Monitor AWS & GCP Configurations: Security Monkey

2017-04-27T20:56:06
ID N0WHERE:171572
Type n0where
Reporter N0where
Modified 2017-04-27T20:56:06

Description

Monitor AWS & GCP Configurations


Security Monkey is an OpenSource application from Netflix ( NetflixOSS) which monitors/alerts/reports one or multiple AWS/GCP accounts for anomalies. Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.

Security Monkey can be extended with custom account types , custom watchers , custom auditors , and custom alerters .

It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.

Architecture

At a high-level, Security Monkey consists of the following components:

  • Watcher – The component that monitors a given AWS account and technology (e.g. S3, IAM, EC2). The Watcher detects and records changes to configurations. So, if a new IAM user is created or if an S3 bucket policy changes, the Watcher will detect this and store the change in Security Monkey’s database.
  • Notifier – The component that lets a user or group of users know when a particular item has changed. This component also provides notification based on the triggering of audit rules.
  • Auditor – Component that executes a set of business rules against an AWS configuration to determine the level of risk associated with the configuration. For example, a rule may look for a security group with a rule allowing ingress from 0.0.0.0/0 (meaning the security group is open to the Internet). Or, a rule may look for an S3 policy that allows access from an unknown AWS account (meaning you may be unintentionally sharing the data stored in your S3 bucket). Security Monkey has a number of built-in rules included, and users are free to add their own rules.

General Features and Operations

Security Monkey is relatively straightforward from an operational perspective. Installation and AWS account setup is covered in the installation document, and Security Monkey does not rely on other Netflix OSS components to operate. Generally, operational use includes:

  • Initial Configuration
    • Setting up one or more Security Monkey users to use/administer the application itself.
    • Setting up one or more AWS accounts for Security Monkey to monitor.
    • Configuring user-specific notification preferences (to determine whether or not a given user should be notified for configuration changes and audit reports).
  • Typical Use Cases
    • Checking historical details for a given configuration item (e.g. the different states a security group has had over time).
    • Viewing reports to check what audit issues exist (e.g. all S3 policies that reference unknown accounts or all IAM users that have active access keys).
    • Justifying audit issues (providing background or context on why a particular issues exists and is acceptable though it may violate an audit rule).

Plugins

Security Monkey can be extended by writing own Account Managers, Watchers and Auditors. To do this you need to create a subclass of either security_monkey.account_manager.AccountManager , security_monkey.watcher.Watcher or security_monkey.auditor.Auditor .

To make extension available to Security Monkey it should have entry point under group security_monkey.plugins .

Monitor AWS & GCP Configurations: Security Monkey Documentation

Monitor AWS & GCP Configurations: Security Monkey Download