Trusted Advisor Checks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: TrustedAdvisor-002

Ensure that all Amazon Trusted Advisor checks (also known as best practices) found within your AWS account are inspected and resolved. Trusted Advisor is an AWS service that provides real-time guidance to help you provision and manage your cloud resources following AWS best practices. Trusted Advisor scans your AWS environment, compares it against AWS best practices in 5 categories (security, fault tolerance, performance, cost optimisation and service limits) and provides recommended actions to help you secure and optimise your AWS infrastructure and save money. A Trusted Advisor check contains a detailed description of the recommended best practice, a set of alert criteria described using color coding: Green (no issues), Yellow (an investigation is required) and Red (an action is required), guidelines for action, and a list of links to useful resources on the topic. AWS Trusted Advisor integrates with Cloud Conformity so that you can receive the checks (for one or more AWS accounts) on your Cloud Conformity dashboard. Cloud Conformity also automatically generates tickets in your preferred task management system, ensuring risks are not only identified but also actioned using your current business workflow.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Sustainability
  • Security
  • Reliability
  • Performance efficiency
  • Cost optimisation

With Amazon Trusted Advisor and Cloud Conformity you can analyze your AWS environment and get recommendations when opportunities exist to reduce costs, improve infrastructure/system availability and performance, or help close security gaps.

Note: As an example, this conformity rule demonstrates how to examine and solve an AWS Trusted Advisor check. The selected check, named "MFA on Root Account", recommends the use of Multi-Factor Authentication (MFA) for your root account in order to improve security by requiring additional authentication data from a secondary device.


Audit

To find and examine Trusted Advisor checks within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Trusted Advisor dashboard at https://console.aws.amazon.com/trustedadvisor/.

03 In the left navigation panel, choose Security to access the Trusted Advisor checks available in the Security category, then click the Refresh button to refresh the security checks.

04 In the Security Checks section, choose the check that you want to examine (i.e. "MFA on Root Account").

05 Click on the MFA on Root Account entry to expand the check details panel.

06 Based on the information listed on the details panel (especially within the Alert Criteria and Recommended Action sections), you can analyze the selected check and create a plan to implement the recommended fix (in this case, to enable Multi-Factor Authentication for your AWS root account).

07 Repeat steps no. 3 – 5 to examine other Amazon Trusted Advisor checks available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

Note: To find and examine Trusted Advisor checks using AWS CLI, you must subscribe to an AWS Premium Support plan such as Business or Enterprise.

01 Run the describe-trusted-advisor-checks command (OSX/Linux/UNIX) using custom query filters to list the names of all Trusted Advisor checks currently available within your AWS account:

aws support describe-trusted-advisor-checks \
	--region us-east-1 \
	--language en \
	--output table \
	--query "checks[*].name"

02 The command output should return a table that contains the names of all existing checks:

--------------------------------
| DescribeTrustedAdvisorChecks |
+------------------------------+
| MFA on Root Account          |
| Exposed Access Keys          |
| ...                          |
| Amazon EBS Public Snapshots  |
+------------------------------+

03 Run the describe-trusted-advisor-checks command (OSX/Linux/UNIX) using custom query filters to get the unique ID of the "MFA on Root Account" security check, available for the selected region:

aws support describe-trusted-advisor-checks \
	--region us-east-1 \
	--language en \
	--query "checks[?name=='MFA on Root Account'].id"

04 The command output should return the requested AWS Trusted Advisor check ID:

7DAFEmoDos

05 Run the refresh-trusted-advisor-check command (OSX/Linux/UNIX) using the check ID returned at the previous step as identifier to request a refresh of the selected Trusted Advisor check (the command does not produce an output):

aws support refresh-trusted-advisor-check \
	--region us-east-1 \
	--check-id 7DAFEmoDos

06 Now run the describe-trusted-advisor-check-refresh-statuses command (OSX/Linux/UNIX) using custom query filters and the same check ID as identifier to return the refresh request status of the selected AWS Trusted Advisor check (note that this command accepts one or more IDs through the --check-ids parameter):

aws support describe-trusted-advisor-check-refresh-statuses \
	--region us-east-1 \
	--check-ids 7DAFEmoDos \
	--query 'statuses[*].status'

07 The command output should return the refresh request status for the selected check. If the refresh request is complete, the status returned should be "success", as shown in the output example below:

[
    "success"
]

08 Run the describe-trusted-advisor-check-result command (OSX/Linux/UNIX) to return the result (i.e. essential information about the check) for the selected Amazon Trusted Advisor check, identified by the ID "7DAFEmoDos":

aws support describe-trusted-advisor-check-result \
	--region us-east-1 \
	--language en \
	--check-id 7DAFEmoDos \
	--query 'result.flaggedResources[*].metadata'

09 The command output should return the requested check result metadata:

MFA on Root Account

AWS Account ID: 123456789012

Description: Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For increased security, we recommend that you protect your account by using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS console and associated websites.

Alert Criteria:
Red: MFA is not enabled on the root account.

Recommended Action:
Log in to your root account and activate an MFA device. See Checking MFA Status and Setting Up an MFA Device.

Additional Resources:
Using Multi-Factor Authentication (MFA) Devices with AWS.

Status: error.

Summary:
Total number of resources processed: 1
Number of resources flagged: 1
Number of suppressed resources: 0

10 Based on the information returned at the previous step (especially within the Alert Criteria and Recommended Action sections), you can analyze the selected check and create a plan to implement the recommended fix.

11 Repeat steps no. 3 – 10 to examine other Amazon Trusted Advisor checks available in the current region.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 3 – 11 to perform the audit process for other regions.
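The CLI audit steps above, wired together as one script (an added example, not Conformity's or AWS's code): `run` is any callable that executes `aws support <args>` and returns its parsed JSON; the default shells out to the AWS CLI (Business or Enterprise Support plan required), while the constructed responses embedded below, including the made-up check ID CONSTRUCTED1, let it run offline. Only unsuppressed flagged resources are counted, and a refresh status other than "success" marks the result as possibly stale.

```python
import json
import subprocess

COLOR = {"ok": "Green", "warning": "Yellow", "error": "Red"}  # Trusted Advisor alert colours

def run_aws_cli(args, region="us-east-1"):
    """Live backend: runs `aws support <args>`; the Trusted Advisor API is served from us-east-1."""
    out = subprocess.check_output(["aws", "support", *args, "--region", region, "--output", "json"])
    return json.loads(out) if out.strip() else {}

def audit_check(check_name, run=run_aws_cli):
    """Steps 03-10 of the CLI audit for one check, returning a verdict dict."""
    checks = run(["describe-trusted-advisor-checks", "--language", "en"])["checks"]
    ids = [c["id"] for c in checks if c["name"] == check_name]
    if not ids:
        raise LookupError(f"no Trusted Advisor check named {check_name!r}")
    check_id = ids[0]
    run(["refresh-trusted-advisor-check", "--check-id", check_id])
    statuses = run(["describe-trusted-advisor-check-refresh-statuses", "--check-ids", check_id])
    refresh = statuses["statuses"][0]["status"]  # none | enqueued | processing | success | abandoned
    result = run(["describe-trusted-advisor-check-result", "--check-id", check_id, "--language", "en"])["result"]
    # Suppressed resources were excluded on purpose; only the rest still need action.
    active = [r for r in result.get("flaggedResources", []) if not r.get("isSuppressed")]
    return {
        "check_id": check_id,
        "color": COLOR.get(result["status"], "Not available"),
        "flagged": [(r["region"], r["resourceId"]) for r in active],
        "stale": refresh != "success",  # result may predate the refresh you just requested
    }

# Constructed responses shaped like the real CLI output, so the audit runs offline.
FAKE_RESPONSES = {
    "describe-trusted-advisor-checks": {"checks": [
        {"id": "7DAFEmoDos", "name": "MFA on Root Account", "category": "security"},
        {"id": "CONSTRUCTED1", "name": "Exposed Access Keys", "category": "security"}]},
    "refresh-trusted-advisor-check": {},
    "describe-trusted-advisor-check-refresh-statuses": {"statuses": [
        {"checkId": "7DAFEmoDos", "status": "success", "millisUntilNextRefreshable": 3600000}]},
    "describe-trusted-advisor-check-result": {"result": {
        "checkId": "7DAFEmoDos", "status": "error",
        "flaggedResources": [{"status": "error", "region": "us-east-1", "resourceId": "root-account",
                              "isSuppressed": False, "metadata": ["Red", "MFA is not enabled"]}]}},
}

def fake_run(args, region="us-east-1"):
    return FAKE_RESPONSES[args[0]]

if __name__ == "__main__":
    print(json.dumps(audit_check("MFA on Root Account", run=fake_run), indent=2))
```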

Remediation / Resolution

To fix the issue(s) highlighted by the selected AWS Trusted Advisor check (i.e. enable Multi-Factor Authentication for the AWS root account), perform the following actions:

Note 1: As an example, this section uses Google Authenticator as the MFA device, since it is one of the most popular virtual MFA applications used by AWS customers. To use a hardware device to enable Multi-Factor Authentication (MFA) for your root account, see this conformity rule.
Note 2: Installing and activating an MFA device for the AWS root account via the Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using your root credentials.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Multi-Factor Authentication (MFA) accordion tab to expand the MFA management section.

04 In the MFA management section click the Activate MFA button to initiate the MFA device setup.

05 In the Manage MFA Device dialog box, select A virtual MFA device and click Next Step.

06 Install an AWS MFA-compatible application. The MFA application used in this example is Google Authenticator. This guide assumes that you already have the application installed on your smartphone at this point; otherwise, follow these simple steps: Install Google Authenticator. Once the application is installed, click Next Step.

07 Scan the QR code using the Google Authenticator application and enter two consecutive authentication passcodes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA to complete the MFA device setup process. If successful, the following message will be displayed: “The MFA device was successfully associated.” Click Finish to exit the setup wizard. The new MFA virtual device should be listed inside the Multi-Factor Authentication (MFA) section.

08 Repeat steps no. 1 – 7 for each AWS root account that you want to protect using an MFA device.

Publication date Feb 9, 2018