Bot of the Week: SECURITY RULE AUDIT BOT
What it Does: Identify and Close Ports Open to Unauthorized Networks
This bot inspects all configured resource access lists, such as AWS Security Groups, Azure Network Security Groups and Google Compute Engine Firewalls, for ports and protocols that are open to the world. Examples of services that are inspected are SSH (TCP 22), Redis (TCP 6379), MySQL (3306) and Microsoft RDP (3339). The configuration of this bot can be fully customized.
Why do I Care?
Launching cloud-based services means you have to open access to your infrastructure to allow people and programs to communicate with your cloud resources. Think of your cloud infrastructure as your office building. Some people have keycards that allow them access to the building. If you don’t lock the doors, anyone can walk in, with or without the key. The cloud is the same way.
Ports can be opened for a number of reasons. A classic case is a developer trying to get some work done over Starbucks’s public internet access. Another is a rogue cloud account being thrown up by another department in your organization. Sometimes the accidental or careless actions of internal users cause the greatest risks.
Trolling for Open Ports
Leaving an unwanted port open to the world, such as SSH, leaves the system susceptible to attack. Attackers can break into your system, log in and do anything they want, from hosting malicious code, to adding your servers to a botnet for DDoS attacks, to simply accessing your sensitive data. At DivvyCloud, we’ve found it takes less than 5 minutes for trolls and bad actors to find an open port and start to compromise cloud systems.
Customize Your Bot’s Response to Open Ports
With BotFactory automation and security rules you can define who can come in and out and from where, and which ports should be closed or open to specific networks, using black/white lists. The Security Rules Audit Bot inspects your cloud infrastructure and continuously monitors it, giving you near-real-time detection of non-compliant resources straight out of the box. The bot then provides you with a report card of your cloud infrastructure, listing all non-compliant resources and open ports.
Take Automated Action to Fix the Problem
This bot is also fully customizable and can be configured to take automated action to remediate problems. Actions can be managed across various environments, allowing for environment-specific responses. Bots can send an alert to IT or delete the offending security rule in real time. For example, an unauthorized open port into your production environment can expose customer data and revenue-generating workloads, so immediate deletion of the non-compliant rule is warranted. A developer, on the other hand, might open a port into a development environment to test their code, so an email notification and a scheduled action to remove the rule in 24 hours might be most appropriate. The bot can also be configured to log security actions to other enterprise tracking and monitoring tools such as Splunk.
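The world-exposure check and environment-specific response described above, as an added Python example that is not DivvyCloud's or BotFactory's code: it walks AWS-style security group ingress rules for the watched ports named in the post and picks the production versus development action the post describes. The rule dictionary format, the group names and the ACTIONS mapping are assumptions made for the example.

```python
from dataclasses import dataclass

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" sources, IPv4 and IPv6
WATCHED = {22: "SSH", 6379: "Redis", 3306: "MySQL", 3389: "RDP"}  # 3389 = standard RDP port
# Environment-specific responses, mirroring the policy described in the post.
ACTIONS = {"production": "delete_rule",
           "development": "notify_and_schedule_delete_24h"}

@dataclass(frozen=True)
class Finding:
    group: str
    environment: str
    port: int
    service: str
    source: str
    action: str

def audit(groups, watched=WATCHED, actions=ACTIONS):
    """One Finding per watched TCP port a group exposes to the world.
    group: {"name", "environment", "ingress": [rule]}; rule: {"protocol": "tcp"|"udp"|"-1",
    "from": int, "to": int, "sources": [cidr]}.  "-1" is AWS's all-traffic, i.e. every port."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            world_sources = [s for s in rule["sources"] if s in WORLD]
            if not world_sources or rule["protocol"] not in ("tcp", "-1"):
                continue
            lo, hi = (0, 65535) if rule["protocol"] == "-1" else (rule["from"], rule["to"])
            for port, service in watched.items():
                if lo <= port <= hi:
                    findings.append(Finding(g["name"], g["environment"], port, service,
                                            world_sources[0], actions.get(g["environment"], "alert")))
    return findings

# Constructed sample security groups (not real infrastructure).
SAMPLE_GROUPS = [
    {"name": "prod-web", "environment": "production", "ingress": [
        {"protocol": "tcp", "from": 443, "to": 443, "sources": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from": 22, "to": 22, "sources": ["0.0.0.0/0"]}]},
    {"name": "dev-cache", "environment": "development", "ingress": [
        {"protocol": "tcp", "from": 3306, "to": 3306, "sources": ["10.0.0.0/8"]},
        {"protocol": "tcp", "from": 6379, "to": 6379, "sources": ["::/0"]}]},
    {"name": "prod-legacy", "environment": "production", "ingress": [
        {"protocol": "-1", "from": 0, "to": 65535, "sources": ["0.0.0.0/0"]}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f.group:12} {f.service:6} {f.port:5} from {f.source:10} -> {f.action}")
```

The HTTPS rule on prod-web and the MySQL rule restricted to 10.0.0.0/8 produce no findings; the all-traffic rule on prod-legacy is flagged once per watched port.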