Create a report of Network Access Analyzer findings for inbound internet access in multiple AWS accounts - AWS Prescriptive Guidance


Created by Mike Virgilio (AWS)

Code repository: Network Access Analyzer Multi-Account Analysis

Environment: Production

Technologies: Networking; Security, identity, compliance

AWS services: AWS CloudFormation; Amazon S3; Amazon VPC; AWS Security Hub

Summary

Unintentional inbound internet access to AWS resources can pose risks to an organization’s data perimeter. Network Access Analyzer is an Amazon Virtual Private Cloud (Amazon VPC) feature that helps you identify unintended network access to your resources on Amazon Web Services (AWS). You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. You can use Network Access Analyzer to do the following:

  1. Identify AWS resources that are accessible to the internet through internet gateways.

  2. Validate that your virtual private clouds (VPCs) are appropriately segmented, such as isolating production and development environments and separating transactional workloads.

Network Access Analyzer analyzes end-to-end network reachability conditions and not just a single component. To determine whether a resource is internet accessible, Network Access Analyzer evaluates the internet gateway, VPC route tables, network access control lists (ACLs), public IP addresses on elastic network interfaces, and security groups. If any of these components prevents internet access, Network Access Analyzer doesn’t generate a finding. For example, if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an open security group that allows traffic from 0.0.0.0/0 but the instance is in a private subnet that isn’t routable from any internet gateway, then Network Access Analyzer wouldn’t generate a finding. This provides high-fidelity results so that you can identify resources that are truly accessible from the internet.

When you run Network Access Analyzer, you use Network Access Scopes to specify your network access requirements. This solution identifies network paths between an internet gateway and an elastic network interface. In this pattern, you deploy the solution in a centralized AWS account in your organization, managed by AWS Organizations, and it analyzes all of the accounts, in any AWS Region, in the organization.
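The pattern never shows what the "internet gateway to elastic network interface" scope actually looks like, so the following is an added example (not code from the pattern or its repository) of the request body for the EC2 CreateNetworkInsightsAccessScope API and of the tag-based lookup a script needs before reusing a scope rather than creating a duplicate on every run. The tag key "Name", the sample scope list, and the assumption that the script tags the scope with the ScopeNameValue parameter are assumptions made here.

```python
# Added example, not the pattern's own code. Builds the access scope definition for
# "paths from any internet gateway to any elastic network interface" and looks up an
# existing scope by tag so repeated runs reuse it instead of creating duplicates.
INTERNET_GATEWAY = "AWS::EC2::InternetGateway"
NETWORK_INTERFACE = "AWS::EC2::NetworkInterface"

# Constructed sample of the NetworkInsightsAccessScopes list that
# DescribeNetworkInsightsAccessScopes returns (ids and tags are made up).
SAMPLE_SCOPES = [
    {"NetworkInsightsAccessScopeId": "nis-0aaaa1111bbbb2222", "Tags": [{"Key": "Name", "Value": "other-scope"}]},
    {"NetworkInsightsAccessScopeId": "nis-0cccc3333dddd4444", "Tags": [{"Key": "Name", "Value": "naa-internet-ingress"}]},
    {"NetworkInsightsAccessScopeId": "nis-0eeee5555ffff6666", "Tags": []},
]


def build_internet_ingress_scope(scope_name, tag_key="Name"):
    """Return keyword arguments for ec2.create_network_insights_access_scope().

    MatchPaths / Source / Destination / ResourceStatement / ResourceTypes and
    TagSpecifications are the real API parameter names; the tag key is an assumption.
    """
    return {
        "MatchPaths": [
            {
                "Source": {"ResourceStatement": {"ResourceTypes": [INTERNET_GATEWAY]}},
                "Destination": {"ResourceStatement": {"ResourceTypes": [NETWORK_INTERFACE]}},
            }
        ],
        "TagSpecifications": [
            {
                "ResourceType": "network-insights-access-scope",
                "Tags": [{"Key": tag_key, "Value": scope_name}],
            }
        ],
    }


def find_scope_id_by_tag(scopes, scope_name, tag_key="Name"):
    """Return the scope id carrying tag_key=scope_name, or None if there is none.

    More than one match is an error: analysing the wrong scope silently would
    produce a report that looks complete but covers the wrong paths.
    """
    matches = [
        scope["NetworkInsightsAccessScopeId"]
        for scope in scopes
        if any(t.get("Key") == tag_key and t.get("Value") == scope_name for t in scope.get("Tags", []))
    ]
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} scopes carry {tag_key}={scope_name}; expected at most one")
    return matches[0] if matches else None


def scope_for_run(scopes, scope_name):
    """Mirror the script's 'Detecting Network Analyzer scope' step: reuse an existing
    scope id, otherwise return the definition that would be created."""
    existing = find_scope_id_by_tag(scopes, scope_name)
    if existing:
        return {"action": "reuse", "scope_id": existing}
    return {"action": "create", "request": build_internet_ingress_scope(scope_name)}
```

With boto3 the "create" branch is `ec2.create_network_insights_access_scope(**result["request"])` and the "reuse" branch goes straight to `start_network_insights_access_scope_analysis`; both calls are omitted here so the block runs offline.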

This solution was designed with the following in mind:

  • The AWS CloudFormation templates reduce the effort required to deploy the AWS resources in this pattern.

  • You can adjust the parameters in the CloudFormation templates and naa-script.sh script at the time of deployment to customize them for your environment.

  • Bash scripting automatically provisions and analyzes the Network Access Scopes for multiple accounts, in parallel.

  • A Python script processes the findings, extracts the data, and then consolidates the results. You can choose to review the consolidated report of Network Access Analyzer findings in CSV format or in AWS Security Hub. An example of the CSV report is available in the Additional information section of this pattern.

  • You can remediate findings, or you can exclude them from future analyses by adding them to the naa-exclusions.csv file.

Prerequisites and limitations

Prerequisites

  • An AWS account for hosting security services and tools, managed as a member account of an organization in AWS Organizations. In this pattern, this account is referred to as the security account.

  • In the security account, you must have a private subnet with outbound internet access. For instructions, see Create a subnet in the Amazon VPC documentation. You can establish internet access by using a NAT gateway or an interface VPC endpoint.

  • Access to the AWS Organizations management account or an account that has delegated administrator permissions for CloudFormation. For instructions, see Register a delegated administrator in the CloudFormation documentation.

  • Enable trusted access between AWS Organizations and CloudFormation. For instructions, see Enable trusted access with AWS Organizations in the CloudFormation documentation.

  • If you’re uploading the findings to Security Hub, Security Hub must be enabled in the account and AWS Region where the EC2 instance is provisioned. For more information, see Setting up AWS Security Hub.

Limitations

  • Cross-account network paths are not currently analyzed due to limitations of the Network Access Analyzer feature.

  • The target AWS accounts must be managed as an organization in AWS Organizations. If you are not using AWS Organizations, you can update the naa-execrole.yaml CloudFormation template and the naa-script.sh script for your environment. Instead, you provide a list of AWS account IDs and Regions where you want to run the script.

  • The CloudFormation template is designed to deploy the EC2 instance in a private subnet that has outbound internet access. The AWS Systems Manager Agent (SSM Agent) requires outbound access to reach the Systems Manager service endpoint, and you need outbound access to clone the code repository and install dependencies. If you want to use a public subnet, you must modify the naa-resources.yaml template to associate an Elastic IP address with the EC2 instance.

Architecture

Target technology stack

  • Network Access Analyzer

  • Amazon EC2 instance

  • AWS Identity and Access Management (IAM) roles

  • Amazon Simple Storage Service (Amazon S3) bucket

  • Amazon Simple Notification Service (Amazon SNS) topic

  • AWS Security Hub (Option 2 only)

Target architecture

Option 1: Access findings in an Amazon S3 bucket

Architecture diagram of accessing the Network Access Analyzer findings report in an Amazon S3 bucket

The diagram shows the following process:

  1. If you’re manually running the solution, the user authenticates to the EC2 instance by using Session Manager and then runs the naa-script.sh script. This shell script performs steps 2–7.

    If you’re automatically running the solution, the naa-script.sh script starts automatically on the schedule you defined in the cron expression. This shell script performs steps 2–7. For more information, see Automation and scale at the end of this section.

  2. The EC2 instance downloads the latest naa-exclusions.csv file from the S3 bucket. This file is used later in the process when the Python script processes the exclusions.

  3. The EC2 instance assumes the NAAEC2Role IAM role, which grants permissions to access the S3 bucket and to assume the NAAExecRole IAM roles in the other accounts in the organization.

  4. The EC2 instance assumes the NAAExecRole IAM role in the organization’s management account and generates a list of the accounts in the organization.

  5. The EC2 instance assumes the NAAExecRole IAM role in the organization’s member accounts (called workload accounts in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the EC2 instance.

  6. The EC2 instance uses a Python script to process the JSON files, extract the data fields, and create a CSV report.

  7. The EC2 instance uploads the CSV file to the S3 bucket.

  8. An Amazon EventBridge rule detects the file upload and uses an Amazon SNS topic to send an email that notifies the user that the report is complete.

  9. The user downloads the CSV file from the S3 bucket. The user imports the results into the Excel template and reviews the results.

Option 2: Access findings in AWS Security Hub

Architecture diagram of accessing the Network Access Analyzer findings through AWS Security Hub

The diagram shows the following process:

  1. If you’re manually running the solution, the user authenticates to the EC2 instance by using Session Manager and then runs the naa-script.sh script. This shell script performs steps 2–7.

    If you’re automatically running the solution, the naa-script.sh script starts automatically on the schedule you defined in the cron expression. This shell script performs steps 2–7. For more information, see Automation and scale at the end of this section.

  2. The EC2 instance downloads the latest naa-exclusions.csv file from the S3 bucket. This file is used later in the process when the Python script processes the exclusions.

  3. The EC2 instance assumes the NAAEC2Role IAM role, which grants permissions to access the S3 bucket and to assume the NAAExecRole IAM roles in the other accounts in the organization.

  4. The EC2 instance assumes the NAAExecRole IAM role in the organization’s management account and generates a list of the accounts in the organization.

  5. The EC2 instance assumes the NAAExecRole IAM role in the organization’s member accounts (called workload accounts in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the EC2 instance.

  6. The EC2 instance uses a Python script to process the JSON files and extract the data fields for import into Security Hub.

  7. The EC2 instance imports the Network Access Analyzer findings to Security Hub.

  8. An Amazon EventBridge rule detects the import and uses an Amazon SNS topic to send an email that notifies the user that the process is complete.

  9. The user views the findings in Security Hub.
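Steps 6 and 7 of Option 2 turn each Network Access Analyzer path into a Security Hub finding. The following is an added example (not the repository's naa-processfindings.py) of what that conversion must produce: an AWS Security Finding Format (ASFF) record with the fields BatchImportFindings requires, a deterministic Id so that re-running the analysis updates the existing finding rather than creating a duplicate, and batching at the 100-findings-per-call limit of BatchImportFindings. The flattened finding shape, the GeneratorId string, the finding type string, and the severity heuristic are assumptions made here.

```python
import hashlib
from datetime import datetime, timezone

# Added example, not the pattern's own code. Converts a flattened Network Access
# Analyzer finding into an ASFF record ready for securityhub.batch_import_findings().
ASFF_SCHEMA = "2018-10-08"
GENERATOR_ID = "network-access-analyzer-multi-account"  # assumed generator name
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed finding in the flattened shape assumed here; the real script derives
# these values from the analysis JSON written by Network Access Analyzer.
SAMPLE_FINDING = {
    "resource_id": "eni-1111aaaaa2222bbbb",
    "secgroup_id": "sg-3333ccccc4444dddd",
    "sgrule_cidr": "0.0.0.0/0",
    "sgrule_portrange": "80 to 80",
    "sgrule_protocol": "tcp",
}


def severity_for(finding):
    """Assumed heuristic: unrestricted source on all ports is HIGH, unrestricted source
    on a specific port range is MEDIUM, a narrower source CIDR is LOW."""
    unrestricted = finding["sgrule_cidr"] in ("0.0.0.0/0", "::/0")
    all_ports = finding["sgrule_portrange"].lower() in ("all", "0 to 65535", "-1")
    if unrestricted and all_ports:
        return "HIGH"
    if unrestricted:
        return "MEDIUM"
    return "LOW"


def naa_finding_to_asff(finding, account_id, region, now=None):
    """Build one ASFF record. Same input always yields the same Id, so a later import
    updates the Security Hub finding instead of adding a second copy of it."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")  # ASFF timestamps are ISO 8601 UTC
    key = "|".join([account_id, region] + [finding[k] for k in
                   ("resource_id", "secgroup_id", "sgrule_cidr", "sgrule_portrange", "sgrule_protocol")])
    digest = hashlib.sha256(key.encode()).hexdigest()[:32]
    eni_arn = f"arn:aws:ec2:{region}:{account_id}:network-interface/{finding['resource_id']}"
    return {
        "SchemaVersion": ASFF_SCHEMA,
        "Id": f"naa/{account_id}/{region}/{digest}",
        # The ".../product/<account>/default" ARN is the one custom integrations import with.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": GENERATOR_ID,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices/Network Reachability"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": severity_for(finding)},
        # Keeping this prefix is what makes the "Title starts with: Network Access Analyzer"
        # console filter mentioned later in the pattern return these findings.
        "Title": f"Network Access Analyzer: {finding['resource_id']} is reachable from an internet gateway",
        "Description": (
            f"Security group {finding['secgroup_id']} allows {finding['sgrule_protocol']} "
            f"{finding['sgrule_portrange']} from {finding['sgrule_cidr']}, and a network path from "
            f"an internet gateway reaches network interface {finding['resource_id']}."
        ),
        "Resources": [{"Type": "AwsEc2NetworkInterface", "Id": eni_arn, "Partition": "aws", "Region": region}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def batches(findings, size=BATCH_LIMIT):
    """Split a findings list into chunks no larger than the BatchImportFindings limit."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]
```

Each chunk from `batches()` is what you would pass as `Findings=` to `securityhub.batch_import_findings()`; check `FailedCount` in the response, because a single malformed record does not fail the whole batch.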

Automation and scale

You can schedule this solution to run the naa-script.sh script automatically on a custom schedule. To set a custom schedule, in the naa-resources.yaml CloudFormation template, modify the CronScheduleExpression parameter. For example, the default value of 0 0 * * 0 runs the solution at midnight on every Sunday. A value of 0 0 * 1-12 0 would run the solution at midnight on the first Sunday of every month. For more information about using cron expressions, see Cron and rate expressions in the Systems Manager documentation.

If you want to adjust the schedule after the NAA-Resources stack has been deployed, you can manually edit the cron schedule in /etc/cron.d/naa-schedule.

Tools

AWS services

  • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.

  • Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, such as AWS Lambda functions, HTTP invocation endpoints that use API destinations, or event buses in other AWS accounts.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • AWS Security Hub provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.

  • Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.

  • Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

  • AWS Systems Manager helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses Session Manager, a capability of Systems Manager.

Code repository

The code for this pattern is available in the GitHub Network Access Analyzer Multi-Account Analysis repository. The code repository contains the following files:

  • naa-script.sh – This bash script is used to start a Network Access Analyzer analysis of multiple AWS accounts, in parallel. As defined in the naa-resources.yaml CloudFormation template, this script is automatically deployed to the /usr/local/naa folder on the EC2 instance.

  • naa-resources.yaml – You use this CloudFormation template to create a stack in the security account in the organization. This template deploys all of the required resources for this account in order to support the solution. This stack must be deployed before the naa-execrole.yaml template.

    Note: If this stack is deleted and redeployed, you must rebuild the NAAExecRole stack set in order to rebuild the cross-account dependencies between the IAM roles.

  • naa-execrole.yaml – You use this CloudFormation template to create a stack set that deploys the NAAExecRole IAM role in all accounts in the organization, including the management account.

  • naa-processfindings.py – The naa-script.sh script automatically calls this Python script to process the Network Access Analyzer JSON outputs, exclude any known-good resources in the naa-exclusions.csv file, and then either generate a CSV file of the consolidated results or import the results into Security Hub.

Epics

Task | Description | Skills required

Clone the code repository.

  1. In a command-line interface, change your working directory to the location where you want to store the sample files.

  2. Enter the following command.

    git clone https://github.com/aws-samples/network-access-analyzer-multi-account-analysis.git

AWS DevOps

Review the templates.

  1. In the cloned repository, open the naa-resources.yaml and naa-execrole.yaml files.

  2. Review the resources created by these templates and adjust the templates as needed for your environment. For more information, see Working with templates in the CloudFormation documentation.

  3. Save and close the naa-resources.yaml and naa-execrole.yaml files.

AWS DevOps
Task | Description | Skills required

Provision resources in the security account.

Using the naa-resources.yaml template, you create a CloudFormation stack that deploys all of the required resources in the security account. For instructions, see Creating a stack in the CloudFormation documentation. Note the following when deploying this template:

  1. On the Specify template page, choose Template is ready, and then upload the naa-resources.yaml file.

  2. On the Specify stack details page, in the Stack name box, enter NAA-Resources.

  3. In the Parameters section, enter the following:

    • VPCId – Select a VPC in the account.

    • SubnetId – Select a private subnet that has internet access.

      Note: If you select a public subnet, the EC2 instance might not be assigned a public IP address because the CloudFormation template, by default, doesn’t provision and attach an Elastic IP address.

    • InstanceType – Leave the default instance type.

    • InstanceImageId – Leave the default.

    • KeyPairName – If you’re using SSH for access, specify the name of an existing key pair.

    • PermittedSSHInbound – If you’re using SSH for access, specify a permitted CIDR block. If you’re not using SSH, keep the default value of 127.0.0.1.

    • BucketName – The default value is naa-<accountID>-<region>. You can modify this as needed. If you specify a custom value, the account ID and Region are automatically appended to the specified value.

    • EmailAddress – Specify an email address for an Amazon SNS notification when the analysis is complete.

      Note: The Amazon SNS subscription configuration must be confirmed prior to completion of the analysis, or a notification will not be sent.

    • NAAEC2Role – Keep the default unless your naming conventions require a different name for this IAM role.

    • NAAExecRole – Keep the default unless another name will be used when deploying the naa-execrole.yaml file.

    • Parallelism – Specify the number of parallel assessments to perform.

    • Regions – Specify the AWS Regions you want to analyze.

    • ScopeNameValue – Specify the tag that will be assigned to the scope. This tag is used to determine the Network Access Scope.

    • ExclusionFile – Specify the exclusion file name. Entries in this file will be excluded from findings.

    • FindingsToCSV – Specify whether findings should be output to CSV. Accepted values are true and false.

    • FindingsToSecurityHub – Specify whether findings should be imported into Security Hub. Accepted values are true and false.

    • EmailNotificationsForSecurityHub – Specify whether importing findings into Security Hub should generate email notifications. Accepted values are true and false.

    • ScheduledAnalysis – If you want the solution to run automatically on a schedule, enter true, and then customize the schedule in the CronScheduleExpression parameter. If you do not want to run the solution automatically, enter false.

    • CronScheduleExpression – If you’re running the solution automatically, enter a cron expression to define the schedule. For more information, see Automation and scale in the Architecture section of this pattern.

  4. On the Review page, select The following resource(s) require capabilities: [AWS::IAM::Role], and then choose Create Stack.

  5. After the stack has been successfully created, in the CloudFormation console, on the Outputs tab, copy the NAAEC2Role Amazon Resource Name (ARN). You use this ARN later when deploying the naa-execrole.yaml file.

AWS DevOps

Provision the IAM role in the member accounts.

In the AWS Organizations management account or an account with delegated administrator permissions for CloudFormation, use the naa-execrole.yaml template to create a CloudFormation stack set. The stack set deploys the NAAExecRole IAM role in all member accounts in the organization. For instructions, see Create a stack set with service-managed permissions in the CloudFormation documentation. Note the following when deploying this template:

  1. Under Prepare template, choose Template is ready, and then upload the naa-execrole.yaml file.

  2. On the Specify StackSet details page, name the stack set NAA-ExecRole.

  3. In the Parameters section, enter the following:

    • AuthorizedARN – Enter the NAAEC2Role ARN, which you copied when you created the NAA-Resources stack.

    • NAARoleName – Keep the default value of NAAExecRole unless another name was used when deploying the naa-resources.yaml file.

  4. Under Permissions, choose Service-managed permissions.

  5. On the Set deployment options page, under Deployment targets, choose Deploy to organization and accept all defaults.

    Note: If you want the stacks deployed to all member accounts simultaneously, set Maximum concurrent accounts and Failure tolerance to a high value, such as 100.

  6. Under Deployment regions, choose the Region where the EC2 instance for Network Access Analyzer is deployed. Because IAM resources are global and not Regional, this deploys the IAM role in all active Regions.

  7. On the Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then choose Create StackSet.

  8. Monitor the Stack instances tab (for individual account status) and the Operations tab (for overall status) to determine when the deployment is complete.

AWS DevOps

Provision the IAM role in the management account.

Using the naa-execrole.yaml template, you create a CloudFormation stack that deploys the NAAExecRole IAM role in the management account of the organization. The stack set you created previously doesn’t deploy the IAM role in the management account. For instructions, see Creating a stack in the CloudFormation documentation. Note the following when deploying this template:

  1. On the Specify template page, choose Template is ready, and then upload the naa-execrole.yaml file.

  2. On the Specify stack details page, in the Stack name box, enter NAA-ExecRole.

  3. In the Parameters section, enter the following:

    • AuthorizedARN – Enter the NAAEC2Role ARN, which you copied when you created the NAA-Resources stack.

    • NAARoleName – Keep the default value of NAAExecRole unless another name was used when deploying the naa-resources.yaml file.

  4. On the Review page, select The following resource(s) require capabilities: [AWS::IAM::Role], and then choose Create Stack.

AWS DevOps
Task | Description | Skills required

Customize the shell script.

  1. Sign in to the security account in the organization.

  2. Using Session Manager, connect to the EC2 instance for Network Access Analyzer that you previously provisioned. For instructions, see Connect to your Linux instance using Session Manager. If you’re unable to connect, see the Troubleshooting section of this pattern.

  3. Enter the following commands to open the naa-script.sh file for editing.

    sudo -i
    cd /usr/local/naa
    vi naa-script.sh

  4. Review and modify the adjustable parameters and variables in this script as needed for your environment. For more information about customization options, see the comments at the beginning of the script.

    For example, instead of getting a list of all member accounts in the organization from the management account, you can modify the script to specify the AWS account IDs or AWS Regions that you want to scan, or you can reference an external file that contains these parameters.

  5. Save and close the naa-script.sh file.

AWS DevOps

Analyze the target accounts.

  1. Enter the following commands. This runs the naa-script.sh script.

    sudo -i
    cd /usr/local/naa
    screen ./naa-script.sh

    Note the following:

    • The screen command permits the script to continue running in the event that the connection times out or you lose console access.

    • After the scan starts, you can force a screen detach by pressing Ctrl+A D. The screen detaches, and you can close the instance connection while the analysis proceeds.

    • To resume a detached session, connect to the instance, enter sudo -i then enter screen -r.

  2. Monitor the output for any errors to make sure that the script is working properly. For a sample output, see the Additional information section of this pattern.

  3. Wait for the analysis to complete. If you configured email notifications, you receive an email when the results have been uploaded to the S3 bucket or imported into Security Hub.

AWS DevOps

Option 1 – Retrieve the results from the S3 bucket.

  1. Download the CSV file from the naa-<accountID>-<region> bucket. For instructions, see Downloading an object in the Amazon S3 documentation.

  2. Delete the CSV file from the S3 bucket. This is a best practice for cost optimization. For instructions, see Deleting objects in the Amazon S3 documentation.

AWS DevOps

Option 2 – Review the results in Security Hub.

  1. Open the Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Findings from the navigation pane.

  3. Review the Network Access Analyzer findings. For instructions, see Viewing finding lists and details in the Security Hub documentation.

    Note: You can search findings by adding a Title starts with filter and entering Network Access Analyzer.

AWS DevOps
Task | Description | Skills required

Remediate findings.

Remediate any findings that you want to address. For more information and best practices about how to create a perimeter around your AWS identities, resources, and networks, see Building a data perimeter on AWS (AWS Whitepaper).

AWS DevOps

Exclude resources with known-good network paths.

If Network Access Analyzer generates findings for resources that should be accessible from the internet, then you can add these resources to an exclusion list. The next time Network Access Analyzer runs, it won’t generate a finding for that resource.

  1. Navigate to /usr/local/naa, and then open the naa-script.sh script. Make note of the value of the S3_EXCLUSION_FILE variable.

  2. If the value of the S3_EXCLUSION_FILE variable is true, download the naa-exclusions.csv file from the naa-<accountID>-<region> bucket. For instructions, see Downloading an object in the Amazon S3 documentation.

    If the value of the S3_EXCLUSION_FILE variable is false, navigate to /usr/local/naa and then open the naa-exclusions.csv file.

    Note: If the value of the S3_EXCLUSION_FILE variable is false, the script uses a local version of the exclusions file. If you later change the value to true, then the script overwrites the local version with the file in the S3 bucket.

  3. In the naa-exclusions.csv file, enter the resources that you want to exclude. Enter one resource in each line, and use the following format.

    <resource_id>,<secgroup_id>,<sgrule_cidr>,<sgrule_portrange>,<sgrule_protocol>

    The following is an example resource.

    eni-1111aaaaa2222bbbb,sg-3333ccccc4444dddd,0.0.0.0/0,80 to 80,tcp

  4. Save and close the naa-exclusions.csv file.

  5. If you downloaded the naa-exclusions.csv file from the S3 bucket, upload the new version. For instructions, see Uploading objects in the Amazon S3 documentation.
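The exclusion file is the one control in this pattern that silently suppresses findings, so its parsing deserves to be strict. The following is an added example (not the repository's naa-processfindings.py) that parses naa-exclusions.csv in the five-field format given above, rejects malformed rows instead of guessing, drops findings whose full five-tuple matches an entry (so excluding port 80 on an ENI does not also hide port 22 on the same ENI), reports exclusion entries that no longer match anything, and writes the consolidated CSV report. The flattened finding dictionaries, the sample exclusion rows beyond the one the pattern shows, and the report column names are constructed for this example.

```python
import csv
import io

# Added example, not the pattern's own code. Strict exclusion handling and CSV
# consolidation for flattened Network Access Analyzer findings.
EXCLUSION_FIELDS = ("resource_id", "secgroup_id", "sgrule_cidr", "sgrule_portrange", "sgrule_protocol")
REPORT_COLUMNS = ("account_id", "region") + EXCLUSION_FIELDS  # assumed report layout

# Constructed naa-exclusions.csv content in the pattern's format:
# <resource_id>,<secgroup_id>,<sgrule_cidr>,<sgrule_portrange>,<sgrule_protocol>
SAMPLE_EXCLUSIONS = """\
# web tier, intentionally public (comment lines are an assumption of this example)
eni-1111aaaaa2222bbbb,sg-3333ccccc4444dddd,0.0.0.0/0,80 to 80,tcp
eni-1111aaaaa2222bbbb,sg-3333ccccc4444dddd,0.0.0.0/0,443 to 443,tcp
"""

# Constructed findings in the flattened shape assumed here; the real script derives
# them from the analysis JSON that Network Access Analyzer writes per account.
SAMPLE_FINDINGS = [
    {"account_id": "111111111111", "region": "us-east-1", "resource_id": "eni-1111aaaaa2222bbbb",
     "secgroup_id": "sg-3333ccccc4444dddd", "sgrule_cidr": "0.0.0.0/0", "sgrule_portrange": "80 to 80",
     "sgrule_protocol": "tcp"},
    {"account_id": "111111111111", "region": "us-east-1", "resource_id": "eni-1111aaaaa2222bbbb",
     "secgroup_id": "sg-3333ccccc4444dddd", "sgrule_cidr": "0.0.0.0/0", "sgrule_portrange": "22 to 22",
     "sgrule_protocol": "tcp"},
    {"account_id": "222222222222", "region": "eu-west-1", "resource_id": "eni-5555eeeee6666ffff",
     "secgroup_id": "sg-7777ggggg8888hhhh", "sgrule_cidr": "0.0.0.0/0", "sgrule_portrange": "3389 to 3389",
     "sgrule_protocol": "tcp"},
]


def load_exclusions(text):
    """Parse exclusion rows into a set of 5-tuples.

    A row with the wrong number of fields raises rather than being skipped: a typo in
    this file should fail the run, not quietly change which findings are reported.
    """
    keys = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        if len(row) != len(EXCLUSION_FIELDS):
            raise ValueError(f"naa-exclusions.csv line {lineno}: expected "
                             f"{len(EXCLUSION_FIELDS)} fields, got {len(row)}")
        keys.add(tuple(cell.strip() for cell in row))
    return keys


def exclusion_key(finding):
    """The five fields that must all match for an exclusion to apply."""
    return tuple(finding[field] for field in EXCLUSION_FIELDS)


def apply_exclusions(findings, exclusions):
    """Return (kept_findings, unused_exclusions).

    Unused entries usually mean the resource was remediated or deleted; surfacing
    them keeps the file from accumulating stale rows nobody re-validates.
    """
    used = set()
    kept = []
    for finding in findings:
        key = exclusion_key(finding)
        if key in exclusions:
            used.add(key)
        else:
            kept.append(finding)
    return kept, exclusions - used


def to_csv(findings):
    """Render the consolidated report with a fixed column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REPORT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for finding in findings:
        writer.writerow({col: finding[col] for col in REPORT_COLUMNS})
    return out.getvalue()


def process(findings, exclusions_text):
    """End-to-end: parse exclusions, filter, render. Returns (csv_text, unused_exclusions)."""
    kept, unused = apply_exclusions(findings, load_exclusions(exclusions_text))
    return to_csv(kept), unused
```

Because matching is on the full five-tuple, an entry for `80 to 80` never hides a later finding for `22 to 22` on the same interface, which is the behaviour you want from an allow-list of known-good paths.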

AWS DevOps
Task | Description | Skills required

Update the naa-script.sh script.

If you want to update the naa-script.sh script to the latest version in the repo, do the following:

  1. Connect to the EC2 instance by using Session Manager. For instructions, see Connect to your Linux instance using Session Manager.

  2. Enter the following command.

    sudo -i
  3. Navigate to the naa-script.sh script directory.

    cd /usr/local/naa
  4. Enter the following command to stash the local script so that you can merge custom changes into the newest version.

    git stash
  5. Enter the following command to get the latest version of the script.

    git pull
  6. Enter the following command to merge the custom script with the latest version of the script.

    git stash pop
AWS DevOps
Task | Description | Skills required

Delete all deployed resources.

You can leave the resources deployed in the accounts.

If you want to deprovision all resources, do the following:

  1. Delete the NAA-ExecRole stack provisioned in the management account. For instructions, see Deleting a stack in the CloudFormation documentation.

  2. Delete the NAA-ExecRole stack set provisioned in the organization’s management account or in the delegated administrator account. For instructions, see Delete a stack set in the CloudFormation documentation.

  3. Delete all objects in the naa-<accountID>-<region> S3 bucket. For instructions, see Deleting objects in the Amazon S3 documentation.

  4. Delete the NAA-Resources stack provisioned in the security account. For instructions, see Deleting a stack in the CloudFormation documentation.

AWS DevOps

Troubleshooting

Issue | Solution

Unable to connect to the EC2 instance by using Session Manager.

The SSM Agent must be able to communicate with the Systems Manager endpoint. Do the following:

  1. Validate that the subnet where the EC2 instance is deployed has outbound internet access.

  2. Reboot the EC2 instance.

When deploying the stack set, the CloudFormation console prompts you to Enable trusted access with AWS Organizations to use service-managed permissions.

This indicates that trusted access has not been enabled between AWS Organizations and CloudFormation. Trusted access is required to deploy the service-managed stack set. Choose the button to enable trusted access. For more information, see Enable trusted access in the CloudFormation documentation.

Related resources

Additional information

Example console output

The following sample shows the output of generating the list of target accounts and analyzing the target accounts.

[root@ip-10-10-43-82 naa]# ./naa-script.sh
download: s3://naa-<account ID>-us-east-1/naa-exclusions.csv to ./naa-exclusions.csv
AWS Management Account: <Management account ID>
AWS Accounts being processed...
<Account ID 1>
<Account ID 2>
<Account ID 3>
Assessing AWS Account: <Account ID 1>, using Role: NAAExecRole
Assessing AWS Account: <Account ID 2>, using Role: NAAExecRole
Assessing AWS Account: <Account ID 3>, using Role: NAAExecRole
Processing account: <Account ID 1> / Region: us-east-1
Account: <Account ID 1> / Region: us-east-1 – Detecting Network Analyzer scope...
Processing account: <Account ID 2> / Region: us-east-1
Account: <Account ID 2> / Region: us-east-1 – Detecting Network Analyzer scope...
Processing account: <Account ID 3> / Region: us-east-1
Account: <Account ID 3> / Region: us-east-1 – Detecting Network Analyzer scope...
Account: <Account ID 1> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 1> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour
Account: <Account ID 2> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 2> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour
Account: <Account ID 3> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 3> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour

CSV report examples

The following images are examples of the CSV output.

Example 1 of the CSV report generated by this solution.

Example 2 of the CSV report generated by this solution.