CMS’ ISPG (Information Security and Privacy Group) decided to discontinue funding the customization of MITRE’s Security Automation Framework (SAF) for CMS after September 2023. This repo is now in archive mode, but still accessible. For more information about SAF with current links, see https://security.cms.gov/learn/security-automation-framework-saf
InSpec profile overlay to validate the secure configuration of AWS RDS Infrastructure against the CIS's Amazon Web Services Three-tier Web Architecture Benchmark v1.0.0 tailored for CMS ARS 3.1 for CMS systems categorized as Moderate.
It is intended and recommended that InSpec and this profile overlay be run from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over ssh.
For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.
Latest versions and installation options are available at the InSpec site.
This overlay also requires the AWS Command Line Interface (CLI) which is available at the AWS CLI site.
The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.
# Description: Identifier for the database instance (e.g., ['test', 'post']).
db_instance_identifier: []
# Description: Security group identifier for virtual private cloud (e.g., ['sg-04de43a5bab54586c']).
vpc_security_group_id: []
# Description: Allowed range of IP addresses (e.g., '0.0.0.0/0').
allowed_ip_address_range: ''
Prior to running this overlay, certain credentials and permissions need to be established for the AWS CLI to work properly.
-
The IAM account used to run this profile against the AWS environment needs to be attached through a group or role with at least
AWS IAM "ReadOnlyAccess" Managed Policy
. -
If running in an AWS Multi-Factor Authentication (MFA) environment, derived credentials are needed to use the AWS CLI. Default
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
will not satisfy the MFA Policies in the CMS AWS environments. To do this, the AWS CLI environment needs to have the right system environment variables set with your AWS region and credentials and session key. InSpec supports the following standard AWS variables:
AWS_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
The environment variables can be set using the following commands.
# Set required ENV variables
$ export AWS_ACCESS_KEY_ID=<key-id>
$ export AWS_SECRET_ACCESS_KEY=<access-key>
$ export AWS_SESSION_TOKEN=<session_token>
$ export AWS_REGION='<region>'
More information about these credentials and permissions can be found in the AWS documentation and AWS Profile documentation.
A useful bash script for automating this process is here
Furthermore, to generate credentials using an AWS Profile you will need to use the following AWS CLI commands.
a. aws sts get-session-token --serial-number arn:aws:iam::<$YOUR-MFA-SERIAL> --token-code <$YOUR-CURRENT-MFA-TOKEN> --profile=<$YOUR-AWS-PROFILE>
b. Then export the AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and AWS_SESSION_TOKEN
that was generated by the above command.
# How to run
inspec exec https://github.com/CMSgov/cms-ars-3.1-moderate-aws-rds-infrastructure-cis-overlay/archive/master.tar.gz --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --target aws:// --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this overlay and all of its dependent tests:
(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)
When the "runner" host uses this profile overlay for the first time, follow these steps:
mkdir profiles
cd profiles
git clone https://github.com/CMSgov/cms-ars-3.1-moderate-aws-rds-infrastructure-cis-overlay.git
inspec archive cms-ars-3.1-moderate-aws-rds-infrastructure-cis-overlay
inspec exec <name of generated archive> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --target aws:// --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
For every successive run, follow these steps to always have the latest version of this overlay and dependent profiles:
cd profiles/cms-ars-3.1-moderate-aws-rds-infrastructure-cis-overlay
git pull
cd ..
inspec archive cms-ars-3.1-moderate-aws-rds-infrastructure-cis-overlay --overwrite
inspec exec <name of generated archive> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --target aws:// --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.
The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.
- Alicia Sturtevant - asturtevant
- Shivani Karikar - karikarshivani
To report a bug or feature request, please open an issue.
© 2018-2020 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
CIS Benchmarks are published by the Center for Internet Security (CIS), see: https://www.cisecurity.org/.