AWS Asset Security Handbook for Resmo Users

AWS adheres to a shared responsibility model, which means that you share the security responsibilities for your cloud with AWS. The key to securing your cloud environment in this model is understanding where the provider’s responsibility ends, and yours begins. AWS defines the customer end of responsibility as:

“Customer responsibility for “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities” (AWS)

That scope covers customer data, platforms, applications, identity and access management, client-side data encryption, server-side encryption, and other configuration. That’s why Resmo plays a critical role in ensuring asset visibility, monitoring, and security for your AWS cloud resources and resource configurations.

AWS cloud security and shared responsibility model

Let’s walk you through the Resmo AWS integration for less stressed engineers, secure resources, compliant cloud, and ultimately a protected environment.

How Does Resmo Integrate with AWS?

First things first, you need to create a customer-managed IAM policy and an IAM role to grant Resmo read-only access to your AWS resources. There are several ways to create the policy and role, so you can pick the option that best fits your needs:

  • CloudFormation
  • Manually using AWS CLI
  • Manually using AWS Console
  • Terraform (Coming Soon)

AWS Resmo integration page

Apart from the IAM Role, the integration requires your 12-digit AWS account ID and external ID. Once you have set up the integration correctly, you can start querying your AWS cloud assets right away. Learn how to integrate Resmo with AWS.
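A check for the role described above, as an added example (not Resmo's code and not from the original page): it audits a trust policy for the expected account principal and an sts:ExternalId condition, and a permissions policy for actions that are not read-only. The account ID, the external ID, and the Get/List/Describe heuristic are assumptions of this example.

```python
import re

# Verb prefixes treated as read-only here (an assumption of this example, not an AWS definition).
READ_ONLY_VERBS = ("Get", "List", "Describe")
PRINCIPAL_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.+)?$")


def as_list(value):
    """IAM policy fields hold either one item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_integration_role(trust, permissions, vendor_account_id):
    """Return findings for a cross-account role meant to grant read-only access."""
    findings = []
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            m = PRINCIPAL_RE.match(str(arn))
            if not m or m.group(1) != vendor_account_id:
                findings.append(f"trust: unexpected principal {arn}")
        # Without an sts:ExternalId condition the role is open to the confused-deputy problem.
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition")
    for stmt in as_list(permissions["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("permissions: NotAction allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"permissions: not read-only: {action}")
    return findings


# Constructed sample documents; the account ID and external ID are placeholders.
VENDOR = "111122223333"
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:GetBucketAcl", "iam:List*", "ec2:Describe*"]}]}
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "iam:CreateUser"]}]}
```

Actions that pass the verb check can still read data, so review which services the policy covers as well as which verbs.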

Benefits of Resmo for AWS Users

  • Collect all AWS resources in one place
  • Track resource changes across your AWS environment
  • Query your S3 buckets, KMS keys, IAM roles, Lambda functions, and loads of other resources
  • Use managed and custom rules to automate security and compliance audits.
  • Set up notification rules to get alerted when there’s a rule violation

You might also like to read Introduction to AWS Config: Simplified Cloud Auditing.

Uncover Your AWS Cloud Asset Inventory (100+ Resources)

Having an all-seeing perspective is essential in securing your cloud infrastructure. A modern organization’s AWS assets extend across an ever-growing attack surface that needs defending on all fronts. The first and best way to do that is to know your resources from every angle.

AWS cloud assets on Resmo

Resmo pulls resource updates in near real-time to accelerate security and compliance checks. There are over 1600 resources available on Resmo, ranging from AWS services like CloudTrail to Amazon S3 buckets and EC2 instances. Available resource types include:

Monitor Resources in Near Real-Time

IAM Managed Policy security detail page

Here’s how it works: Resmo uses the API to pull existing resources and updates at regular intervals to provide near real-time asset visibility. Monitoring of your cloud resources is streamlined and consolidated in a unified view to accelerate your security and compliance controls. Each resource has a detailed page where you can:

  • See a summary of each resource.
  • Track resource changes: All individual resource changes, such as the date created, modified, or deleted, will be listed on the Changes tab. It assists your remediation and incident investigation operations, making resource configuration restoration quicker.
  • View as JSON

Simplify Asset Visibility

Resmo dashboard for AWS resources

Understanding what resources you own, their configurations, and changes gives you an edge over potential threats. Therefore, we made sure that you can easily and rapidly visualize complex resource relationships in one place using dashboards. Dashboards on Resmo come in ready-to-use templates or in blank canvas form where you can build from scratch.

Common Use Cases & Related Queries

Siloed solutions often result in slower response times and less efficient security controls, as they require more effort and raise the risk of overlooking something. That’s what renders Resmo a go-to solution for asset visibility and governance. The real-time SQL query ability and resource aggregation empower our users to accelerate operations.

Let’s demonstrate things with actual use cases. Here are some AWS security best practices with Resmo:

1. Prevent public access to your private S3 buckets

Amazon made sure S3 buckets are private, so that only the root user of the AWS account and the IAM principal, if used, have read and write permissions. However, Amazon still acknowledges that users could misconfigure the bucket policy and unintentionally make it public. It is, in fact, one of the most common S3 bucket misconfigurations.

Example SQL query in Resmo

Public read access (buckets whose ACL grants the AllUsers group FULL_CONTROL or READ_ACP):

SELECT DISTINCT bucket.name, bucket.region, bucket.accountId
FROM aws_s3_bucket bucket, bucket.acl.grants as grants
WHERE grants.uri = 'http://acs.amazonaws.com/groups/global/AllUsers'
  AND (grants.permission = 'FULL_CONTROL' OR grants.permission = 'READ_ACP')

2. Enforce password policy for accounts

IAM users typically log in to the AWS Management Console with a username and password, with MFA recommended. The best practice for securing your cloud environment and accounts, however, is to require and adhere to a strong password policy. To that end, Resmo offers a set of managed queries for understanding password strength across AWS.

AWS query on Resmo

Related queries include the following and more:

  • Find accounts without an IAM password policy.
  • Discover accounts with a password policy that does not require a password length greater than or equal to 14.
  • List accounts with a password policy that does not require a lowercase character, uppercase character, number, and symbol.
  • See AWS IAM users with credentials not used for 45 days. 
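The checks in this list, sketched as an added example (not Resmo's managed queries and not from the original page): it evaluates the PasswordPolicy structure returned by IAM GetAccountPasswordPolicy and the rows of an IAM credential report. The sample report, policy, and reference date are constructed, and a credential that is active but has never been used is counted as stale, which is an assumption of this example.

```python
import csv
from datetime import datetime, timedelta, timezone

REQUIRED_FLAGS = ("RequireLowercaseCharacters", "RequireUppercaseCharacters",
                  "RequireNumbers", "RequireSymbols")
# (enabled column, last-used column) pairs in the IAM credential report
CREDENTIALS = (("password_enabled", "password_last_used"),
               ("access_key_1_active", "access_key_1_last_used_date"),
               ("access_key_2_active", "access_key_2_last_used_date"))


def password_policy_findings(policy, min_length=14):
    """policy: PasswordPolicy dict from GetAccountPasswordPolicy, or None if unset."""
    if policy is None:
        return ["no IAM password policy"]
    findings = [f"{flag} is off" for flag in REQUIRED_FLAGS if not policy.get(flag)]
    if policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"minimum length below {min_length}")
    return findings


def last_used(value):
    try:
        return datetime.fromisoformat(value)
    except ValueError:  # "N/A" or "no_information": never used
        return None


def stale_users(report_csv, now, max_idle_days=45):
    """Users with an enabled password or active key unused for max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(report_csv.splitlines()):
        for active_col, used_col in CREDENTIALS:
            used = last_used(row[used_col])
            if row[active_col] == "true" and (used is None or used < cutoff):
                stale.append((row["user"], used_col))
    return stale


# Constructed sample data: a subset of the credential report's columns.
REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2024-05-28T09:00:00+00:00,false,N/A,false,N/A
bob,true,2024-02-01T09:00:00+00:00,true,2024-05-30T12:00:00+00:00,false,N/A
ci-bot,false,N/A,true,N/A,false,N/A"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireLowercaseCharacters": True,
               "RequireUppercaseCharacters": True, "RequireNumbers": True,
               "RequireSymbols": False}
```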

3. Enable multi-factor authentication (MFA) 

As we stated in the previous best practice, MFA is a recommended action to take for stronger account protection. You can run an SQL query to detect if MFA is enabled or not and receive an instant answer on Resmo.

Related SQL Query in Resmo:

SELECT username, accountId FROM aws_iam_user WHERE SIZE(mfaDevices) = 0

4. Encrypt Amazon EBS Volumes

Another AWS security best practice is enforcing encryption for your Amazon Elastic Block Store (Amazon EBS) volumes. Enforcing it from the start spares you from rebuilding volumes at a later date to encrypt them, and gives you more granular control for compliance goals.

Related queries in Resmo:

  • EBS volumes without encryption per region
  • EBS volumes without encryption per account
  • EBS volumes in use and without encryption per region

5. Ensure encryption for RDS databases

Encrypting your RDS DB instances gives you an additional layer of data protection by preventing unauthorized access to your underlying storage. This way, you can enhance the data protection of your applications deployed in the cloud. Also, it provides another checkmark on your compliance requirements list, fulfilling data encryption at rest.

Related queries in Resmo:

  • Amazon RDS cluster snapshots with storage encryption disabled
  • Amazon RDS instance snapshots with encryption disabled

Dig Deeper 

Preserving security hygiene for assets in the cloud can be a lot to handle for security and engineering teams, especially with multi-cloud usage. While Amazon offers many security solutions for organizations, there is an evident lack of a more comprehensive one that covers different cloud services and SaaS in one place. That’s where Resmo steps in.

You can secure your resources on AWS cloud and other services while boosting team productivity and accelerating vulnerability management at the same time. We tried to give you a glimpse of what you can achieve with our AWS integration, but it’s always better to test it out and see it in action.