Mark Radonic
ServiceNow Employee

Intro:

Cloud Configuration Governance is an application introduced in the ServiceNow San Diego release. It enables organizations to define policies and rules that are applied to a specific set of resources, whatever the cloud provider, in order to manage compliance and security enforcement. The update sets contained in this article offer new policies to govern the configuration of AWS Security Group resources and give examples of how to use this new application.

Content of the update set:

There are 3 main policies that have been created:

  • AWS VM SecurityGroup Policy:

The policy aims at identifying the VMs that don't have an associated Security Group. This is a kind of dummy policy whose purpose is to associate each VM with its corresponding Security Groups. It serves the next policy, which identifies which Security Groups are not used by any VM.

A configuration Key has been used for this purpose: "AWS:EC2:VM:SecurityGroup"

A new resource collector has been associated to it.

  • AWS SecurityGroup usage policy:

The policy aims at identifying the Security Groups that are not used by any VM. It uses the results of the previous policy to find Security Groups that are not referenced by any VM.

  • AWS SecurityGroup InboundRule Policy:

The policy aims at identifying Security Groups that have risky network rules, among which:

  1. A rule with "all" in protocol and "all" in IP ranges is considered forbidden and is critical severity
  2. A rule with a value other than "all" in protocol and "all" in IP ranges is considered risky and is medium severity
  3. A rule with "all" in protocol that is not associated with the same internal Security Group is considered high risk and is high severity
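The following Python is an added example, not code from the update sets, showing how the usage policy and the three inbound-rule checks above can be evaluated over a constructed inventory. It assumes the `AWS:EC2:SecurityGroup:InboundRules` JSON follows the AWS EC2 `IpPermissions` shape (`"-1"` meaning all protocols, `0.0.0.0/0` or `::/0` meaning all IP ranges), reads rule 3 as any all-protocol rule whose source is not the group itself, and uses hypothetical group and instance ids.

```python
# Added example, not code from the update sets. Assumes the InboundRules JSON
# uses the AWS EC2 IpPermissions shape ("-1" = all protocols, 0.0.0.0/0 = all IPs).
ALL_PROTOCOLS = "-1"

def open_to_world(rule):
    """True when any IPv4/IPv6 range in the rule covers every address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def source_is_self_only(rule, own_group_id):
    """True when the rule's only source is the security group itself."""
    if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
        return False
    peers = [p.get("GroupId") for p in rule.get("UserIdGroupPairs", [])]
    return bool(peers) and all(p == own_group_id for p in peers)

def classify_rule(rule, own_group_id):
    """Map one inbound rule to its violation definition, or None if compliant."""
    all_proto = rule.get("IpProtocol") == ALL_PROTOCOLS
    world = open_to_world(rule)
    if all_proto and world:
        return "AWS SecurityGroup forbidden InboundRule"  # critical
    if world:
        return "AWS SecurityGroup risky InboundRule"      # medium severity
    if all_proto and not source_is_self_only(rule, own_group_id):
        return "AWS SecurityGroup high risk InboundRule"  # high severity
    return None

def audit_security_groups(security_groups, vm_to_sgs):
    """Usage policy + inbound-rule policy; returns {group_id: [violations]}."""
    referenced = {sg for sgs in vm_to_sgs.values() for sg in sgs}
    results = {}
    for sg in security_groups:
        gid = sg["GroupId"]
        findings = [] if gid in referenced else ["AWS SecurityGroup is not used"]
        findings += [v for v in (classify_rule(r, gid) for r in sg.get("IpPermissions", [])) if v]
        results[gid] = findings
    return results

# Constructed sample inventory (hypothetical group and instance ids)
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-internal"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]
SAMPLE_VMS = {"i-1": ["sg-web"], "i-2": ["sg-internal"]}  # VM -> attached groups
```

Running `audit_security_groups(SAMPLE_SGS, SAMPLE_VMS)` flags `sg-open` as both unused and forbidden, `sg-web` as risky (HTTPS from anywhere), and `sg-internal` as high risk only for the rule that trusts another group.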

Prerequisites:

  • Plugin Installation:
  1. Discovery
  2. CMDB CI Class Model
  3. Discovery and Service Mapping Patterns
  4. Cloud Action Library
  5. Cloud Configuration Governance
  • Install a MID Server
  • Complete the existing Credential Alias "AWS Creds Alias" by adding a new IAM credential
  • Set the Authentication Algorithm to "AWS Authenticator" in the credentials
  • Create a new AWS Service Account with the newly created IAM credential
  • Discover the datacenters

Update sets installation and configuration (see the Step by Step installation guide of the AWS Security Groups Scanning use case):

  • Import the update sets in the following order:
  1. CAL - Security Group action for CCG v2.xml
  2. CCG - Security Group audit v2.xml
  • Preview and commit
  • Check that the policies described above have been imported (the flow designer subflows and actions should have also been imported)
  • If not created, create a first Scan Configuration with the "AWS VM SecurityGroup Policy Set". Schedule and execute it. At the end of the execution, verify whether there are VMs that don't have Security Groups associated
  • Most importantly, verify that the CM resources have their "AWS:EC2:VM:SecurityGroup" Configuration Key populated
  • If not created, create another Scan Configuration with the "AWS SecurityGroup usage Policy Set". Schedule and execute it.
  • You can now identify in "Show audit results" the Security Groups that are not referenced by any VM
  • If not created, create a last Scan Configuration with the "AWS SecurityGroup Inbound rules Policy Set". Schedule and execute it.
  • You can now identify in "Show audit results" the Security Groups that have non-compliant network rules

List of objects in the update sets:

 CAL - Security Group action for CCG v1.xml

Action:

  • CAL - AWS List VMs with SecurityGroups:

This action has been copied from "CAL - AWS List VMs" in order to add the Security Groups inventory for each VM.

  • CAL - AWS List SecurityGroups:

Action that lists all Security Group attributes into the corresponding Configuration Keys.

CCG - Security Group audit v2.xml

Actions:

  • Create EC2 VM SG Metrics From Response:

Action that stores the VM Security Groups into the Configuration Key "AWS:EC2:VM:SecurityGroup".

  • Create EC2 SecurityGroup Metrics From Response:

Action that stores Security Group attributes into the corresponding Configuration Keys.

Subflows:

  • CCG - AWS VM SG Data Collector:

The subflow is the resource collector for the VM Configuration Key.

  • CCG - AWS SecurityGroup Data Collector:

The subflow is the resource collector for the Security Group Configuration Keys.

Configuration Keys:

  • AWS:EC2:VM:SecurityGroups (string)
  • AWS:EC2:SecurityGroup:Tags (map)
  • AWS:EC2:SecurityGroup:groupDescription (string)
  • AWS:EC2:SecurityGroup:groupId (string)
  • AWS:EC2:SecurityGroup:groupName (string)
  • AWS:EC2:SecurityGroup:vpcId (string)
  • AWS:EC2:SecurityGroup:InboundRules (json)
  • AWS:EC2:SecurityGroup:ownerId (string)

Policies:

  • AWS VM SecurityGroup Policy
  • AWS SecurityGroup usage Policy
  • AWS SecurityGroup InboundRule Policy

Policy Sets:

  • AWS VM SecurityGroup Policy set
  • AWS SecurityGroup usage Policy Set
  • AWS SecurityGroup Inbound rules Policy Set

Resource Collector:

  • AWS SecurityGroup Data Collector
  • AWS VM SG Data Collector

Resource Type:

  • Security Group

Violation Definitions:

  • AWS SecurityGroup risky InboundRule
  • AWS SecurityGroup high risk InboundRule
  • AWS SecurityGroup is not used
  • AWS SecurityGroup forbidden InboundRule
  • AWS VM SecurityGroup Missing

Last update: 05-16-2022 02:39 AM