By using AWS re:Post, you agree to the Terms of Use

SSM Network firewall audit

0

Hi all, I'm using SSM on some hybrid linux nodes. I was going through the documentation and there is a mention of being able to use SSM to check open network ports on the nodes but there isn't any example of how to do it. I'm trying to setup a proof of concept right now and if there is a tutorial on how to do that that would be awesome, and would help my case. Are there any available resources?

2 Answers
0

Hello!

Usually we would suggest using AWS Firewall Manager as this is the best way to have a single view for your Security Groups and enforce a baseline policy across applications/ many instances. This is described in detail under this documentation: https://aws.amazon.com/blogs/security/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager/ https://aws.amazon.com/firewall-manager/ AWS Firewall Manager may be more suitable for what you are trying to accomplish.

For your questions regarding this under SSM, I was not able to find the documentation which you are referring to. Could I please ask that you include a link here so that I can check on that for you?

SUPPORT ENGINEER
answered 9 months ago
0

Hi!

If you're looking to see if the security groups on the instances allow for overly permissive access (such as wide open 0/0), you could use Trusted Advisor: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#security-groups-specific-ports-unrestricted. Trusted Advisor can be displayed in Systems Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-trusted-advisor-and-phd.html.

If you're looking for something else, you could also use Systems Manager OpsCenter to configure alerts based off AWS Security Hub events: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html.

AWS Firewall Manager can offer more network security checks, but requires integration with more services (Organizations, possibly Network Firewall) and can be pricier as well.

And lastly, AWS Config offers the ability to check resources and their configuration as well: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html. It's possible to create your own custom Config rules too.

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions