Alibaba Cloud
AWS
Google Cloud
Microsoft AzureOverview
Policy Statement
This policy is to present system-level security principles to be considered in the design, development, and operation of an information system, especially in the cloud-first era. This should constantly be in the company's mindset and especially in the management board to ensure maximum security is achieved in business operations, product development, and customer care.
Most of your organization's Security Architecture and Design model is derived from the OWASP-maintained Software Assurance Maturity Model (SAMM).
Scope
People, processes, technology, and devices.
Objectives
- Security should be a topic at all forums, e.g. engineering weekly calls and throughout the organization;
- Ensure systems and business resilience with best practices for all business, operational, and technical departments;
- Cloud-first, cloud-native, and data-centric culture;
- Automate security, compliance, development, deployment, and monitoring using repeatable scripts and tools;
- Enforce and raise awareness for the "Never trust, always verify" principle.
Procedures
Procedures and mapped controls
Secure Development Environment
Maintaining a secure development environment is essential for the development of a secure architecture that provides good functionality for the organization whilst minimizing risk.
It consists of a few major components which are subdivided as per their functional scope:
- Business of security - the way information security is practiced in your organization;
- The Cloud;
- DevXOps - DevOps, DevSecOps, DevCloudOps - technical operations;
- Developers - developers and development process (SDLC);
- Technology.
Secure Production Environment
-
Production Systems are created after the CISO has approved a request, which is then forward to the DevOps and Security Teams
-
If the system will be used to store Protected data, the requester must ensure the volume containing this sensitive data is encrypted
-
The requester and Security Team will ensure that the system hardening has been performed as detailed in the System Hardening Procedure
-
Production environments are activated only after a final inspection and validation that all required procedures were respected
Secure Cloud Architecture
your organization operates a Cloud-first model, which puts cloud-native, containers, and cloud functions at the base of the software products it develops and commercializes.
A detailed implementation diagram with virtual network components and the software used to glue everything together is maintained in the company's Wiki pages. Autoscaling is enabled across multiple data centers in multiple regions around the world for resilience. The network topology segments network traffic into the following zones:
- Inspection Zone to ensure all inbound and outbound network traffic is monitored (think WAF);
- Private Web Tier for all web servers and content;
- Private Application Tier to segregate Web and Application tiers;
- Private data zone for transactions, processing, and asset inventory or other persistent data;
- Monitoring zone to store all logs and analysis.
Mapped controls
Ensure management ports are restricted from the internet
Ensure a log metric filter and alarm exist for security group changes
Ensure the default security group of every VPC restricts all traffic
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Compute instances do not have public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Principles of Engineering Secure Systems
These principles would be used from the onset of a program (at the beginning of, or during the initiation phase) and then employed throughout the system's life-cycle. These principles are also helpful in affirming and confirming the security posture of already deployed information systems.
There are several security principles grouped into the following categories:
- Security Foundation
- Risk-Based
- Ease of Use
- Increase Resilience
- Reduce Vulnerabilities
- Design with Network in Mind
Mapped controls
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure management ports are restricted from the internet
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure the default network does not exist in a project
Ensure legacy networks do not exist for a project
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure DNSSEC is enabled for Cloud DNS
Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Server Hardening
Linux
Security configuration is maintained as code and applied automatically. Hardening consists of:
- Disk encryption;
- Installing and configuring pre-approved NTP server;
- Up-to-date with security patches;
- Stopping and disabling any unnecessary services;
- Expiration of SSH connections after 5 minutes of session inactivity;
- Installing and configuring endpoint protection;
- Configuring monitoring and audit logging as described in the System Audits, Monitoring and Assessments Policy.
Windows
Security configuration is maintained in Group Policy and can also be applied automatically. Hardening consists of:
- Register on your organization Active Directory and apply AD Group Policy configuration;
- Disk encryption;
- Installing and configuring pre-approved NTP server;
- Up-to-date with security patches;
- Stopping and disabling any unnecessary services;
- Expiration of remote connections after 5 minutes of session inactivity;
- Configuring monitoring and audit logging as described in the System Audits, Monitoring and Assessments Policy.
Mapped controls
Ensure no "root" user account access key exists
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure IAM instance roles are used for AWS resource access from instances
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure instances are not configured to use the default service account
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Query logic
These are the stored checks tied to this policy.
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}The default network does not exist in a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{name:"default"}){...AssetFragment}Legacy networks do not exist for a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{IPv4Range_NOT:"" gatewayIPv4_NOT:""}){...AssetFragment}VPC Flow logs is enabled for every subnet in a VPC Network
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}Network policy is enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{networkPolicyEnabled:false}){...AssetFragment}DNSSEC is enabled for Cloud DNS
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{dnsSecConfigState_NOT:"on"}){...AssetFragment}RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"zoneSigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}There are only GCP-managed service account keys for each service account
Connectors
Covered asset types
Expected check: eq []
{iamServiceAccounts(where:{hasIAMServiceAccountKeys_SOME:{keyType: "USER_MANAGED"}}){...AssetFragment}}Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}
