What is Security Monkey?

Security Monkey is an OpenSource application from Netflix which monitors, alerts and reports one or multiple AWS accounts for anomalies. Security Monkey can run on an Amazon EC2 (AWS) instance, Google Cloud Platform (GCP) instance (Google Cloud Platform), or OpenStack (public or private cloud) instance. While Security Monkey’s main purpose is security, it also proves a useful tool for tracking down potential problems as it is essentially a change tracking system.

How to set up Security Monkey?

Set up your IAM roles

At first, we are going to create two IAM roles namely SecurityMonkeyInstaceProfile and SecurityMonkey. Before creating these roles we need to create our own custom policies for them. Navigate to your IAM console and on the left pane click on Policies. Choose to Create a Policy and select the JSON tab.

Paste the following JSON code in the given area:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendEmail"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}

 

After that name the policy SecurityMonkeyLaunchPerms. Similar to this create a new policy named SecurityMonkeyReadOnly with the following JSON code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "iam:List*",
                "iam:Get*",
                "route53:Get*",
                "route53:List*",
                "rds:Describe*",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketVersioning",
                "s3:GetLifecycleConfiguration",
                "s3:ListAllMyBuckets",
                "sdb:GetAttributes",
                "sdb:List*",
                "sdb:Select*",
                "ses:Get*",
                "ses:List*",
                "sns:Get*",
                "sns:List*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

 

Now we are ready with our policies and we can proceed to our role creation. Navigate to your IAM console again and select Roles from the left pane. Click on Create Role and on the next page select EC2 as the service. In the next page add your previously created Policy SecurityMonkeyLaunchPerms to the role and on the last page, name your role SecurityMonkeyInstaceProfile and proceed with the role creation. Repeat the same steps to create another role and attach the Policy SecurityMonkeyReadOnly this time. Name this role SecurityMonkey and proceed with role creation.

After completing the above successfully, go to your newly created Role SecurityMonkey and navigate to the Trust relationships tab and add the following JSON code:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<YOUR ACCOUNTID GOES HERE>:role/SecurityMonkeyInstanceProfile"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

 

NOTE: You will have to add your own account id in the above code.

Your SecurityMonkey role should now look something like this:

Creating an EC2 Instance

For creating an EC2 instance navigate to your EC2 console and select Launch Instance.

Select an AMI or Amazon Machine Instance in the next page. Do not click on Review and Launch as we have to add our Instance that we had previously created.

Navigate to the Configure Instance tab and under “IAM Role”, select SecurityMonkeyInstanceProfile.

You may now launch the new instance. Please take note of the “Public DNS” entry. We will need that later when configuring security monkey.

You will be asked to create a key before launching the instance. This key will be required to connect to the instance and is generated only ONCE. Hence, it needs to be kept properly and further, you will be asked to change the permissions of the key file so that the access can be restricted. After that ssh can be used as shown below to connect to your EC2 instance.

Installing Pre-requisites

Now we have a fresh install of Ubuntu as an EC2 instance.

Next, we need to create the logging folders:

sudo mkdir /var/log/security_monkey
sudo mkdir /var/www
sudo chown -R `whoami`:www-data /var/log/security_monkey/
sudo chown www-data /var/www

Following that, install the required tools that are essential for running the application:

sudo apt-get update
sudo apt-get -y install python-pip python-dev python-psycopg2 postgresql postgresql-contrib libpq-dev nginx supervisor git libffi-dev gcc python-virtualenv redis-server

Setting up local Postgres

For actual use, an Amazon RDS or similar database instance is recommended but however, for this demo we are going to set up a local database. We are going to use password ‘securitymonkeypassword’ throughout this demonstration.

sudo apt-get install postgresql postgresql-contrib
#Configuring the Database
sudo -u postgres psql 
CREATE DATABASE "secmonkey"; 
CREATE ROLE "securitymonkeyuser" LOGIN PASSWORD 'securitymonkeypassword'; 
CREATE SCHEMA secmonkey; 
GRANT Usage, Create ON SCHEMA "secmonkey" TO "securitymonkeyuser"; 
set timezone TO 'GMT'; 
select now(); 
\q

 

Cloning into the repository

Now you’ll need to clone the repository from Github. The following commands will help to do that:

cd /usr/local/src
sudo git clone --depth 1 --branch develop https://github.com/Netflix/security_monkey.git
sudo chown -R `whoami`:www-data /usr/local/src/security_monkey
cd security_monkey
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
virtualenv venv
source venv/bin/activate
pip install --upgrade setuptools
pip install --upgrade pip
pip install --upgrade urllib3[secure]  
python setup.py develop

A virtual environment ‘venv’ has been created. This virtual environment must be used for executing all the commands of the Security Monkey.

We can start that virtual env anytime by using this command

cd /usr/local/src/security_monkey
source venv/bin/activate

As we know that Security Monkey requires a web interface, you’ll have to compile the web app from the Dart code.or just download the compiled code from here. Downloading the latest compiled code is recommended(personal experience!)

We will be downloading the static.tar.zip file from the above URL

Use the following command to download the compiled code tar file

curl -L https://github.com/Netflix/security_monkey/releases/download/1.1.3/static.tar.gz > static.tar.gz tar -xvzf static.tar.gz

Now the contents of the UI are extracted into the static folder.
OR you can do the following to compile the UI code yourself
# Get the Google Linux package signing key.
$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

# Set up the location of the stable repository.
cd ~
curl https://storage.googleapis.com/download.dartlang.org/linux/debian/dart_stable.list > dart_stable.list
sudo mv dart_stable.list /etc/apt/sources.list.d/dart_stable.list
sudo apt-get update
sudo apt-get install -y dart

# Build the Web UI
cd /usr/local/src/security_monkey/dart
/usr/lib/dart/bin/pub get
/usr/lib/dart/bin/pub build

# Copy the compiled Web UI to the appropriate destination
sudo mkdir -p /usr/local/src/security_monkey/security_monkey/static/
sudo /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/
sudo chgrp -R www-data /usr/local/src/security_monkey
Configure the Application

Security Monkey already comes with a config file that supports this guide called config.py. You can override this behavior by setting the SECURITY_MONKEY_SETTINGS environment variable.

You need to modify:env-config/config.py and update the following values

  • FQDN: Add the IP or DNS entry of your instance.
  • SQLALCHEMY_DATABASE_URI: This config assumes that you are using the local db option. If you setup AWS RDS or GCP Cloud SQL as your database, you will need to modify the SQLALCHEMY_DATABASE_URI to point to your DB.
  • SECRET_KEY: Something random.
  • SECURITY_PASSWORD_SALT: Something random.

Type the following command to edit the config.py

sudo vim env-config/config.py

Leave all the other values as default. Just add the instance’s public DNS and some random secret text into the config file and save it using ‘:wq’

Create the database tables

Now we need to populate the database with security monkey tables. Security Monkey uses Flask-Migrate (Alembic) to keep database tables up to date. To create the tables, run this command:

cd /usr/local/src/security_monkey/
monkey db upgrade

After the tables are set up, we are almost done with the installation and setup.

Adding AWS accounts to Security Monkey

Security Monkey has the ability to check which accounts are accessing your resources. This is helpful to detect if there is unknown cross-account access. In some cases, your items will be configured to permit Amazon-owned accounts that provide specific AWS services, such as ELB access logging. Security Monkey is equipped with a command to automatically add these accounts to the database, which will prevent Security Monkey from raising an “unknown cross-account access” issue on a given item.

Use the following command to execute this function

monkey amazon_accounts
Creating a user account on Security Monkey

We will have to create our first account on Security Monkey before we start using the application. Use the following command to create one

monkey create_user "setu" "Admin"
> Password:
> Confirm Password:

the ‘create_user’ function takes 2 parameters, one is the user id followed by the role. [View, Comment, Justify, Admin]

Creating SSL certificate

We will need to generate an SSL certificate for the application before running the server. Use the following commands

cd ~
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: xxxxxxx

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Now the ssl keys and certificates are ready and stored in the ssl directory

Setting up Nginx

This is the final step in running the Security Monkey application. Use the following commands to setup the Nginx configuration

sudo cp /usr/local/src/security_monkey/nginx/security_monkey.conf /etc/nginx/sites-available/security_monkey.conf
sudo ln -s /etc/nginx/sites-available/security_monkey.conf /etc/nginx/sites-enabled/security_monkey.conf
sudo rm /etc/nginx/sites-enabled/default
sudo service nginx restart

The nginx should restart without any issues. If there are issues with the certificate, please trying creating a certificate and keys without using a blank passphrase.

After restarting the Nginx, we have to start the Security Monkey API server using the following commands

cd /usr/local/src/security_monkey 
source venv/bin/activate
monkey run_api_server

YES!!! That’s all that needs to be done. We have our Security Monkey up and running. Access the Security monkey by using the public DNS of the instance from the host browser.

You can login into the Security Monkey web app using the user account created earlier. After logging in you will be presented with a UI like the one below

Conclusion

You can refer the user guide posted here to perform other functions on the Security Monkey. Security Monkey provides a lot of services and reporting functionalities that can be leveraged to monitor and manage AWS accounts.

Thank you for reading! – Setu Parimi, Steve George & Indranil Roy

Sign up for the blog directly here.

Check out our professional services here.

Feedback is welcome! For professional services, fan mail, hate mail, or whatever else, contact [email protected]

 


0 Comments

Leave a Reply

%d bloggers like this: