jaetech.org

A blog about doing things with computers

AWS Big Brother - What's it for?

12 Mar 2017 | aws, accounts, environments, python, security, IAM

This post details a command line tool I’ve written called awsbigbrother. It can be used to audit AWS accounts and check that you are not exposed in certain areas. The mentality behind it is continuous checking and monitoring for security issues.

What is it then?

Using AWS introduces a number of new security challenges. For a start, logging in to manage your infrastructure is now something that can be done from anywhere on the public internet. Therefore, without proper management you could become a target for someone looking to break into your account to dump your databases, deface your website or simply mine bitcoins at your expense. Most people with operations experience will already have some ideas for mitigation. One essential thing for me is multi-factor auth, which can be configured with a Force MFA policy. However, sometimes people with too much power can take themselves out of the Force MFA group. Then of course there’s the question: who watches the watcher? A lot of these kinds of questions led to AWS Big Brother:

The basic idea is that you have a simple awsbb cli that performs the checks - for example:

Show me all users who do not have MFA set:

awsbb --mfa

Show me all users who don’t have MFA set and also show me users who have not changed their password in 30 days:

awsbb --mfa --password_max_age 30

etc..

AWS Big Brother is:

AWS Big Brother is not:

Here are some examples of where I see awsbb helping:

User A, who has accidentally been given too much privilege, removes MFA on their account and removes themselves from the Force MFA group. A monitoring tool runs, spits out some errors, and user A is asked to re-enable MFA.
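As an added example (not the awsbigbrother code itself), here is the logic behind the --mfa and --password_max_age checks written against the IAM credential report, the CSV that lists every user's password age and MFA status in one call. The report text is constructed, and fetch_report is an assumed boto3 helper for pulling the real one. Because it reads MFA state per user rather than group membership, user A from the scenario above still shows up after leaving the Force MFA group.

```python
import csv, io, time
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an IAM credential report (the CSV that
# iam.get_credential_report()["Content"] returns). Only the columns the two
# checks read are included; the real report has more, and rows are read by name.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,2017-03-01T09:15:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,true,2017-01-10T18:40:00+00:00,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false
"""

def can_log_in(row):
    # Root always has a console password; for IAM users the report says so explicitly.
    return row["user"] == "<root_account>" or row["password_enabled"] == "true"

def users_without_mfa(rows):
    # The "--mfa" check: anyone who can use the console but has no active MFA device.
    return sorted(r["user"] for r in rows if can_log_in(r) and r["mfa_active"] != "true")

def users_with_stale_password(rows, max_age_days, now):
    # The "--password_max_age N" check. Root reports "not_supported" and API-only
    # users "N/A" for this column, so only rows carrying a real timestamp are compared.
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for r in rows:
        if can_log_in(r) and r["password_last_changed"][:1].isdigit():
            if datetime.fromisoformat(r["password_last_changed"]) < cutoff:
                stale.append(r["user"])
    return sorted(stale)

def audit(report_text, max_age_days=None, now=None):
    now = now or datetime.now(timezone.utc)
    rows = list(csv.DictReader(io.StringIO(report_text)))
    findings = {"no_mfa": users_without_mfa(rows)}
    if max_age_days is not None:
        findings["stale_password"] = users_with_stale_password(rows, max_age_days, now)
    return findings

def demo():
    # Equivalent of "awsbb --mfa --password_max_age 30" run on the post's date.
    return audit(SAMPLE_REPORT, max_age_days=30, now=datetime(2017, 3, 12, tzinfo=timezone.utc))

def fetch_report():
    # Live replacement for SAMPLE_REPORT (assumed helper); needs boto3 and IAM read access.
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    return iam.get_credential_report()["Content"].decode()
```

Run demo() to see the two lists of users; swap SAMPLE_REPORT for fetch_report() to audit a real account.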

So please get involved, contributors are always welcome :)
