all regions
  - GuardDuty activated
  - CloudWatch alarms configured for critical events
- S3 Public Access:
  - Public access block enabled at the account level
  - Public access block enabled on each bucket
- Regional Operations:
  - EC2 instance usage across regions, to surface resources running where you do not expect them
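The monitoring and S3 checks above are evaluated from API responses rather than a report, and each has a trap: a trail can exist without logging, a public access block can be partially set (or absent, which the API reports as an error rather than an empty configuration), and a GuardDuty detector can exist while disabled. The following added example, not the runbooks' own code, shows that evaluation logic over constructed responses that mirror the boto3 response shapes of describe_trails/get_trail_status, get_public_access_block and list_detectors/get_detector; the PASS/FAIL labels, sample ARNs and bucket names are assumptions.

```python
"""Evaluate trail_enabled, multi_region_trail, account_level_bucket_public_access and
guardduty_enabled from the API responses the execution policy permits.

Added example, not the project's own code. Dict shapes follow the boto3 responses of
cloudtrail.describe_trails / get_trail_status, s3control.get_public_access_block and
guardduty.list_detectors / get_detector; all SAMPLE_* values are constructed.
"""

PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

# Constructed sample: a multi-region trail that exists but was stopped, next to a single-region
# trail that is still logging. A naive "does a multi-region trail exist" test passes this; it should not.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "IsMultiRegionTrail": True, "S3BucketName": "example-cloudtrail-logs", "LogFileValidationEnabled": True},
    {"Name": "legacy", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy",
     "IsMultiRegionTrail": False, "S3BucketName": "example-legacy-logs", "LogFileValidationEnabled": False},
]
SAMPLE_TRAIL_STATUSES = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": False},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": True},
}
# Only two of the four account-level flags set: public bucket policies are still possible.
SAMPLE_ACCOUNT_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# A detector exists in the region but has been disabled.
SAMPLE_DETECTORS = [{"Status": "DISABLED", "FindingPublishingFrequency": "SIX_HOURS"}]


def check_trails(trails, statuses):
    """trails: describe_trails()["trailList"]; statuses: {TrailARN: get_trail_status(Name=arn)}.
    trail_enabled needs at least one trail that is actually logging; multi_region_trail needs a
    logging trail with IsMultiRegionTrail set, not merely a multi-region trail that exists."""
    logging = [t for t in trails if statuses.get(t["TrailARN"], {}).get("IsLogging")]
    return {
        "trail_enabled": "PASS" if logging else "FAIL",
        "multi_region_trail": "PASS" if any(t.get("IsMultiRegionTrail") for t in logging) else "FAIL",
    }


def check_public_access_block(config):
    """config: get_public_access_block()["PublicAccessBlockConfiguration"], or None when the call
    raised NoSuchPublicAccessBlockConfiguration. Nothing configured is a FAIL, not a SKIP, and a
    partial block is a FAIL because each flag closes a different public-access path."""
    if not config:
        return "FAIL"
    return "PASS" if all(config.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS) else "FAIL"


def check_guardduty(detectors):
    """detectors: get_detector() responses for every id returned by list_detectors() in the region.
    Presence is not enough; the detector's Status must be ENABLED."""
    return "PASS" if any(d.get("Status") == "ENABLED" for d in detectors) else "FAIL"


def collect_live(session):
    """Gather the same inputs from a real account with a boto3.Session under the baseline policy.
    describe_trails() includes shadow copies of multi-region trails from other regions, so one
    region is enough for the trail checks; GuardDuty detectors are per region."""
    from botocore.exceptions import ClientError
    cloudtrail = session.client("cloudtrail")
    trails = cloudtrail.describe_trails()["trailList"]
    statuses = {t["TrailARN"]: cloudtrail.get_trail_status(Name=t["TrailARN"]) for t in trails}
    account_id = session.client("sts").get_caller_identity()["Account"]
    try:
        pab = session.client("s3control").get_public_access_block(
            AccountId=account_id)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    guardduty = session.client("guardduty")
    detectors = [guardduty.get_detector(DetectorId=d) for d in guardduty.list_detectors()["DetectorIds"]]
    return trails, statuses, pab, detectors


if __name__ == "__main__":
    # Live use: trails, statuses, pab, detectors = collect_live(boto3.Session(profile_name="security-baseline"))
    print(check_trails(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUSES))
    print(check_public_access_block(SAMPLE_ACCOUNT_PAB), check_guardduty(SAMPLE_DETECTORS))
```

On the constructed data the account passes trail_enabled only because of the single-region legacy trail, fails multi_region_trail because the org trail is stopped, and fails both the public access block and GuardDuty checks.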
📊 Reports and Insights
- Format: HTML reports generated in the results/ directory.
- Languages: English, Korean, Japanese, and Vietnamese.
- Insights:
  - Passed, failed, and skipped checks with detailed descriptions.
  - Direct remediation steps with links to AWS documentation.
Sample Report:
Check ID | Description | Result | Remediation Steps |
---|---|---|---|
01 | Root account MFA enabled | ✅ Pass | N/A |
02 | CloudTrail enabled | ❌ Fail | Enable CloudTrail |
03 | S3 bucket public access | ✅ Pass | N/A |
📋 Prerequisites
IAM Permissions
Attach the policy defined in permission.json to the IAM user or role executing the script. The policy is read-only except for iam:GenerateCredentialReport, which only triggers generation of the account's credential report and changes no configuration. Note that support:DescribeTrustedAdvisorChecks (used by the trusted_advisor check) belongs to the AWS Support API, which is available only with a Business, Enterprise On-Ramp, or Enterprise Support plan; on Basic or Developer Support the call is rejected with SubscriptionRequiredException and that check cannot be evaluated.
AWS CLI Configuration
- Set up credentials in the ~/.aws/credentials file or use AWS CloudShell.
🔮 Future Enhancements
- Multi-Account Scans: - Expand to support AWS Organizations for enterprise-wide checks.
- AI Integration: - Leverage machine learning for automated anomaly detection and remediation suggestions.
- Visualization Dashboards: - Integrate with AWS QuickSight or Grafana for real-time security monitoring.
📢 Feedback and Contributions
We value your feedback! Share your ideas or report issues via:
- GitHub: CloudOps Runbooks Repository
- Email: [email protected]
Let’s work together to make cloud security accessible, effective, and scalable for everyone. 🚀
FAQ: Frequently Asked Questions
1. How can I test additional security items to enhance AWS account security?
To test a broader range of security configurations, consider using AWS Trusted Advisor.
This service regularly analyzes your AWS accounts and helps you implement AWS security best practices aligned with the AWS Well-Architected Framework. By managing your security settings through Trusted Advisor, you can systematically improve the security posture of your AWS environment.
2. Where can I find more information or guidelines to improve AWS security?
AWS provides the AWS Well-Architected Tool, a comprehensive cloud service for evaluating and optimizing your architecture.
This tool includes a Security Pillar, which outlines detailed best practices for securing your AWS workloads. Use these guidelines to design, assess, and enhance your security strategy effectively.
3. Can I scan multiple AWS accounts within the same AWS Organization simultaneously?
No, this script currently supports scanning a single AWS account at a time.
To scan additional AWS accounts in the same organization, you must:
- Create a separate IAM user with the required permissions in each account.
- Run the script individually for each account.
Note: Organization-level security settings cannot be assessed using this script. Consider AWS services like AWS Organizations for managing policies at scale.
4. Can I use this script without an IAM Access Key?
Yes, you can run the script without an IAM Access Key by leveraging IAM roles.
Since 1 August 2023 the script can be run with an IAM role profile instead of long-term access keys.
Follow these steps:
1. Refer to Overview of using IAM roles to configure a role profile in the AWS CLI.
2. Execute the script with the --profile option set to the name of that role profile.
This approach enhances security by reducing the dependency on long-term access keys.