Running AWS Foundational Security Best Practices with CloudQuery Policies

February 7, 2022

Mike Elsmore
Name
Mike Elsmore
Twitter
@ukmadlz
⚠️

HCL policies were deprecated - see up-to-date policy documentation here (opens in a new tab).

Back in mid-2020 AWS Security Hub released a new security standard called AWS Foundational Security Best Practices. This new standard sets security controls to detect when an AWS account or deployed resources don’t match up to the best practices set out by the AWS security experts. The complete standard can be found in the AWS Security Hub documentation (opens in a new tab).

As with any security guidelines, factors such as AWS environments, requirements, and capacity of your security team, will impact how you implement those guidelines.

The new AWS Foundational Security Best Practices CloudQuery policy gives you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL.

The CloudQuery AWS Foundational Security Policy covers 200+ checks - you can review them on GitHub (opens in a new tab) or review them in the GitHub (opens in a new tab).

Prerequisites

Please follow the quickstart guide to install CloudQuery, and fetch your AWS configuration into a PostgreSQL database.

Running

After fetching your AWS configuration into a PostgreSQL database, you can use SQL to check your cloud deployment for compliance!

For example, you can check for certificates that are going to expire soon and need to be renewed.

#https://github.com/cloudquery-policies/aws/blob/main/queries/acm/certificates_should_be_renewed.sql

SELECT arn

FROM aws_acm_certificates

WHERE not_after < NOW() AT TIME ZONE 'UTC' + INTERVAL '30' DAY;

You can also use the cloudquery command to run the entire AWS Foundational Security Best Practices policy pack. The policy is split into sections as sub-policies, so you can run either the entire policy, a sub-policy, or even one specific check.

# execute the AWS foundational-security-best-practices policy pack

cloudquery policy run aws//foundational_security

# execute the ACM section in AWS Foundational Security policy

cloudquery policy run aws//foundational_security/acm

# execute the S3 related section in AWS Foundational Security policy

cloudquery policy run aws//foundational_security/s3

# describe all available policies and sub-policies available for AWS on cloudquery

cloudquery policy describe aws

# execute the entire AWS policy pack, including other benchmarks.

cloudquery policy run aws

You can also output the results into a JSON and pass them to downstream processing for automated monitoring and alerting.

cloudquery policy run aws//foundational_security --output-dir=results

Build your own and share!

Do you have a policy that you want to codify, or that you’ve been running with python or bash scripts? You are welcome to try codifying it with CloudQuery Policies (See our github (opens in a new tab) and docs for how to develop one). Feel free to drop on discord (opens in a new tab) or GitHub (opens in a new tab) to get any help, and we will share your policy on CloudQuery Hub (opens in a new tab).