You must have read my last post about Prowler, a full-featured, open source tool that automates auditing and hardening guidance for an AWS account. It performs 52 checks based on the CIS Amazon Web Services Foundations Benchmark 1.1. If you are looking for a smaller set of checks, you have another option – Zeus.
What is Zeus?
Zeus is an open source Bash script that helps you audit and harden AWS EC2, S3, CloudTrail, CloudWatch and KMS according to best hardening practices. It checks security settings according to the profiles that you create and recommends changes based on the CIS AWS Security Benchmark. It uses the AWS CLI and works on *NIX and Mac OS X platforms. Compared with Prowler, its smaller set of checks is currently limited to 11 Identity and Access Management, 8 logging and 1 networking check, with more being added almost every day!
The checks done by Zeus are:
Identity and Access Management:
- Avoid the use of the “root” account
- Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- Ensure credentials unused for 90 days or greater are disabled
- Ensure access keys are rotated every 90 days or less
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires minimum length of 14 or greater
- Ensure no root account access key exists
- Ensure MFA is enabled for the “root” account
Logging:
- Ensure CloudTrail is enabled in all regions
- Ensure CloudTrail log file validation is enabled
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- Ensure CloudTrail trails are integrated with CloudWatch Logs
- Ensure AWS Config is enabled in all regions
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- Ensure rotation for customer created CMKs is enabled
Networking:
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
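Five of the IAM checks above (MFA for console users, credentials unused for 90 days, access key rotation, root access keys and root MFA) can all be answered from a single IAM credential report. The script below is an added example, not Zeus's own code, showing how those checks are evaluated in plain shell and awk over such a report. It assumes the real report would be fetched with `aws iam generate-credential-report` and `aws iam get-credential-report`; here a constructed report with the same column layout is embedded so it runs offline, and the check IDs in the output follow the CIS AWS Foundations Benchmark 1.1 numbering.

```shell
#!/bin/sh
# Added example (not part of Zeus): evaluate CIS IAM checks 1.2, 1.3, 1.4, 1.12
# and 1.13 over an IAM credential report. In a real audit the CSV comes from:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
# The report below is constructed sample data in that same column layout.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2017-01-10T08:00:00+00:00,not_supported,2018-03-01T09:00:00+00:00,not_supported,not_supported,false,true,2017-01-10T08:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2017-06-01T10:00:00+00:00,true,2018-03-10T12:00:00+00:00,2018-02-20T12:00:00+00:00,2018-05-21T12:00:00+00:00,true,true,2018-01-15T12:00:00+00:00,2018-03-09T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2017-06-01T10:00:00+00:00,true,2017-11-01T12:00:00+00:00,2017-10-01T12:00:00+00:00,2018-01-01T12:00:00+00:00,false,true,2017-09-01T12:00:00+00:00,2018-03-01T12:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2017-08-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-08-01T10:00:00+00:00,2018-03-11T12:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Usage: cis_iam_checks YYYY-MM-DD < credential_report.csv
# Prints one "FAIL <check> <user>: <reason>" line per finding plus a summary.
# The evaluation date is passed in so results are reproducible; a live run
# would use "$(date -u +%Y-%m-%d)".
cis_iam_checks() {
  awk -F, -v today="$1" '
  function is_date(s) { return s ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/ }
  # Days since 1970-01-01 for a YYYY-MM-DD prefix (civil-to-days, integer only,
  # so it works in any POSIX awk without mktime).
  function days(s,   y, m, d, era, yoe, doy, doe) {
    y = substr(s, 1, 4) + 0; m = substr(s, 6, 2) + 0; d = substr(s, 9, 2) + 0
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
  }
  function age(s) { return days(today) - days(s) }
  function field(name) { return $(col[name]) }
  function fail(id, who, msg) { print "FAIL " id " " who ": " msg; failures++ }
  # Header row: map column names to positions so the checks read by name.
  NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
  {
    user = field("user")
    if (user == "<root_account>") {
      # 1.12 / 1.13: the root account must have no access keys and must use MFA.
      if (field("access_key_1_active") == "true" || field("access_key_2_active") == "true")
        fail("1.12", user, "root account has an active access key")
      if (field("mfa_active") != "true")
        fail("1.13", user, "MFA is not enabled on the root account")
    } else if (field("password_enabled") == "true") {
      # 1.2: every user with a console password needs MFA.
      if (field("mfa_active") != "true")
        fail("1.2", user, "console password without MFA")
      # 1.3: a console password not used for 90 days or more should be disabled.
      if (is_date(field("password_last_used")) && age(field("password_last_used")) >= 90)
        fail("1.3", user, "console password unused for " age(field("password_last_used")) " days")
    }
    # Both access-key slots, for every principal including root.
    for (k = 1; k <= 2; k++) {
      if (field("access_key_" k "_active") != "true") continue
      rotated = field("access_key_" k "_last_rotated")
      used = field("access_key_" k "_last_used_date")
      if (!is_date(used)) used = rotated   # never-used key: age it from creation/rotation
      if (age(used) >= 90)
        fail("1.3", user, "access key " k " unused for " age(used) " days")
      if (age(rotated) > 90)
        fail("1.4", user, "access key " k " last rotated " age(rotated) " days ago")
    }
  }
  END { print "Findings: " failures + 0 }'
}

# Stand-alone demo over the constructed report, evaluated as of 2018-03-12.
printf '%s\n' "$SAMPLE_REPORT" | cis_iam_checks 2018-03-12
```

On the sample data the root account is flagged four times (an active, never-used, never-rotated key plus missing MFA), bob three times (no MFA, 131 days since the console login, a 192-day-old key) and the svc-deploy key once for rotation; alice passes every check. Note that an access key that has never been used is aged from its rotation date, which is how a forgotten key created long ago still surfaces under the unused-credentials check.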
This open source script can be installed using the following command line:
git clone https://github.com/DenizParlak/Zeus.git && cd Zeus && chmod +x zeus.sh && ./zeus.sh
Prior to running, the tool checks whether the prerequisites are fulfilled and installs them if they are not. If you want more details about this tool, check out the Git repository for Zeus v1.0 here.