hammer: Protect the cloud with the power of the cloud(AWS)

Overview

Dow Jones Hammer is a multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts. It has near real-time reporting capabilities (e.g. JIRA, Slack) to provide quick feedback to engineers and can perform auto-remediation of some misconfigurations. This helps to protect products deployed on the cloud by creating secure guardrails.

Optionally, you can:

• enable CSV reporting with detected vulnerabilities to designated S3 bucket;
• integrate Dow Jones Hammer with JIRA and/or Slack. After detecting an issue, Dow Jones Hammer can raise a JIRA ticket for a specific person and/or send a Slack message to a specific Slack channel or directly to a Slack user;
• configure Dow Jones Hammer so that it can automatically remediate certain issues it had detected if these issues have persisted for a given timeframe.

Architecture Diagram

Lifecycle Description

Step 1: CloudWatch Events launches an instance of the initialization Lambda function which after that launches multiple instances of the identification Lambda function.

• The initialization Lambda function selects slave accounts to check for this issue as designated in the Dow Jones Hammer configuration files and triggers the check.
• The identification Lambda function identifies the issue for each account/region selected by the initialization Lambda function.

By default, CloudWatch Events launches initialization Lambdas once an hour (maximum possible identification frequency). You can decrease it while deploying the identification CloudFormation stack by changing any part of IdentificationCheckRateExpression parameter with CloudWatch Schedule Cron Expression. Minutes part is hardcoded to spread Lambda execution because of AWS Lambda concurrent execution limit.

Step 2: Identification lambdas identify all enabled issues. You can configure for each issue type independently whether the identification is enabled or not.

Step 3: Identification lambdas create records in DynamoDB table defined in the configuration file for all identified issues.

Step 4: Reporting engine according to discovered issues in DynamoDB creates tickets in JIRA or sends a notification to Slack. You can configure for each issue type independently whether reporting is enabled or not.

Step 5: Dow Jones Hammer provides automatic remediation for some issue types within a defined timeframe after reporting. You can configure for each issue type independently whether automatic remediation is enabled or not. Additionally, you can run remediation scripts manually from reporting and remediation EC2 instance. See the list of the issues for which Dow Jones Hammer supports remediation in the corresponding area at the diagram.

Security features

• Insecure Services
• S3 ACL Public Access
• S3 Policy Public Access
• IAM User Inactive Keys
• IAM User Keys Rotation
• CloudTrail Logging Issues
• EBS Unencrypted Volumes
• EBS Public Snapshots
• RDS Public Snapshots

Technologies

• Python 3.6
• AWS (Lambda, Dynamodb, EC2, SNS, CloudWatch, CloudFormation)
• Terraform
• JIRA
• Slack

Install & Use

Copyright 2018 Dow Jones