Welcome to our first official product update! Now that we are deep into our Beta testing we plan to publish these updates on a regular basis to keep you informed on all the latest product features and Ops. We’ve just finished our latest sprint which makes this a great time to dig in and talk about a bunch of features we have added over the past weeks and some exciting new Ops.
As VP of Product announcing new features is pretty much the best part of my job. Especially now that, after years of design and development, we have real customers improving their cloud deployments every day with DisruptOps.
And if you hadn’t heard, we are insanely excited to have been selected as finalist in the RSA Security Conference Innovation Sandbox. And while being a finalist is an accomplishment on its own, we have every intention of winning!
Core Product Features
Depending on when you started your Beta testing only some of these will look new but most have been added within the past few weeks:
- Inventory was massively enhanced with a separate display for Inventory items that includes key metadata in both tabular and JSON view. You can now dig in on Inventory items instead of having to bounce back to the AWS console to get the information you need. Clicking on an Inventory item also shows you all associated issues, resolved issues, and exemptions. If you don’t see some metadata in there you expect, definitely drop us a line.
- Group Issue management is now available. This allows you to select multiple Issues to take action on simultaneously. This will really speed up Issue management, even allowing you to quickly select every Issue generated by an Op at once.
- Inventory is linked within Issues! This is an ongoing project and right now we link the non-compliant item within the Issue so you can speed up your investigation and Issue handling. Don’t worry, we keep track of where you started so just click the Back indicator to return to the Issue from Inventory.
- You can add Ops and manage Issues right from the Policy page. Personally, this is now my preferred way of managing things since I scope my policies to just the accounts and Ops I’m working on for a particular context (like Op testing or securing our production account). And yes, I know my handwriting is terrible, my 9 year old doesn’t let me forget.
There are a lot of other small changes throughout the system but I think these are the most important ones that should help you get the most out of DisruptOps.
This is the most exciting part! We have significantly increased our pace of Op development and are adding multiple Ops a week. Please keep those Op suggestions coming via email or Slack.
- Manage High-Risk IAM Permissions: This is one of the most important security Ops in the system and the one I’m most excited to release. This Op assesses all of your IAM looking for combinations of permissions across policies that could lead to privilege escalation. It evaluates the entire set of policies associated with IAM Users, Groups, and Roles and even identifies potential privilege escalation due to elements in different policies when they are combined. You can fully quarantine the user/group/role or the Op can remove just one of the offending policy elements to reduce the risk while minimizing impact (Guardrails for the win). We definitely want feedback on this one as you implement it since the logic gets a little complex and we are always looking for new ways to improve it.
- Manage IAM Password Requirements: This Op checks your IAM password policy to see if it complies with the Center for Internet Security Benchmarks for AWS. Supported actions will update the policy to the recommended settings.
- Manage Root Account Security: AWS has some limitations on their APIs for the root account, since they only want you to manage those settings when logged in as root. This Op checks for the settings it can, but also allows you to create issues for manual checks (like setting the account’s security challenge questions) so you can still track those in DisruptOps for compliance.
- Manage VPC Flow Logs: Check all your VPCs to see if flow logs are both enabled and configured to send the logs to the proper location (which you set). If you don’t know where you want to keep them yet it will, but default, save to CloudWatch in the same region.
- Manage Unused Default VPCs: AWS creates a default VPC in every region you use, with a default Security Group that is typically more open than it should be. This Op finds and allows you to remove them. One of our Beta testers removed 17 all at once when getting their first product walk through which was pretty cool to watch in the user interface as they all cleared out in less than 30 seconds.
- Manage Internet Exposed Administrative Servers: We have been improving the logic on our network-focused Ops, and this and the Database Servers Ops are the first two that leverage the new capabilities.We now look for full public access (open to the world), limited access (open to some of the Internet but not everything) and potential misconfigurations (usually when you have public ports open on a security group to a resource that isn’t otherwise Internet accessible).
- New port picker integrated into networking Ops : This isn’t an Op itself but is a new user interface element on most of our network-related Ops that allows you to customize the ports used in assessments. Have an administrative server on port 8808? Use port 123456 for your databases? You can add them to the port list so you aren’t restricted to our defaults.
Like any software company we are always a little careful about promising future features, but some of these may be in production by the time you read this update:
- Comprehensive CloudTrail and Config management Ops to ensure your AWS monitoring is properly configured and aligned with the CIS benchmarks.
- Dynamic Op configuration item support. Want to set an organization-wide S3 bucket for all your CloudTrails? Store an approved list of Internet IP addresses for a particular project? Supported dynamic elements will not only appear as defaults when configuring new Ops, but you can change them and update all the relevant Ops.
- A nicer looking Op Template Library.
- Even more Inventory search bar improvements.
There is actually a lot more in the works, including a very significant enhancement to what Ops are capable of, but I don’t want to spoil it until we have more we can actually show you.