Configuration audit is one of the most important activities for providing service security assurance. In essence, configuration audit is about checking, and obtaining evidence, that the cloud environment has been configured according to organization policies and any other applicable compliance standards.
Configurations in a typical cloud IaaS deployment are multi-dimensional. Organizations typically use several different clouds, such as AWS and Azure, and each of these clouds offers a myriad of services. Some of the applicable configuration layers are –
- IaaS account configurations – e.g. users, groups and their access rights
- IaaS service configurations – e.g. S3 bucket permissions or firewall (security group) rules
- Operating system – e.g. user disk quotas on a Windows server, or filesystem mount options on a Linux host
- Software configurations – e.g. VPN software configuration
Under the public cloud shared responsibility model, the provider secures the underlying infrastructure, but the customer is responsible for every configuration at the layers above it: the accounts and identities, the services they enable, and the operating systems and software they run.
Configuration Benchmark –
Audit and compliance regimes such as PCI DSS and HIPAA impose configuration requirements, and these regimes determine which benchmarks apply. Over the years, the Center for Internet Security (CIS) has published the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components, and it has since published the CIS Amazon Web Services Foundations Benchmark, consensus-based best-practice guidance for securing AWS IaaS accounts.
Configuration Audit Best Practices –
From a security audit perspective, configuration audits should be run regularly, against either a best-practices baseline such as the CIS benchmarks or a compliance standard such as PCI DSS. Ideally an automated tool such as CloudOptics is deployed to run the compliance checks on a schedule and report problems. Each identified problem can then either be auto-remediated or routed to the operations team for manual intervention; auto-remediation is appropriate only where the fix is unambiguous and safe to apply without review, such as revoking a firewall rule that is open to the whole internet.
For production environments, configuration checks should run at least once a day; for DevOps environments, where the infrastructure changes several times a day, the checks should run several times a day so that the audit keeps up with those changes.
Continuous compliance should be the organization's real target.
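As an added example (not code from this page, from CloudOptics or from CIS), here is a small Python audit loop of the kind described above: it runs a set of checks over a snapshot of the account, splits the findings into an auto-remediation queue and a manual queue for the operations team, applies the safe fixes, and re-audits to confirm the environment has converged. The three checks are modelled on controls of the kind found in the CIS Amazon Web Services Foundations Benchmark (MFA for console users, no SSH/RDP open to the internet, no public S3 ACLs). The snapshot layout, the control labels and the in-memory remediation are assumptions made for this example; a real tool would collect the snapshot from the cloud API and apply the fixes through it.

```python
"""Configuration audit of a constructed, offline snapshot of an AWS-style account.

The three checks are modelled on controls of the kind found in the CIS Amazon
Web Services Foundations Benchmark (MFA for console users, no SSH/RDP open to
the internet, no public S3 ACLs).  The snapshot layout, the control labels and
the in-memory remediation are assumptions made for this example; a real tool
would collect the snapshot from the cloud API and apply fixes through it.
"""
import copy
from dataclasses import dataclass

ADMIN_PORTS = (22, 3389)
OPEN_CIDRS = ("0.0.0.0/0", "::/0")
PUBLIC_GRANTEES = ("AllUsers", "AuthenticatedUsers")

# Constructed sample snapshot: one user, one security group and one bucket
# are deliberately non-compliant.
SNAPSHOT = {
    "iam_users": [
        {"name": "alice", "console_password": True, "mfa_enabled": True},
        {"name": "bob", "console_password": True, "mfa_enabled": False},
        {"name": "ci-robot", "console_password": False, "mfa_enabled": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                          {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "10.0.0.0/8"}]},
    ],
    "s3_buckets": [
        {"name": "audit-logs", "acl_grants": ["OWNER"]},
        {"name": "public-assets", "acl_grants": ["OWNER", "AllUsers"]},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str            # label of the benchmark control that failed
    resource: str           # offending user, security group or bucket
    detail: str
    auto_remediable: bool   # True if the fixer may act without a human


def check_iam_mfa(snapshot):
    """Console users must have MFA. Enrolling a device needs the human, so report only."""
    return [Finding("iam-console-mfa", u["name"], "console password without MFA", False)
            for u in snapshot["iam_users"]
            if u["console_password"] and not u["mfa_enabled"]]


def check_open_admin_ports(snapshot):
    """No security group may allow SSH/RDP ingress from the whole internet."""
    return [Finding("sg-no-open-admin", sg["id"],
                    f"port {r['port']} open to {r['cidr']}", True)
            for sg in snapshot["security_groups"]
            for r in sg["ingress"]
            if r["port"] in ADMIN_PORTS and r["cidr"] in OPEN_CIDRS]


def check_public_buckets(snapshot):
    """No bucket ACL may grant access to everyone or to any authenticated AWS user."""
    return [Finding("s3-no-public-acl", b["name"], f"ACL grants {b['acl_grants']}", True)
            for b in snapshot["s3_buckets"]
            if any(g in PUBLIC_GRANTEES for g in b["acl_grants"])]


CHECKS = (check_iam_mfa, check_open_admin_ports, check_public_buckets)


def audit(snapshot):
    """Run every check and return the combined list of findings."""
    return [f for check in CHECKS for f in check(snapshot)]


def triage(findings):
    """Split findings into the auto-remediation queue and the manual ops queue."""
    auto = [f for f in findings if f.auto_remediable]
    manual = [f for f in findings if not f.auto_remediable]
    return auto, manual


def remediate(snapshot, findings):
    """Return a copy of the snapshot with every auto-remediable finding fixed.

    Only the narrow, unambiguous fixes are automated: drop the world-open
    admin rule, strip the public ACL grant. Everything else stays for a human.
    """
    fixed = copy.deepcopy(snapshot)
    for f in findings:
        if f.control == "sg-no-open-admin":
            for sg in fixed["security_groups"]:
                if sg["id"] == f.resource:
                    sg["ingress"] = [r for r in sg["ingress"]
                                     if not (r["port"] in ADMIN_PORTS and r["cidr"] in OPEN_CIDRS)]
        elif f.control == "s3-no-public-acl":
            for b in fixed["s3_buckets"]:
                if b["name"] == f.resource:
                    b["acl_grants"] = [g for g in b["acl_grants"] if g not in PUBLIC_GRANTEES]
    return fixed


if __name__ == "__main__":
    auto, manual = triage(audit(SNAPSHOT))
    for f in auto:
        print(f"AUTO   {f.control:18} {f.resource:15} {f.detail}")
    for f in manual:
        print(f"MANUAL {f.control:18} {f.resource:15} {f.detail}")
    # Re-audit after remediation: only the manual item should remain.
    print("remaining:", [f.resource for f in audit(remediate(SNAPSHOT, auto))])
```

Two design points carry over to a real deployment: the remediation step only removes the specific offending rule or grant, so the bastion's internal SSH rule survives the fix; and the MFA finding is deliberately not auto-remediable, because it needs the user to enrol a device, so it lands in the operations queue instead. Running `audit` again after `remediate` is the continuous-compliance loop in miniature: the scheduler simply repeats it at the cadence the environment's rate of change demands.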