Centralised security information for AWS accounts.
This webapp presents the primary interface for Security HQ.
The watched-account CloudFormation template will create ConfigRules that monitor the status of other AWS accounts. This application presents the data collected by those processes.
It also provides an interface on some markers of a watched AWS account's health from a security point of view.
Security HQ uses information from AWS Trusted Advisor. That data may lag behind the actual state of the account, which is particularly noticeable for S3 buckets.
- Java 11. See .tool-versions for the exact version. asdf is the recommended Java version manager.
- Docker.
- dev-nginx.
- AWS credentials for the `security` profile.
Note: Guardian engineers can use credentials from Janus. External engineers can use the CloudFormation template to provision an IAM user and create an access key separately.
- Ensure requirements are met (see above).
- Run the setup script: `./script/setup`
- Ensure the project has been set up as described in the previous section.
- Run the start script: `./script/start`
If you want to debug, you can run `./script/start --debug`
You will need to attach your debugger (Remote JVM Debug) to the right port (possibly 1058).
When running Security HQ locally, you can modify the list of AWS accounts to include additional accounts. For example, you may want to add a specific account for debugging purposes. You will need valid AWS credentials for any accounts you wish to include.
To add a new AWS account, open `~/.gu/security-hq.local.conf` and add a new object to the `AWS_ACCOUNTS` list, like this Deploy Tools account example:

```
AWS_ACCOUNTS = [
  {
    name = "Deploy Tools"
    id = "deployTools"
    roleArn = ""
  }
]
```

The value of `id` should be the same as the AWS profile name, which you can see when you copy your credentials from Janus.
You can add a `roleArn` if you want to generate an IAM report; otherwise you don't need it.
See the watched-account template under the `cloudformation` folder for the security policies needed to run security-hq.
The AWS CLI can perform some basic template validation.
It requires AWS credentials to run, and can validate a single file like so:

```
aws cloudformation validate-template --template-body file:///${PWD}/cloudformation/security-test-user.yaml --profile <AWS_PROFILE>
```

cfn_nag is a linting tool for CloudFormation templates that can help catch security issues.
If you have it installed, you can run:

```
cfn_nag_scan --input-path cloudformation/*
```
The Credentials Reaper is a feature in Security HQ which automatically disables permanent IAM users whose access keys haven't been rotated within 90 days (users with a password, i.e. human users) or 365 days (users without a password, i.e. machine users). It also disables permanent users who have left the Guardian.
The reaper sends email notifications to the AWS account the user is in before disabling a user. The emails are sent via Anghammarad and use its AWS-account-to-email-address mappings.
You can also find the DynamoDB table in the Security AWS account.
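The rotation rule described above (90 days for users with a password, 365 days for users without), as an added example that is not Security HQ's own code: it evaluates constructed IAM user records against a fixed clock and returns the users the reaper would act on. The record shapes, the sample key ids and the choice to ignore already-inactive keys are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Thresholds from the README: 90 days for human users (have a console
# password), 365 days for machine users (no password).
HUMAN_MAX_KEY_AGE = timedelta(days=90)
MACHINE_MAX_KEY_AGE = timedelta(days=365)

@dataclass
class AccessKey:
    key_id: str
    created: datetime  # creation time of the current key, i.e. its last rotation
    active: bool

@dataclass
class IamUser:
    name: str
    has_password: bool  # console login profile present => human user
    keys: List[AccessKey]

def max_key_age(user: IamUser) -> timedelta:
    """Rotation deadline that applies to this user."""
    return HUMAN_MAX_KEY_AGE if user.has_password else MACHINE_MAX_KEY_AGE

def stale_keys(user: IamUser, now: datetime) -> List[AccessKey]:
    """Active keys older than the user's rotation deadline.
    Assumption: keys that are already inactive are skipped."""
    limit = max_key_age(user)
    return [k for k in user.keys if k.active and now - k.created > limit]

def users_to_disable(users: List[IamUser], now: datetime) -> List[str]:
    """Names of users the reaper would disable, in input order."""
    return [u.name for u in users if stale_keys(u, now)]

# Constructed sample data, evaluated against a fixed clock for reproducibility.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def _key(key_id: str, age_days: int, active: bool = True) -> AccessKey:
    return AccessKey(key_id, NOW - timedelta(days=age_days), active)

SAMPLE_USERS = [
    IamUser("alice", True, [_key("AKIASAMPLE0001", 100)]),         # human, 100d > 90d
    IamUser("bob", True, [_key("AKIASAMPLE0002", 30)]),            # human, within 90d
    IamUser("ci-deploy", False, [_key("AKIASAMPLE0003", 200)]),    # machine, within 365d
    IamUser("old-bot", False, [_key("AKIASAMPLE0004", 400)]),      # machine, 400d > 365d
    IamUser("carol", True, [_key("AKIASAMPLE0005", 200, False)]),  # stale but inactive
]

if __name__ == "__main__":
    for name in users_to_disable(SAMPLE_USERS, NOW):
        print(f"would disable {name}")  # prints alice and old-bot
```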
Security HQ holds a Lambda which checks for security groups that are open to the world, except ELB groups. This data is used for https://security-hq.gutools.co.uk/security-groups.
It is deployed as a stack set and is defined in `cloudformation/watched-account.template.yaml`.
- Update the version in `build.sbt`.
- Build the lambda by running `./script/package-lambda`.
- Upload it to S3 (ask DevX where the bucket is located).
- Deploy the stack set manually (ask DevX if you are unsure of how to do this), making sure to update the version parameter.
NOTE: The version is important, because the CloudFormation `version` parameter is used to locate the correct S3 file. The lambda code will not change unless a new version is deployed, even if the infrastructure changes.