Preparing for more advanced auditing

So far we have been leveraging native graphical user interface (GUI) tools to perform audits. To prepare for more advanced auditing, the IT auditor should familiarize themselves with the command-line interface (CLI). A GUI permits users to interact with the cloud platform using graphical features such as icons, windows, and menus. In contrast, a CLI allows users to interact with the system via commands. A CLI gives the IT auditor more autonomy to write custom scripts that could be used to automate processes.

Let’s start by looking at the AWS CLI.

Note

Instructions on getting started and installing the AWS CLI can be found at https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html.

Once you have the AWS CLI installed, you will need to configure the basic settings that the AWS CLI uses to interact with AWS. These include security credentials, Default region name, and Default output format, as shown in Figure 6.45:

Figure 6.45 – The AWS CLI configuration settings to interact with AWS

Now that we have the AWS CLI configured, we can run simple commands to perform audit actions. I will demonstrate two commands that an IT auditor can leverage. To list the users within AWS IAM, we type in the following command:

aws iam list-users

Note that UserId, CreateDate, and PasswordLastUsed are displayed, as shown in Figure 6.46:

Figure 6.46 – AWS list users in IAM
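
The custom-script automation mentioned at the start of this section, as an added example that is not from the original text: a Python check over the JSON printed by aws iam list-users --output json that flags users whose PasswordLastUsed is old or missing. The sample output, the 90-day threshold, and the function names are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws iam list-users --output json`; not real account data.
SAMPLE_OUTPUT = """
{"Users": [
  {"UserName": "alice", "UserId": "AIDAEXAMPLEALICE00001",
   "Arn": "arn:aws:iam::111122223333:user/alice",
   "CreateDate": "2021-03-02T09:15:00+00:00",
   "PasswordLastUsed": "2024-05-28T14:02:11+00:00"},
  {"UserName": "bob", "UserId": "AIDAEXAMPLEBOB0000002",
   "Arn": "arn:aws:iam::111122223333:user/bob",
   "CreateDate": "2020-07-19T11:40:00Z",
   "PasswordLastUsed": "2023-11-01T00:00:00Z"},
  {"UserName": "carol", "UserId": "AIDAEXAMPLECAROL00003",
   "Arn": "arn:aws:iam::111122223333:user/carol",
   "CreateDate": "2022-01-10T16:05:00+00:00"}
]}
"""

def parse_ts(value):
    """Parse the ISO 8601 timestamps the CLI prints (accepts a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_console_users(list_users_json, as_of, max_age_days=90):
    """Return (UserName, finding) pairs an auditor should follow up on."""
    findings = []
    for user in json.loads(list_users_json).get("Users", []):
        last_used = user.get("PasswordLastUsed")
        if last_used is None:
            # The field is omitted when the user has no password or has never used it.
            findings.append((user["UserName"], "no console sign-in recorded"))
            continue
        idle = as_of - parse_ts(last_used)
        if idle > timedelta(days=max_age_days):
            findings.append((user["UserName"], f"password unused for {idle.days} days"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    for name, finding in stale_console_users(SAMPLE_OUTPUT, as_of):
        print(f"{name}: {finding}")
```

A missing PasswordLastUsed does not by itself mean the account is unused, since the user may authenticate with access keys only, so treat that finding as a prompt for follow-up rather than a conclusion.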

As another example, if you need to know which security groups are associated with AWS VPCs, you can type the following command:

aws ec2 describe-security-groups

This is shown in Figure 6.47:

Figure 6.47 – AWS describe-security-groups

VPC security groups and their respective attributes are shown in Figure 6.48:

Figure 6.48 – AWS security groups and their attributes

In Chapter 4, Network, Infrastructure, and Security Controls, we stated that all AWS accounts come with a default VPC. A default VPC comes with a public subnet. As an IT auditor, it is important to ensure that sensitive company data is not placed in a public subnet.

AWS has a command library that can be found at https://awscli.amazonaws.com/v2/documentation/api/latest/index.html. In addition, you can type in aws help on the AWS CLI for information about a specific command.

Next, we will look at the Azure CLI.

Note

Instructions on getting started and installing the Azure CLI can be found at https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli.

Once you have the Azure CLI set up, you need to log in to Azure:

Figure 6.49 – Logging in to Azure

I will demonstrate two commands an IT auditor can leverage to perform an audit. To list all the resources we have, use the following command:

az resource list

Figure 6.50 – The resource list

To get a list of IP addresses associated with a VM, we can use the following command:

az vm list-ip-addresses

Figure 6.51 – Listing IP addresses associated with a VM

The full Azure CLI command reference can be found at https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest. In addition, you can type in az help on the Azure CLI for information on a specific command.

Next, we will look at the Google Cloud CLI.

Note

Instructions on getting started and installing the Google Cloud CLI can be found at https://cloud.google.com/sdk/docs/install.

Once you have installed the CLI, you need to authenticate using Google credentials:

Figure 6.52 – Authentication

I will demonstrate two commands an IT auditor can leverage to perform an audit. To list all credential accounts, type the following command:

gcloud auth list

Figure 6.53 – Listing credential accounts

To list your project’s logs, type the following command:

gcloud logging logs list

Figure 6.54 – Listing logs

The Google Cloud CLI cheat sheet can be found at https://cloud.google.com/sdk/docs/cheatsheet. In addition, you can type in the following command on the Google Cloud CLI for information on a specific command:

gcloud help

In this section, we’ve reviewed how to leverage the CLI for more advanced auditing. All the tools we have talked about in this chapter are native cloud tools.

It is important to acknowledge there are open source tools that can assist IT auditors in advanced auditing. One such tool is Cloud Custodian. Cloud Custodian is an open source tool developed by Capital One for implementing automated security, compliance, and governance. IT auditors can use Cloud Custodian to monitor cloud environments, as it generates a set of outputs for any given security policy. In the next section, we will briefly touch on other cloud platforms on the market.