Enable security and automated continuous compliance using CloudGuard from AWS Marketplace
AWS Control Tower enables you to create new AWS accounts in your AWS Organization with AWS-recommended best practices and guardrails in place. Our customers and partners often ask for ways to automate the execution of customizations specific to their organization when a new AWS account is created. This is especially true for customers who operate in regulated environments such as financial services and healthcare. Commonly, customers want to enable services such as VPC Flow Logs and AWS Security Hub. They also want to integrate with partner products to offer additional visibility, auditability, and traceability of actions and resources as part of building a cloud security operating model. By automatically enabling these services in all newly created AWS accounts, you gain a consistent view of your security posture. This can help identify and remediate resources that are non-compliant with industry standards, such as Center for Internet Security (CIS) Foundations and the Health Insurance Portability and Accountability Act (HIPAA).
Earlier, we shared a blog post introducing a number of software vendors who have worked with AWS to build software solutions. These solutions integrate with AWS Control Tower using native functionality, such as AWS Lambda and AWS Control Tower Lifecycle Events.
Check Point Software Technologies is an Advanced Technology Partner of AWS Partner Network (APN) in Security and Compliance automation and Network Security solutions.
The Check Point CloudGuard Cloud Security Posture Management (CSPM) solution, available in AWS Marketplace, is an agentless cloud compliance solution for the AWS cloud. It integrates threat prevention and policy orchestration through AWS cloud native controls and APIs. It also enables organizations to visualize and evaluate security postures, thereby enforcing golden standard policies and regulatory compliance.
CloudGuard uses the centralized logging model of AWS Control Tower to build a unified operational and security view across a multi-account environment.
In this blog post, we demonstrate the customization with CloudGuard to automate the security of newly created AWS accounts. Automation of posture management is a key component of this solution. This automation verifies that cloud accounts achieve a state of continuous compliance for major industry frameworks and security best practices. For example, a financial services customer who operates in Singapore can run rulesets that simultaneously assess compliance against Center for Internet Security (CIS) Foundations v.1.2.0, Payment Card Industry Data Security Standard (PCI-DSS) 3.2 and the Monetary Authority of Singapore’s Technology Risk Management (MAS TRM) guidelines. Automatic remediation can be used to accelerate the resolution of high-risk misconfigurations.
Before getting started, you should have the following:
- A working AWS Control Tower environment. You can configure AWS Control Tower by following the Getting Started with AWS Control Tower documentation or Jeff Barr’s blog post.
- A valid subscription to CloudGuard Dome9: Cloud Compliance for AWS Marketplace. Refer to the latest CloudGuard Implementation Guide for the subscription steps.
- A deployment of the CloudGuard serverless app in your AWS Control Tower environment. Refer to the same CloudGuard Implementation Guide linked in step 2 for detailed steps.
In this solution, we will show you how to onboard AWS accounts into CloudGuard and view compliance against two rulesets.
Follow these steps to integrate AWS Control Tower with CloudGuard:
- Enroll an AWS account into AWS Control Tower and automatically onboard the account to CloudGuard using the CloudGuard serverless app.
- Onboard existing AWS Control Tower managed AWS accounts into CloudGuard.
- Create a unified view of the posture of your AWS Control Tower managed accounts in CloudGuard and run a compliance ruleset.
- Explore the output of the compliance ruleset for CIS Foundations.
- Explore the output of the compliance ruleset for PCI-DSS.
The CloudGuard serverless app includes the following AWS resources:
- AWS Lambda function for onboarding automation
- Amazon EventBridge rule, configured to be triggered by the CreateManagedAccount lifecycle event
- AWS Secrets Manager to store API credentials
- Amazon CloudWatch alarm, for Lambda failures
- Amazon SNS topic for email notifications (a subscription confirmation email is sent to the configured address when the app is deployed)
Here is how the solution works:
- AWS Control Tower publishes the lifecycle events after successful enrollment of an AWS account. The AWS Control Tower Lifecycle Event CreateManagedAccount triggers the AWS Lambda function to onboard the AWS account to CloudGuard. Refer to the following diagram.
- The Lambda function deploys the AWS CloudFormation StackSet based on the CloudGuard template. The stack gets successfully deployed to the AWS account that has been enrolled to AWS Control Tower. The stack also retrieves the CloudGuard credentials from the AWS Secrets Manager secret. Refer to the following diagram.
- The Lambda function sends a request to the CloudGuard API with the required credentials and onboarding payload, and thus the AWS account is onboarded to CloudGuard. A CloudWatch alarm is also configured that triggers when the Lambda failure count is greater than or equal to 1. Refer to the following diagram.
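The first two steps above hinge on the Lambda being invoked only for a successful CreateManagedAccount lifecycle event. The following is an added example (not code from the CloudGuard serverless app) showing the EventBridge event pattern such a rule would use and the handler-side filtering that extracts the enrolled account only when enrollment reached the SUCCEEDED state; the sample event is constructed in the shape Control Tower publishes, with made-up account and OU values.

```python
import copy

# EventBridge event pattern for the rule that invokes the onboarding Lambda:
# only Control Tower's CreateManagedAccount lifecycle event should match.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

def matches_pattern(event, pattern):
    """Minimal EventBridge-style matcher: keys must exist, dicts recurse, leaf lists are allowed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True

def extract_enrolled_account(event):
    """Return (account_id, account_name, ou_id) for a SUCCEEDED enrollment, else None."""
    if not matches_pattern(event, EVENT_PATTERN):
        return None  # wrong source or event name: never onboard on this event
    status = event["detail"].get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None  # FAILED or in-progress enrollments must not be onboarded
    acct = status["account"]
    return acct["accountId"], acct["accountName"], status["organizationalUnit"]["organizationalUnitId"]

# Constructed sample event in the shape Control Tower publishes (ids and names are made up).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "organizationalUnit": {"organizationalUnitId": "ou-example-1234abcd"},
            "account": {"accountName": "payments-prod", "accountId": "111122223333"},
            "state": "SUCCEEDED",
        }},
    },
}

def with_state(event, state):
    """Copy of the event with the enrollment state replaced (to exercise the filtering)."""
    e = copy.deepcopy(event)
    e["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = state
    return e
```

In the real app the returned account id feeds the StackSet deployment and the CloudGuard API call; the credentials for that call come from the Secrets Manager secret, not from the event.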
Once the CloudGuard serverless app is integrated with AWS Control Tower and you have onboarded AWS accounts from the CloudGuard console, you can then view the protected assets. The assets shown for AWS will depend on which resources you have in your AWS Control Tower managed accounts but can include Identity and Access Management (IAM) roles, AWS VPCs, network interfaces, Amazon Elastic Block Store (Amazon EBS) storage volumes, and many more.
From CloudGuard, you can run assessments against compliance rulesets, such as AWS CIS Foundations. You can also run security best practice rulesets for all AWS Control Tower managed accounts.
Step 1: Enroll account into AWS Control Tower and automatically onboard to CloudGuard
Once you have completed the prerequisites, you can go ahead and enroll an account in AWS Control Tower. This account can either be a new account or an existing account. For details on the AWS Control Tower account enrollment process, see the steps in the AWS Control Tower documentation.
The account creation usually takes about 20-30 minutes. Once it is complete, the CreateManagedAccount Lifecycle event is published. This triggers the CloudGuard serverless app to onboard the account to CloudGuard.
Step 2: Onboard existing AWS Control Tower managed accounts into CloudGuard
You can now onboard existing AWS accounts into CloudGuard from the CloudGuard UI console. CloudGuard provides instructions for this process within their online documentation.
Step 3: See a unified view of the posture of your AWS Control Tower managed accounts in CloudGuard and run a compliance ruleset
- From the CloudGuard console, you can now see the dashboard with a summary of all AWS accounts that are onboarded. You can also customize this dashboard to display the information you need at hand with widgets. An example of a customized dashboard is shown in the following screenshot. It includes widgets showing CIS benchmarks, latest events and traffic alerts, copy of trend of CIS now, accounts with high severity, event and traffic alerts, trend of CIS now, vulnerability management, and compute alerts.
- Here is how CloudGuard can be used to assess your security posture. In the CloudGuard console, navigate to POSTURE MANAGEMENT and then Compliance Rulesets. From here, you can select one or more rulesets that you can use to run assessments against your AWS accounts. We added filters for Policy Category: Compliance Frameworks, Platform: AWS, and Type: CloudGuard Managed. The system returned 57 results to choose from. Refer to the following screenshot, which shows the top six results, including AWS CPPA Framework, SOC2, HIPAA, AWS CIS Foundations, ISO, and AWS CloudGuard Best Practices.
- For this example, we are using rulesets that might be selected by a Financial Services customer. So, we changed our filters to Platform: AWS, and Type: CloudGuard Managed. We then selected the following rulesets: AWS CIS Foundations v. 1.2.0, AWS PCI-DSS 3.2, and AWS CloudGuard Well Architected Framework.
- For each of our rulesets, we chose RUN ASSESSMENT.
Step 4: Explore the output of the compliance ruleset for AWS CIS Foundations v. 1.2.0
After the assessment has finished, you see the assessment summary and detailed results in the CloudGuard console. This includes individual findings that have been identified as being non-compliant with the selected rulesets.
- The following screenshot shows the summary results of the AWS CIS Foundations v 1.2.0 assessment. It shows the tests score, failed tests by rule severity, distribution by geolocation, entities by type and pass versus fail, and tested entities.
- Following the summary, you can see your detailed results. Our example showed the results of evaluating security group configuration and Multi-Factor Authentication (MFA) for IAM users, with the number of non-compliant resources for each. We can see that the number of failed tests is three.
- From the compliance ruleset assessment results, you can find the list of all the failed tests, including the non-compliant resources. One of the failed tests is Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389). The specific AWS resources in your AWS Control Tower managed accounts are displayed. For each resource displayed, you can view further details in the Actions column on the right side. Select the eye icon for Preview entity, for example. You can also flag the item by selecting the flag icon or remediate it by selecting the robot icon, both in the Actions column. Remediation instructions are listed in this view; however, you may also consider another CloudGuard feature, CloudBots, which allows you to set up auto-remediation for failed rulesets.
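To make the failed CIS test above concrete, here is an added example (not CloudGuard's rule engine) of the check it performs, written over security group records shaped like the EC2 DescribeSecurityGroups response. It generalizes slightly beyond the rule as stated: it treats an all-traffic (-1) rule and a port range covering 3389 as open, also flags ::/0, and takes the port as a parameter so the same logic covers the companion SSH (TCP:22) test. The sample groups are constructed with made-up ids.

```python
from ipaddress import ip_network

RDP_PORT = 3389

def _rule_covers_port(perm, port):
    """True if an IpPermissions entry covers TCP `port` (an all-traffic rule counts)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # -1 means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _world_cidrs(perm):
    """CIDRs in the entry that admit any source address (0.0.0.0/0 or ::/0)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c and ip_network(c, strict=False).prefixlen == 0]

def find_world_open_ingress(security_groups, port=RDP_PORT):
    """Return (GroupId, CIDR) findings for ingress rules open to the world on `port`."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _rule_covers_port(perm, port):
                continue
            for cidr in _world_cidrs(perm):
                findings.append((sg["GroupId"], cidr))
    return findings

# Constructed sample groups in DescribeSecurityGroups shape (ids are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [           # RDP from anywhere: fails
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [           # RDP from internal range: passes
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "IpPermissions": [           # all traffic from anywhere: fails
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "IpPermissions": [           # range 3000-4000 over IPv6: fails
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

In a real account the input would come from ec2.describe_security_groups()["SecurityGroups"], and each finding corresponds to one non-compliant entity in the CloudGuard results view.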
Step 5: Explore the output of the compliance ruleset for AWS PCI-DSS 3.2
- The following screenshot shows the summary results of the assessment run against the AWS PCI-DSS 3.2 ruleset. It includes tests score, failed tests by rule severity, distribution by geolocation, and tested entities.
- Following the summary, you can see your detailed results. In this example, results for each rule show the number of resources tested, how many are relevant, and how many are non-compliant with the given rule. Our detailed results included the number of EC2 instances that haven’t had Amazon Inspector run assessments in the last 30 days and the number of non-compliant S3 resources. You can configure automatic remediation action on the problematic cloud entity leveraging CloudBots.
- CloudGuard’s automatic remediation solution, CloudBots, can be configured to trigger automatically for a failed rule in these selected rulesets. More information about this open source solution can be found on the CloudBots page. To configure an automatic reaction upon failure of a specific rule, use the Configure remediation option. We did this and got detailed findings for the rule Use encryption for S3 Bucket write actions. If automatic remediation has been configured, it triggers directly from the compliance rule that failed.
You can remove resources by going to the AWS CloudFormation console and deleting the AWS CloudFormation stack serverlessrepo-dome9-automatic-onboarding that was created as part of the prerequisites. Alternatively, you can run the following AWS Command Line Interface (AWS CLI) command:
aws cloudformation delete-stack --stack-name <stack_name>
In this blog post, we showed how to subscribe to CloudGuard in AWS Marketplace. We described how you can integrate CloudGuard so that when you enroll AWS accounts in AWS Control Tower, these accounts are automatically onboarded to CloudGuard. We shared an example of a unified view of your security posture in CloudGuard. We also showed how to run compliance rulesets on your AWS accounts to identify and remediate misconfigurations that may otherwise leave you exposed to attacks.
Find out more about Check Point products available in AWS Marketplace.
To get started on AWS or to learn more about building a well-architected AWS environment, visit the Getting Started with AWS Control Tower page for guidance.
About the authors
Arijit Paul is a Partner Specialist Solutions Architect focusing on AWS Service Catalog, AWS Control Tower, AWS Systems Manager, and AWS Marketplace. Outside of work, he enjoys cooking, travelling and spending time with his family.
Emily Arnautovic is an Enterprise Solutions Architect at AWS, where she helps customers architect and manage multi-account environments on AWS to solve a range of business needs. She specializes in the Financial Services industry. Outside of work, she enjoys travelling, physical fitness, and foreign language learning.
Maya Levine worked as a Security Engineer at Check Point Software Technology before moving to her current role of Technical Marketing Engineer for Cloud Security. She is a Technical Evangelist with the company, regularly speaking at technology conferences and conducting media interviews with news channels.
Trisha Paine is Head of Marketing Programs, Cloud Security at Check Point Software Technologies.