  • Industry: HR
  • Location: Europe
  • Company size: 10,000+ employees
  • Tech Stack: EC2, Route 53, S3, CloudWatch, VPC

Modis is a global leader delivering cross-industry IT and digital engineering expertise to accelerate innovation and digital transformation. It has many years of experience running End User Compute solutions in the AWS public cloud, including configuring, deploying, and maintaining fleets of AWS WorkSpaces and AppStream 2.0 deployed applications, ensuring cost effectiveness and compliance while maximizing the flexibility for staff to leverage high-speed compute and large data volumes.

The Challenge

Modis reached out to Zetta Systems to perform an IT security audit of the current state of their AWS infrastructure: to investigate, review, analyze and document all findings, and to provide recommendations based on the security best practices of Amazon Web Services.

An IT security audit is an evaluation of an organization’s current level of security. The audit helps identify potential vulnerabilities in a number of areas, including technical and administrative vulnerabilities. Each audit concludes with a summary of findings. These summaries usually include a list of potential weak points in security, along with recommendations for how to address them.

Benefits of IT security audit

There are several benefits of getting an IT security audit:

Uncover potential vulnerabilities

The obvious benefit here is that a security audit can help find a security vulnerability before it’s too late. For example, if there’s a critical weakness in one of your platforms that can easily be exploited, it can be identified and patched before any hackers find out about it.

Ensure regulatory compliance

Depending on the nature of the business, it may be legally required to follow certain standards for data privacy and security. A security audit will ensure a business remains in compliance.

Learn more about new technologies and processes

If the business is experimenting with new technologies and processes, this is the perfect chance to learn more about them. It’s possible to put them to the test in a safe environment before taking them live.

Reduce costs

While IT security audits cost money upfront, they tend to save the business money in the long run, since they prevent potential hacks and breaches.

Discovery and Analysis

Each security audit focuses on collecting the necessary data, which is then analyzed and compared against industry security best practices. All findings are carefully studied, and any vulnerabilities and security risks found are categorized. Recommendations and risk mitigation steps are then presented to the stakeholders.

We started by interviewing the stakeholders and defining the scope and the deliverables. Once we had agreed on the deliverables, we analyzed three main areas:

  • Identity and Access Management (AWS organization, IAM users, groups, and roles, AWS account credentials, AWS and IAM policies, IAM providers for SAML and OpenID Connect (OIDC))
  • Resources (JSON access lists per machine and group, network configuration and resources (log files), Amazon security configuration)
  • Cost Management (Current usage / consumption per AWS ID)

This audit gives you an opportunity to remove unneeded IAM users, roles, groups, and policies, and to make sure that your users and software have only the permissions that are required. The audit covered the following aspects:

  • Review of AWS account credentials, IAM users, IAM groups, IAM roles, IAM providers for SAML and OpenID Connect (OIDC), Amazon EC2 security configuration, AWS policies in other services, activity in AWS accounts, and IAM policies
  • AWS usage, cost analysis and recommendations

Following the guidelines for systematically reviewing and monitoring AWS resources for security best practices, we provided recommendations for the following situations:

  • If there are changes in your organization, such as people leaving.
  • If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
  • If you’ve added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
  • If you ever suspect that an unauthorized person might have accessed your account.

Result

We created a general map of the Modis AWS organization, showing the hierarchy of its OUs and accounts.

After analyzing the following segments: OU structure, AWS account list, management/member accounts, integrated services and features, service list, CloudTrail, Security Hub, Tag and Service Control Policies, we provided recommendations for each segment. Furthermore, we provided recommendations for Compute, Network (EC2 and S3, Amazon S3 server-side encryption options) and Backup and DR, based on AWS Backup recommendations.

We collected all the required information per AWS ID and resource type. This information was used to prepare a proper analysis of the security aspects of each individual resource and its dependencies. Our team carefully structured the gathered data, focusing on access lists, network configuration, log files, separate resources, and security configuration.