Announcing the AWS Foundational Security Best Practices for Snowflake

September 13, 2023

Ron Shemesh
Name
Ron Shemesh
Twitter
ronshemesh
Jason Kao
Name
Jason Kao
Twitter
kaojason

We are excited to announce the launch of CloudQuery’s newest security controls framework: The AWS Foundational Security Best Practices (FSBP) for Snowflake.

With this release, CloudQuery customers can now run the AWS Foundational Security Best Practices controls on their AWS configuration and infrastructure data stored in Snowflake. This release contains over 200 controls with coverage for more than 40 AWS services.

Background

The AWS Foundational Security Best Practices were first launched in 2020 (opens in a new tab) by AWS with an initial set of 31 automated security controls that align with AWS Security Best Practices. Now, there are more than 200 controls (opens in a new tab) with coverage for more than 40 AWS services.

By using CloudQuery, customers can sync infrastructure data from multiple sources to multiple destinations. CloudQuery enables customers to sync infrastructure data from AWS to Snowflake (opens in a new tab), a popular data destination.

AWS Service Coverage

The AWS Foundational Security Best Practices covers over 40 services, including the following AWS Services. For a full list of services and controls, check out AWS’s documentation (opens in a new tab) or our policies page (opens in a new tab).

Infrastructure and Management:

  • AWS Account
  • CloudFormation
  • EC2 Systems Manager

Security:

  • AWS KMS
  • Secrets Manager
  • Identity and Access Management (IAM)
  • AWS WAF
  • CloudFront
  • CloudTrail

Compute

  • AWS Lambda
  • AWS EC2 Controls
  • Amazon ECS and EKS controls
  • Auto Scaling
  • Elastic Load Balancing

Data and Storage:

  • AWS S3
  • Amazon RDS
  • SageMaker
  • Athena

Example Queries

[IAM.1] IAM policies should not allow full "*" administrative privileges

with bad_statements as (
SELECT
    p.id
FROM
    aws_iam_policies p
    , lateral flatten(input => p.POLICY_VERSION_LIST) as f
    , lateral flatten(input => parse_json(f.value:Document):Statement) as s
where f.value:IsDefaultVersion = 'true'
    and s.value:Effect = 'Allow'
            and (s.value:Action = '*' or s.value:Action = '*:*')
            and s.value:Resource = '*' 
)
select
    'IAM policies should not allow full * administrative privileges' as title,
    account_id,
    arn as resource_id,
    CASE
        WHEN b.id is not null THEN 'fail'
        ELSE 'pass'
    END as status
from
    aws_iam_policies as p
LEFT JOIN bad_statements as b
    ON p.id = b.id

[KMS.3] AWS KMS keys should not be deleted unintentionally

SELECT 
  'AWS KMS keys should not be deleted unintentionally' AS title,
    account_id,
    arn AS resource_id,
    CASE 
        WHEN key_state IN ('PendingDeletion', 'PendingReplicaDeletion') AND key_manager = 'CUSTOMER' THEN 'fail'
        ELSE 'pass'
    END AS status
FROM aws_kms_keys;

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

select
    'CloudTrail should have encryption at rest enabled' as title,
    account_id,
    arn as resource_id,
    case
        when kms_key_id is NULL then 'fail'
        else 'pass'
    end as status
FROM aws_cloudtrail_trails

[EC2.8] EC2 instances should use Instance Metadata Service Version 2

select
  'EC2 instances should use IMDSv2' as title,
  account_id,
  instance_id as resource_id,
  case when
    metadata_options:HttpTokens is distinct from 'required'
    then 'fail'
    else 'pass'
  end as status
from aws_ec2_instances

[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination

select
  'Classic Load Balancer listeners should be configured with HTTPS or TLS termination' as title,
  lb.account_id,
  lb.arn as resource_id,
  case when
    li.value:Listener:Protocol not in ('HTTPS', 'SSL')
    then 'fail'
    else 'pass'
  end as status
from aws_elbv1_load_balancers lb, lateral flatten(input => parse_json(lb.listener_descriptions)) as li

[RDS.2] RDS DB Instances should prohibit public access

select
    'RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration' as title,
    account_id,
    arn AS resource_id,
    case when publicly_accessible = TRUE then 'fail' else 'pass' end as status
from aws_rds_instances

[S3.1] S3 Block Public Access setting should be enabled

select
    'S3 Block Public Access setting should be enabled' as title,
    aws_iam_accounts.account_id,
    aws_iam_accounts.account_id AS resource_id,
    case when
        config_exists is distinct from TRUE
        or block_public_acls is distinct from TRUE
        or block_public_policy is distinct from TRUE
        or ignore_public_acls is distinct from TRUE
        or restrict_public_buckets is distinct from TRUE
    then 'fail' else 'pass' end as status
from
    aws_iam_accounts
left join
    aws_s3_accounts on
        aws_iam_accounts.account_id = aws_s3_accounts.account_id

[EC2.1] Amazon EBS snapshots should not be publicly restorable

WITH snapshot_access_groups AS (
    SELECT account_id,
           region,
           snapshot_id,
           create_volume_permissions.value:Group AS "group",
           create_volume_permissions.value:UserId AS user_id
    FROM aws_ec2_ebs_snapshot_attributes, lateral flatten(input => parse_json(aws_ec2_ebs_snapshot_attributes.create_volume_permissions)) as create_volume_permissions
)
SELECT DISTINCT
  'Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone' as title,
  account_id,
  snapshot_id as resource_id,
  case when
    "group" = 'all'
    -- this is under question because
    -- trusted accounts(user_id) do not violate this control
        OR user_id IS DISTINCT FROM ''
    then 'fail'
    else 'pass'
  end as status
FROM snapshot_access_groups

[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2

SELECT
  'Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2' AS "title",
  account_id,
  arn AS resource_id,
  case
  when METADATA_OPTIONS:HttpTokens = 'required' then 'pass'
    else 'fail'
  END
    AS status
FROM
  aws_autoscaling_launch_configurations;

[Lambda.1] Lambda function policies should prohibit public access

SELECT DISTINCT
    'Lambda function policies should prohibit public access' AS title,
    account_id,
    arn AS resource_id,
    'fail' AS status
FROM (
  SELECT
    account_id,
    arn
  FROM
  aws_lambda_functions,
  table(flatten(policy_document, 'Statement')) as statement
where
  statement.value:Effect = 'Allow'
  and
    statement.value:Principal = '*'
    or
    statement.value:Principal:AWS = '*'
  )

Get Started

To get started, check out our documentation (opens in a new tab) and the example queries above. We'd love to hear your feedback. We can be reached on GitHub (opens in a new tab) and Discord (opens in a new tab).

CloudQuery supports additional compliance frameworks and visualizations. For more information, see our policies (opens in a new tab) and dashboards (opens in a new tab) references.

References