Lab 3 - Auditing Your Security with AWS Trusted Advisor | Qwiklabs

© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may
not be reproduced or redistributed, in whole or in part, without prior written permission
from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
All trademarks are the property of their owners.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Overview
This lab guides you through auditing your AWS resources to ensure that your configuration
complies with basic security best practices. This lab uses AWS Trusted Advisor as it
applies to security. The topics that are covered will also include working with security
groups, multi-factor authentication (MFA), and AWS Identity and Access Management
(IAM).
Topics Covered
After completing this lab, you can:
 Use AWS Trusted Advisor to perform a basic audit of your AWS resources
 Modify Amazon Elastic Compute Cloud (Amazon EC2) security groups to meet
best practices
 Configure multi-factor authentication (MFA) (Optional; requires installation of
software on a mobile device)
Start Lab
1. At the top of your screen, launch your lab by choosing Start Lab
This starts the process of provisioning your lab resources. An estimated amount of time to
provision your lab resources is displayed. You must wait for your resources to be
provisioned before continuing.
If you are prompted for a token, use the one distributed to you (or credits you have
purchased).
2. Open your lab by choosing Open Console
This opens an AWS Management Console sign-in page.
3. On the sign-in page, configure:
 IAM user name:
 Password: Paste the value of Password from the left side of the lab page
 Choose Sign In
Do not change the Region unless instructed.
Common Login Errors
Error: You must first log out

If you see the message, You must first log out before logging into a different AWS
account:
 Choose click here
 Close your browser tab to return to your initial lab window
 Choose Open Console again

Task 1: Check Recommended Actions with AWS Trusted Advisor
In this task, you will analyze the basic checks that are performed by AWS Trusted Advisor.
4. In the AWS Management Console, on the Services menu, choose Trusted
Advisor.
You can also type Trusted Advisor in the Find Services search bar.
 Critical – action recommended
 Investigation is recommended
 No issues or concerns found
5. If Trusted Advisor does not display any of the three icons that are shown above, or
if it displays a question mark, then choose the refresh button at the top right of the
page to update the status of AWS Trusted Advisor.
If you encounter the following notice at the top of the screen, then choose the refresh button
at the top of the page: Refresh is completed. Reload to see the updated information.
6. To access details, expand each AWS Trusted Advisor check by choosing it. Any
items that are not will list the criteria for the status, and provide a Recommended
Action that you should take.
Task 2: Modify Security Groups with Unrestricted Ports
In this task, you will review and address some of the security issues by removing rules that
allow access to unused and unnecessary ports.
As part of the lab setup, some security best practices and settings have not been properly
implemented. You will review and address some of those issues.
7. Under the Recommended Actions section of the page, choose the button to the left
of Security Groups - Specific Ports Unrestricted.
8. In the Security Groups table at the bottom of this section, identify the security
groups that are marked as in the Status column.
One of the listed items shows that a port is open in the security group (port 21 / tcp). This
item is not currently used or needed, and it should be removed from the rules.
9. Find the item that contains tcp in the Protocol column, and 21 in the From Port
column.
10. Choose the link for this tcp / port 21 item that is in the Security Group Name
column. This will take you to the Security Group page.
11. In the lower pane, choose the Inbound rules tab.
12. Choose Edit inbound rules
13. In the row for port range 21, click Delete
14. Choose Save rules
Task 3: Exclude Security Groups if Unrestricted Access
Is Required
15. At this point, please skip ahead to Task 4. The Trusted Advisor checks might take 30
minutes to finish checking your resources. You can come back to this task after you
finish Task 4.
After 30 minutes, the Exclude & Refresh button within your Security Groups - Specific
Ports Unrestricted will no longer be greyed out.
The rules for the color warnings that are related to security groups are:
 Green (Acceptable): HTTP (80), HTTPS (443), SMTP email (25), SMTPS email
(465).
 Red (Error): FTP (20, 21), SQL Server (1433, 1434), MySQL (3306), RDP (3389),
mini-SQL (4333), PostgreSQL (5432), Oracle (5500).
 Yellow: All other ports.
Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, and loss of data). Any security group that intentionally has unrestricted access to ports other than 80, 443, or 465 will be reported as yellow. These security groups can be excluded from Trusted Advisor checks.
If you must allow unrestricted access to any port, it is vital to have other controls, such as a
firewall or secure authentication.
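The colour rules above, applied to security group rules as an added example (not code from the lab or from AWS): it flags only rules open to every source address, colours them per the table, and honours the exclusions that Exclude & Refresh records in Task 3. The group names and sample rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Trusted Advisor's colour rules for unrestricted ports, as listed in Task 3.
GREEN_PORTS = {80, 443, 25, 465}
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "unrestricted" means open to every source address

@dataclass(frozen=True)
class InboundRule:
    group_name: str  # hypothetical group names, not the lab's real ones
    protocol: str    # "tcp" or "udp", as in the Protocol column
    from_port: int
    to_port: int
    source: str      # CIDR block the rule admits

def classify(rule: InboundRule) -> Optional[str]:
    """Colour for one rule, or None when the rule is not unrestricted (out of scope)."""
    if rule.source not in ANYWHERE:
        return None
    ports = set(range(rule.from_port, rule.to_port + 1))
    if ports & RED_PORTS:      # one red port anywhere in the range makes the rule red
        return "red"
    if ports <= GREEN_PORTS:   # every port in the range is an accepted web/mail port
        return "green"
    return "yellow"

def audit(rules: Iterable[InboundRule],
          excluded: FrozenSet[str] = frozenset()) -> Dict[str, List[InboundRule]]:
    """Group unrestricted rules by colour, skipping groups excluded via Exclude & Refresh."""
    report: Dict[str, List[InboundRule]] = {"red": [], "yellow": [], "green": []}
    for rule in rules:
        colour = None if rule.group_name in excluded else classify(rule)
        if colour:
            report[colour].append(rule)
    return report

# Constructed sample like the lab setup: unused FTP, web, SSH/RDP admin, private-subnet DB.
SAMPLE_RULES = [
    InboundRule("lab-ftp-sg", "tcp", 21, 21, "0.0.0.0/0"),
    InboundRule("lab-web-sg", "tcp", 80, 80, "0.0.0.0/0"),
    InboundRule("lab-linux-sg", "tcp", 22, 22, "0.0.0.0/0"),
    InboundRule("lab-windows-sg", "tcp", 3389, 3389, "0.0.0.0/0"),
    InboundRule("lab-db-sg", "tcp", 3306, 3306, "10.0.0.0/16"),
]

if __name__ == "__main__":
    approved = frozenset({"lab-linux-sg", "lab-windows-sg"})  # Task 3's exclusions
    for colour, found in audit(SAMPLE_RULES, approved).items():
        print(colour, [f"{r.group_name}:{r.from_port}-{r.to_port}" for r in found])
```

The red list with no exclusions is what Task 2 has you remove by hand (the port 21 rule), while the excluded groups disappear from the report exactly as they do after Exclude & Refresh.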
16. Go back to the Trusted Advisor dashboard by choosing Services and then choosing
Trusted Advisor.
17. Examine the remaining security groups in the table.
 Port 3389 grants Remote Desktop Protocol (RDP) access to Windows instances.
 Port 22 grants Secure Shell (SSH) access to Linux-based instances.
In some situations, you will want to approve having ports like these open. You can
therefore configure Trusted Advisor to skip over these warnings.
18. Select the check box for these security groups, and then choose Exclude & Refresh
If the Exclude & Refresh button is greyed out, you will have to wait a few minutes for it to
reactivate. You can hover over the button, and it will tell you when it will reactivate. You
might need to reload the page.
19. Refresh Trusted Advisor. The status of the Security Groups check should now be
Task 4: Configure Multi-Factor Authentication (Optional)
In this task, you will configure multi-factor authentication for your IAM user mfauser by
using a virtual device.
This task requires you to download and install a Multi-Factor Authentication (MFA) app
on your mobile device. If you prefer not to, you can skip ahead to the next task.
The check by AWS Trusted Advisor recommends enabling MFA for the root account. For
the purposes of this lab, we will only configure MFA for the mfauser. The process for the
root account is identical.
20. Expand the MFA on Root Account section by choosing next to the section.
21. Under Alert Criteria, note that the status is Red, and that MFA is not currently
enabled on the root account.
22. Download and install one of the supported Virtual Multi-Factor Authenticator
Software tools on your mobile device.
23. In the AWS Management Console, choose Services and then under the Security,
Identity & Compliance group, select IAM.
24. In the left navigation pane, select Users.
25. Choose mfauser.
26. Choose Security credentials, and go to the Sign-in credentials section under it.
27. Copy the Console sign-in link to your text editor.
The sign-in link should look similar to
https://612439403963.signin.aws.amazon.com/console
This tab shows several ways that this IAM user can authenticate to AWS. Note that
Assigned MFA device is currently set to Not assigned. You might need to scroll up to find
it.
28. In the Sign-in credentials section, choose the Manage link next to Not assigned for
Assigned MFA device.
29. On the Manage MFA device screen, choose Virtual MFA device.
30. Choose Continue
31. Click Show QR code.
The resulting screen will have a QR code that is used if you are configuring with a mobile-
device-based virtual MFA tool. If your virtual MFA app and device are able to scan the QR
code, then do that now by choosing Show QR code. If not, select Show secret key for
manual configuration and configure your app manually.
32. In the MFA Code 1 of the MFA configuration page, enter the code that was
provided. You might need to scroll down.
33. Wait 30 seconds for the next new code on your mobile device.
34. In the MFA Code 2 of the MFA configuration page, enter the code that was
provided. The second code should be a different code than the first code.
35. Choose Assign MFA
36. After the assignment is complete, you should receive a message that states that the
MFA device was successfully associated. Choose Close
In Assigned MFA device, you should now see a virtual device that is assigned an ID
similar to arn:aws:iam::12345678901:mfa/awsstudent
Verify Authentication Using an MFA Token
37. Log out of the AWS Console by selecting your account at the top of the screen,
and then selecting Sign Out.
38. Paste the console sign-in link into your browser's address bar and then press Enter.
39. At the sign-in page, configure:
 IAM user name:
 Password: Paste the value of mfaUserPassword located to the left of these
instructions.
40. Choose Sign In.
41. Refresh the code in the virtual MFA app that you're running on your mobile device,
then in the MFA Code field of the AWS Login page, enter the code number.
42. Choose Submit.
If you can log in, then you have successfully configured MFA authentication for the
mfauser.
Lab Complete
Congratulations! You now have successfully learned how to:
 Use AWS Trusted Advisor to perform a basic audit of your AWS resources.
 Modify Amazon EC2 Security Groups to meet best practices.
 Configure multi-factor authentication (MFA) (Optional; requires installation of
software on a mobile device).
End Lab
Follow these steps to close the console, end your lab, and evaluate the experience.
43. Return to the AWS Management Console.
44. On the navigation bar, choose awsstudent@<AccountNumber>, and then choose
Sign Out.
45. Choose End Lab
46. Choose OK
47. (Optional):
 Select the applicable number of stars
 Type a comment
 Choose Submit
o 1 star = Very dissatisfied
o 2 stars = Dissatisfied
o 3 stars = Neutral
o 4 stars = Satisfied
o 5 stars = Very satisfied
You may close the window if you don't want to provide feedback.
 AWS Trusted Advisor
 AWS Security Groups Rules
For more information about AWS Training and Certification, see
http://aws.amazon.com/training/.
Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the
details in our AWS Training and Certification Contact Form.