5 Ways to secure your unused AWS regions.

AWS has 22 geographic regions currently available at the time of this post.

If your environment contains one or more unused regions, monitoring those regions is vital, both for security and for keeping cost under control.

Deploying audit and configuration-monitoring services such as AWS CloudTrail, AWS Config, or a third-party equivalent is a must for every environment, including empty regions and the default VPCs that AWS creates in each of them.

Failing to monitor these environments is an attacker's dream: with careful planning, they can use the unmonitored regions for months without being detected.

Remove AWS Default VPCs

The following Python script attempts to delete the default VPC in every region enabled for the account. It is not recommended for an established account, where it risks deleting something you still need. As a safety check it skips any default VPC that still has network interfaces attached, which catches most live resources (instances, load balancers, RDS, Lambda functions in a VPC), but it does not account for everything, so review each region and try it in a test account before running it for real.

"""

Remove those pesky AWS default VPCs.

Python Version: 3.7.0
Boto3 Version: 1.7.50

"""

import boto3
from botocore.exceptions import ClientError

def delete_igw(ec2, vpc_id):
  """
  Detach and delete the internet gateway
  """

  args = {
    'Filters' : [
      {
        'Name' : 'attachment.vpc-id',
        'Values' : [ vpc_id ]
      }
    ]
  }

  try:
    igw = ec2.describe_internet_gateways(**args)['InternetGateways']
  except ClientError as e:
    print(e.response['Error']['Message'])
    return  # igw would be unbound below if the describe call failed

  if igw:
    igw_id = igw[0]['InternetGatewayId']

    try:
      result = ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    except ClientError as e:
      print(e.response['Error']['Message'])

    try:
      result = ec2.delete_internet_gateway(InternetGatewayId=igw_id)
    except ClientError as e:
      print(e.response['Error']['Message'])

  return

def delete_subs(ec2, args):
  """
  Delete the subnets
  """

  try:
    subs = ec2.describe_subnets(**args)['Subnets']
  except ClientError as e:
    print(e.response['Error']['Message'])
    return  # subs would be unbound below if the describe call failed

  if subs:
    for sub in subs:
      sub_id = sub['SubnetId']

      try:
        result = ec2.delete_subnet(SubnetId=sub_id)
      except ClientError as e:
        print(e.response['Error']['Message'])

  return

def delete_rtbs(ec2, args):
  """
  Delete the route tables
  """

  try:
    rtbs = ec2.describe_route_tables(**args)['RouteTables']
  except ClientError as e:
    print(e.response['Error']['Message'])
    return  # rtbs would be unbound below if the describe call failed

  if rtbs:
    for rtb in rtbs:
      # The main route table is removed together with the VPC, so skip it.
      # Check every association rather than only the last one in the list.
      if any(assoc.get('Main', False) for assoc in rtb['Associations']):
        continue
      rtb_id = rtb['RouteTableId']

      try:
        result = ec2.delete_route_table(RouteTableId=rtb_id)
      except ClientError as e:
        print(e.response['Error']['Message'])

  return

def delete_acls(ec2, args):
  """
  Delete the network access lists (NACLs)
  """

  try:
    acls = ec2.describe_network_acls(**args)['NetworkAcls']
  except ClientError as e:
    print(e.response['Error']['Message'])
    return  # acls would be unbound below if the describe call failed

  if acls:
    for acl in acls:
      default = acl['IsDefault']
      if default == True:
        continue
      acl_id = acl['NetworkAclId']

      try:
        result = ec2.delete_network_acl(NetworkAclId=acl_id)
      except ClientError as e:
        print(e.response['Error']['Message'])

  return

def delete_sgps(ec2, args):
  """
  Delete any security groups
  """

  try:
    sgps = ec2.describe_security_groups(**args)['SecurityGroups']
  except ClientError as e:
    print(e.response['Error']['Message'])
    return  # sgps would be unbound below if the describe call failed

  if sgps:
    for sgp in sgps:
      default = sgp['GroupName']
      if default == 'default':
        continue
      sg_id = sgp['GroupId']

      try:
        result = ec2.delete_security_group(GroupId=sg_id)
      except ClientError as e:
        print(e.response['Error']['Message'])

  return

def delete_vpc(ec2, vpc_id, region):
  """
  Delete the VPC
  """

  try:
    result = ec2.delete_vpc(VpcId=vpc_id)
  except ClientError as e:
    print(e.response['Error']['Message'])

  else:
    print('VPC {} has been deleted from the {} region.'.format(vpc_id, region))

  return

def get_regions(ec2):
  """
  Return all AWS regions
  """

  regions = []

  try:
    aws_regions = ec2.describe_regions()['Regions']
  except ClientError as e:
    print(e.response['Error']['Message'])

  else:
    for region in aws_regions:
      regions.append(region['RegionName'])

  return regions

def main(profile):
  """
  Do the work..

  Order of operation:

  1.) Delete the internet gateway
  2.) Delete subnets
  3.) Delete route tables
  4.) Delete network access lists
  5.) Delete security groups
  6.) Delete the VPC 
  """

  # AWS Credentials
  # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html

  session = boto3.Session(profile_name=profile)
  ec2 = session.client('ec2', region_name='us-east-1')

  # describe_regions() returns only the regions enabled for this account.
  # Opt-in regions that were never enabled have no default VPC to remove.
  regions = get_regions(ec2)

  for region in regions:

    ec2 = session.client('ec2', region_name=region)

    try:
      attribs = ec2.describe_account_attributes(AttributeNames=[ 'default-vpc' ])['AccountAttributes']
    except ClientError as e:
      # A failure in one region (e.g. missing permissions there) should not
      # abort the whole run; report it and move on to the next region.
      print('{}: {}'.format(region, e.response['Error']['Message']))
      continue

    else:
      vpc_id = attribs[0]['AttributeValues'][0]['AttributeValue']

    if vpc_id == 'none':
      print('VPC (default) was not found in the {} region.'.format(region))
      continue

    # Are there any existing resources?  Since most resources attach an ENI, let's check..

    args = {
      'Filters' : [
        {
          'Name' : 'vpc-id',
          'Values' : [ vpc_id ]
        }
      ]
    }

    try:
      eni = ec2.describe_network_interfaces(**args)['NetworkInterfaces']
    except ClientError as e:
      print('{}: {}'.format(region, e.response['Error']['Message']))
      continue  # never delete a VPC whose contents could not be verified

    if eni:
      print('VPC {} has existing resources in the {} region.'.format(vpc_id, region))
      continue

    delete_igw(ec2, vpc_id)
    delete_subs(ec2, args)
    delete_rtbs(ec2, args)
    delete_acls(ec2, args)
    delete_sgps(ec2, args)
    delete_vpc(ec2, vpc_id, region)

  return

if __name__ == "__main__":

  import sys

  # Optional first argument: a named profile from the AWS credentials file.
  # With no argument, boto3 falls back to its default credential chain.
  main(profile = sys.argv[1] if len(sys.argv) > 1 else None)

All Credit and thanks to Todd for the above script.
https://github.com/toddm92/vpc-delete

Monitoring Unused Regions with CloudTrail

AWS makes it straightforward to cover every region with CloudTrail: create the trail as a multi-region trail (the IsMultiRegionTrail setting) and it records events from all existing regions and from any region launched or enabled for the account later, aggregating the log files into a single Amazon S3 bucket.

Deactivate Unused Region Endpoints

By default, the AWS STS endpoints are active in every region that was introduced before March 20, 2019.

Regions introduced after that date, such as Middle East (Bahrain) and Asia Pacific (Hong Kong), are opt-in regions: they are disabled by default and must be enabled per account before anything can be created in them.

You can reduce your exposure by deactivating the STS endpoints in any region you do not use. Be clear about what this does and does not cover: it stops STS from issuing temporary credentials through that regional endpoint, but it does not block API calls made to the region with existing long-term access keys or with credentials obtained elsewhere. Blocking a region outright requires a control enforced outside the account, such as a service control policy in AWS Organizations keyed on the aws:RequestedRegion condition.

STS endpoints are managed per region from the IAM console (Account settings, "Manage AWS STS in an AWS Region"), where each one can be deactivated or reactivated.
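Because the STS endpoint switch only limits temporary-credential issuance, the control that actually closes an unused region is an Organizations service control policy. The block below is an added example, not code from the post or from the script's author: it builds the region-restricting SCP in the shape AWS documents for aws:RequestedRegion and checks which requests the policy would deny. The allowed-region list and the set of exempted global services are assumptions for the example and must be reviewed against your own accounts.

```python
"""
Added example (not from the original post): build a region-restricting
service control policy (SCP) for AWS Organizations and check which requests
it denies.  The statement shape (Deny + NotAction + StringNotEquals on
aws:RequestedRegion) is the one AWS documents; the allowed regions and the
list of exempt global services are assumptions for this example.
"""
import fnmatch
import json

# Regions the organisation actually uses (assumption for this example).
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Global services sign their requests against us-east-1 (or carry no usable
# region), so they must be exempted or the policy breaks IAM, billing and DNS
# management for everyone.  Review this list against your own account.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*", "budgets:*",
    "route53:*", "cloudfront:*", "health:*", "trustedadvisor:*",
]


def build_region_scp(allowed_regions, exempt_actions):
    """Return the SCP document as a dict; json.dumps() it to attach it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
            },
        }],
    }


def action_matches(pattern, action):
    """IAM action names are matched case-insensitively with '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(scp, action, region):
    """
    Decide whether the Deny statement built above blocks one request.
    This follows only that statement's semantics (NotAction exempts the
    action; StringNotEquals on a list is true when the region matches none
    of the values); it is not a general IAM policy evaluator.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempt global-service action; statement does not apply
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if region not in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)
    print(json.dumps(policy, indent=2))
    for action, region in [("ec2:RunInstances", "ap-southeast-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateUser", "us-east-1"),
                           ("sts:AssumeRole", "me-south-1")]:
        verdict = "DENIED" if is_denied(policy, action, region) else "allowed"
        print(action, region, verdict)
```

Two things to keep in mind when attaching a policy like this: SCPs never apply to the organization's management account, so that account still needs the STS and monitoring controls described on this page; and the NotAction list is the part to get right, since a global service missing from it stops working for every account under the policy, while a regional service wrongly added to it is exempt from the region lock.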

Monitor for Regional Activity

CloudTrail records events for your account and delivers them as log files to an Amazon S3 bucket. Each log file holds one or more records, and reading them by hand quickly becomes tedious and error-prone.

Integrating CloudTrail with a third-party platform such as Splunk removes most of that burden: index the records and alert on the awsRegion field, so that any activity in a region that should be idle is flagged as soon as it happens.
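The region alert described above, as an added example that is not part of the original post: a small Python routine that reads the records of one CloudTrail log file and flags activity outside an allow-list of regions, the same logic you would express as a search on awsRegion in Splunk. The log records are constructed for the example and are not real account data; the allow-list and the severity rules are assumptions.

```python
"""
Added example (not from the original post): flag CloudTrail activity in
regions that are not on an allow-list.  SAMPLE_LOG_FILE is a constructed
CloudTrail log-file body (the JSON you get after gunzipping one object from
the trail bucket); the account id, principals and IPs are placeholders.
"""
import json

# Regions where the organisation actually runs workloads (assumption).
# us-east-1 stays on the list because global-service events (IAM, STS,
# CloudFront, Route 53) are recorded with awsRegion set to us-east-1.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}

# Constructed sample records: normal work in eu-west-1, a read-only probe and
# an instance launch in ap-southeast-1, a denied launch in me-south-1, and an
# IAM call that lands in us-east-1 because IAM is a global service.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2020-05-30T10:15:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.5", "userIdentity": ALICE},
    {"eventVersion": "1.05", "eventTime": "2020-05-30T10:16:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-1", "readOnly": True,
     "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE},
    {"eventVersion": "1.05", "eventTime": "2020-05-30T10:17:05Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE},
    {"eventVersion": "1.05", "eventTime": "2020-05-30T10:18:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "me-south-1", "readOnly": False,
     "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE},
    {"eventVersion": "1.05", "eventTime": "2020-05-30T10:19:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.5", "userIdentity": BOB},
]})


def is_mutating(record):
    """Prefer the readOnly flag; older event versions lack it, so fall back
    on the verb prefix of the API name."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(("Describe", "List", "Get"))


def find_out_of_region_activity(log_file_text, allowed_regions):
    """
    Return one finding per (principal, region) seen outside allowed_regions.
    A mutating call raises the severity to 'high'; a read-only probe in a
    region that should be empty is still reported as 'low'.  Failed calls are
    kept and counted: someone testing stolen keys produces exactly those.
    """
    records = json.loads(log_file_text)["Records"]
    findings = {}
    for rec in records:
        region = rec["awsRegion"]
        if region in allowed_regions:
            continue
        identity = rec.get("userIdentity", {})
        principal = identity.get("arn", identity.get("type", "unknown"))
        finding = findings.setdefault((principal, region), {
            "principal": principal, "region": region, "severity": "low",
            "events": [], "denied": 0, "source_ips": set(),
        })
        finding["events"].append(rec["eventName"])
        finding["source_ips"].add(rec.get("sourceIPAddress", "?"))
        if "errorCode" in rec:
            finding["denied"] += 1
        if is_mutating(rec):
            finding["severity"] = "high"
    # High-severity findings first, then by region name.
    return sorted(findings.values(),
                  key=lambda f: (f["severity"] != "high", f["region"]))


if __name__ == "__main__":
    for f in find_out_of_region_activity(SAMPLE_LOG_FILE, ALLOWED_REGIONS):
        print("{severity:<5} {region:<15} {principal} events={events} "
              "denied={denied} from={source_ips}".format(**f))
```

The us-east-1 entry on the allow-list matters: because global-service events are logged under that region, an allow-list without it (or without an eventSource filter for IAM, STS and the like) turns every IAM call into a finding. The denied RunInstances in me-south-1 is reported on purpose; a failed call in a region you never use is a stronger signal of someone trying keys than a successful one in a region you do.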

Diagrams and Documentation

Having a visual overview of your cloud infrastructure is vital when it comes to cloud security, monitoring, and planning.

Know what is running and where. Third-party tools such as Hava.io generate automated, interactive diagrams of your cloud infrastructure.

They let you quickly find hidden or unused VPCs across accounts and regions, see the connections between resources and the security group configuration, and capture change over time with auto-sync and version history.

Conclusion

The simplicity, low price, and availability of cloud computing come with high complexity, and that complexity has become a hacker's dream.

As humans, we’re all prone to error.

Cloud computing has many layers, configurations, rules, roles, products, services, and integrations.

We’re all responsible for the systems we create and work on, and security teams need to be more vigilant than ever.

Start by identifying potential risks: understand what is running and where through cloud visualization, monitor cloud environments for unusual activity, and reduce the attack surface by removing or restricting resources such as the default VPCs in unused regions.

Don't compromise intellectual property or personal data. As a security professional, architect, or engineer, you need to know your cloud environments: what is running, where it is running, and which potential weaknesses are waiting to be exploited.

Last modified: May 30, 2020
