Custom Signatures

Custom Signature

Custom Signatures is one of our premium features. It is enabled for customers who want to write their own security rules, based on their specific requirements, for checks that are missing from our signature directory.

Create Custom Signatures 

For example, assume a customer wants to check whether the S3 buckets in their AWS account have default encryption enabled. To do so, they create a custom signature that is run against each bucket in the account and checks that bucket for a default encryption configuration. The steps to do this are as follows.

 1. Navigate to the Custom Signatures dashboard and click the button.

 2. The Custom Signature screen appears.

 3. Enter a recognisable name for your signature, e.g. AWS-S3-CUS-001.

 4. Write a precise description of the signature in the description box. For this scenario, simply type: “Ensure S3 Buckets are encrypted”.

 5. Choose a cloud provider. Here it is AWS, since we are checking S3 bucket encryption.

 6. Choose the S3 service from the dropdown menu.

The service layer corresponds to the cloud vendor's service catalogue; AWS, for example, provides storage services, database services, and so on.

 7. Set the severity level to High, since this is a security rule of high importance.

Severity reflects how much a failing check affects your compliance posture, judged against your internal policy.

 8. Select Cryptography as the category from the dropdown menu.

The category acts as an umbrella over the service under which your signature falls, and it is what you filter on when looking for signatures by purpose.

 9. Select the function you want to perform (here Cryptography, since we are checking storage encryption).

This field defines what the signature's check does.

10. Write your own Pass, Fail and Remediation messages for each outcome.

  • Pass message: shown when the check passes, i.e. the bucket is encrypted: “S3 Bucket is encrypted”.
  • Fail message: shown when the check fails, i.e. the bucket is not encrypted: “S3 Bucket is not encrypted”. A fail is a finding about the resource, not a runtime error in the signature.
  • Remediation message: the steps an operator should follow to fix a resource that failed the check. For this signature:

    • Log in to the S3 console.
    • Select the bucket name.
    • Click Properties.
    • Select Default Encryption.
    • Select AES-256 or AWS-KMS.
    • If using AWS-KMS, select a KMS key.
    • Click Save.

 11. In the Code Editor section you write the signature's own code. Cloudnosys provides a function named apiCaller, to which you pass the parameters of the public cloud API call you want to make; the editor also supplies a resource object describing the resource under test (its name and region).
After adding the snippet, since we want to check the default encryption status of each S3 bucket, our code editor looks like this:

    // console.log('resource', resource);
    try {
      const apiResponse = await apiCaller({
        service: "S3",
        serviceParams: { apiVersion: "2006-03-01", region: [resource.region] },
        endpoint: "getBucketEncryption",
        params: { Bucket: resource.name }
      });
      // apiCaller returns one result set per region; take the first result
      const encryption = apiResponse[0][0];
      const rules = encryption.ServerSideEncryptionConfiguration.Rules;
      // Pass only if every default-encryption rule uses AES256 (SSE-S3) or aws:kms (SSE-KMS)
      const status = rules.length > 0 && rules.every(rule => {
        const sse = rule.ApplyServerSideEncryptionByDefault;
        return sse && (sse.SSEAlgorithm === "AES256" || sse.SSEAlgorithm === "aws:kms");
      });
      // console.log('status', status);
      return status;
    } catch (err) {
      // S3 reports "no default encryption configured" as an error
      // (ServerSideEncryptionConfigurationNotFoundError), so the bucket fails the check
      return false;
    }
  • service: the AWS service to call; here S3.
  • serviceParams: the API version for that service as given in the AWS documentation (2006-03-01 for S3), and the region of the resource being tested.
  • endpoint: the API operation to call; to check S3 bucket encryption we use getBucketEncryption.
  • params: getBucketEncryption takes the bucket name in its Bucket parameter, so we pass the name of the resource under test (resource.name).

 12. Then click the button to check that the code runs successfully. Testing the signature runs it once against each resource and returns:

  • true // pass
  • false // fail

 13. Scroll down to the console tab to check the result; the other tab lists the resources that exist within the chosen service.

If you see the result as shown above, click the button to save the signature.

Voila! You have created your own custom signature in your Cloudnosys account.
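To see how the pass, fail and remediation outcomes in steps 10 to 13 fit together, here is the whole signature written out as a runnable unit with a constructed stand-in for apiCaller, so it runs offline. This is an added example, not code from the Cloudnosys editor or from the page: the platform's real apiCaller response shape (one result set per region, read as apiResponse[0][0]), the err.code property on thrown errors and the bucket names are assumptions. It goes one step beyond the editor snippet in a way a practitioner cares about: a missing default-encryption configuration is a genuine fail, but AccessDenied or NoSuchBucket says nothing about encryption and is surfaced as an error rather than reported as a pass or a fail.

```javascript
"use strict";

// SSE algorithms that satisfy "S3 bucket has default encryption" for this rule.
// aws:kms:dsse (dual-layer SSE-KMS) is included because it is also encryption at rest.
const ACCEPTED_ALGORITHMS = new Set(["AES256", "aws:kms", "aws:kms:dsse"]);

// Pure decision logic over a GetBucketEncryption response body.
// Every default-encryption rule must use an accepted algorithm; no rules means no default encryption.
function evaluateEncryption(response) {
  const config = response && response.ServerSideEncryptionConfiguration;
  const rules = (config && config.Rules) || [];
  if (rules.length === 0) return false;
  return rules.every((rule) => {
    const sse = rule.ApplyServerSideEncryptionByDefault;
    return Boolean(sse) && ACCEPTED_ALGORITHMS.has(sse.SSEAlgorithm);
  });
}

// Signature body in the shape used by the code editor: apiCaller and resource are supplied by the platform.
// Returns true (pass) or false (fail); errors that say nothing about encryption are rethrown.
async function s3DefaultEncryptionSignature(apiCaller, resource) {
  try {
    const apiResponse = await apiCaller({
      service: "S3",
      serviceParams: { apiVersion: "2006-03-01", region: [resource.region] },
      endpoint: "getBucketEncryption",
      params: { Bucket: resource.name },
    });
    // Assumption: apiCaller returns one result set per region; we read the first result.
    return evaluateEncryption(apiResponse[0][0]);
  } catch (err) {
    // S3 reports "no default encryption configured" as an error, not an empty response: a genuine FAIL.
    if (err.code === "ServerSideEncryptionConfigurationNotFoundError") return false;
    // AccessDenied, NoSuchBucket, throttling: not evidence either way, so neither pass nor fail.
    throw err;
  }
}

// Constructed stand-in for the platform's apiCaller: an in-memory account with four sample buckets.
const SAMPLE_ACCOUNT = {
  "logs-kms":    { rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms", KMSMasterKeyID: "alias/logs" } }] },
  "public-web":  { rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] },
  "legacy-dump": { errorCode: "ServerSideEncryptionConfigurationNotFoundError" },
  "other-team":  { errorCode: "AccessDenied" },
};

async function fakeApiCaller({ service, endpoint, params }) {
  if (service !== "S3" || endpoint !== "getBucketEncryption") {
    throw new Error(`fakeApiCaller: unsupported call ${service}.${endpoint}`);
  }
  const bucket = SAMPLE_ACCOUNT[params.Bucket];
  const code = bucket ? bucket.errorCode : "NoSuchBucket";
  if (code) {
    const err = new Error(code);
    err.code = code; // assumption: errors carry the S3 error code in err.code, as AWS SDK v2 errors do
    throw err;
  }
  return [[{ ServerSideEncryptionConfiguration: { Rules: bucket.rules } }]];
}

// Run the signature over every resource, as the "test signature" step does, collecting pass/fail/error.
async function runSignature(apiCaller, resources) {
  const results = {};
  for (const resource of resources) {
    try {
      results[resource.name] = await s3DefaultEncryptionSignature(apiCaller, resource);
    } catch (err) {
      results[resource.name] = `error: ${err.code}`;
    }
  }
  return results;
}

const SAMPLE_RESOURCES = Object.keys(SAMPLE_ACCOUNT).map((name) => ({ name, region: "us-east-1" }));

if (typeof require !== "undefined" && require.main === module) {
  runSignature(fakeApiCaller, SAMPLE_RESOURCES).then((results) => console.log(results));
}
```

Running it reports logs-kms and public-web as true, legacy-dump as false, and other-team as an error rather than a result. Two caveats when adapting this: since January 2023 S3 applies SSE-S3 (AES256) to every bucket by default, so getBucketEncryption rarely reports a missing configuration any more, and if your policy requires SSE-KMS specifically you should remove AES256 from ACCEPTED_ALGORITHMS.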
