AWS security audits with Scout2
Inspired by a link in the always excellent Last Week in AWS I decided to investigate Scout2, a “Security auditing tool for AWS environments”. Scout2 is a command line program, written in Python, that runs against your AWS account, queries your configuration data and presents common issues and misconfigurations via a set of local HTML files.
The dashboard itself is simple, but effective, and displays a nice overview of all the checks Scout2 ran.
Installing the program and generating a report against your own infrastructure is remarkably easy and has no external requirements. In my experiments I decided to run it locally under a virtualenv against AWS using an existing profile.
cd /tmp
virtualenv scout
cd scout/
source bin/activate
pip install awsscout2
# set up your access here
Scout2 --profile <your profile name> --regions eu-west-1
In the above example I use a named profile from ~/.aws/credentials rather than specifying the values in environment variables. As an aside: I have two profiles defined for each of my AWS accounts, one with permissions to use all the list, read and describe functions but nothing that allows changes (which I used for this experiment), and another with more admin powers. If you’re running Scout2 in AWS you can use an IAM profile with the default Scout2 IAM policy.
Once you’ve run the tool there’s a pleasant little trick where the report is opened in your local web browser, unless you’re running under something like Jenkins, in which case you should specify --no-browser. Behind the dashboard there are per-service pages with the configs that require attention; here’s a peek at the IAM services in my experimentation VPC.
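As an added example (my own wrapper, not part of Scout2 or the original post), the steps above can be collected into a small POSIX shell script that checks the named read-only profile actually exists in ~/.aws/credentials before spending time on the run, sets up the virtualenv, and adds --no-browser automatically when not attached to a terminal or when a CI variable is set. The Scout2 command name and flags are the ones used in the post; the CI detection (the CI environment variable, or stdout not being a TTY) and the /tmp/scout virtualenv path are my assumptions.

```shell
#!/usr/bin/env sh
# Added wrapper around the Scout2 run described in the post; not Scout2's own code.
# Assumptions: the CLI is installed as "Scout2" with --profile/--regions/--no-browser,
# the profile lives in ~/.aws/credentials, and "non-interactive" means $CI is set
# or stdout is not a terminal.

# Return 0 if the named profile has a [section] header in the credentials file.
# The second argument overrides the file path (used for testing with a sample file).
profile_in_credentials() {
    profile="$1"
    creds="${2:-$HOME/.aws/credentials}"
    if [ -r "$creds" ] && grep -q "^\[$profile\]" "$creds"; then
        return 0
    fi
    return 1
}

# Print the argument list for Scout2 given a profile, a region list and
# whether the session is interactive ("yes"/"no"); append --no-browser when it is not.
scout2_args() {
    profile="$1"
    regions="$2"
    interactive="$3"
    args="--profile $profile --regions $regions"
    if [ "$interactive" != "yes" ]; then
        args="$args --no-browser"
    fi
    printf '%s' "$args"
}

# Print "no" when running under CI or without a terminal on stdout, else "yes".
is_interactive() {
    if [ -n "${CI:-}" ] || ! [ -t 1 ]; then
        printf 'no'
    else
        printf 'yes'
    fi
}

# Create (or reuse) the virtualenv, install Scout2 and run the audit with the
# read-only profile. Usage: run_scout2_audit <profile> [regions] [venv dir]
run_scout2_audit() {
    profile="$1"
    regions="${2:-eu-west-1}"
    venv="${3:-/tmp/scout}"
    if ! profile_in_credentials "$profile"; then
        echo "profile '$profile' not found in ~/.aws/credentials" >&2
        return 1
    fi
    [ -d "$venv" ] || virtualenv "$venv"
    . "$venv/bin/activate"
    pip install -q awsscout2
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    Scout2 $(scout2_args "$profile" "$regions" "$(is_interactive)")
}

# Run only when a profile name is passed on the command line, e.g.
#   sh scout2-audit.sh audit-readonly eu-west-1
if [ $# -gt 0 ]; then
    run_scout2_audit "$@"
fi
```

Checking the profile up front matters because a missing profile otherwise surfaces only as a credentials error deep into the run, and keeping the argument builder separate makes the --no-browser decision easy to verify without talking to AWS.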
Although I’ve not tried to extend Scout2 yet the default reports highlighted a couple of configuration details that I’ll have to think about, which shows that it provides some immediate value. It’s been quite an easy tool to set up and run and I highly recommend taking it for a spin.