Creating cloud resources is as easy as a trip to the candy store. It takes only a few clicks for an organization to open an account with a public cloud provider, and not many more to stand up complex infrastructure for a distributed environment.
As time passes, "clutter" accumulates: unused or unwanted resources that nobody owns any more. This clutter is not limited to compute and storage; it also includes unused IAM roles, over-privileged policies, stale tags and similar leftovers. Cloud clutter results in:
- Wasteful cloud spending
- A larger attack surface, since every forgotten resource, unused role or over-broad policy is something an attacker can use and nobody is watching
I recently faced this challenge, and this post summarises my approach to cleaning the clutter out of an AWS environment. The sanitization effort gives more control over the resources actually in use, reduces the attack surface, improves the security posture and lowers operating costs. A summary of the approaches used to declutter the AWS environment follows.
Use Trusted Advisor's Cost Optimization checks to identify idle or underutilized resources.
The Cost Optimization category in AWS Trusted Advisor not only recommends cost-cutting measures but also lists unused or idle resources that can be deleted. It is a useful service and a good place to start the clean-up, but it is not a one-size-fits-all solution: the full set of checks requires a Business or Enterprise Support plan, and the utilization checks are limited to:
- Amazon RDS idle DB instances
- Idle load balancers
- Low-utilization Amazon EC2 instances
- Unassociated Elastic IP addresses
- Underutilized Amazon EBS volumes
AWS Security Hub Findings can help you identify unnecessary resources.
The primary goal of AWS Security Hub is to detect deviations from security best practices and to reduce mean time to resolution through automated response and remediation actions. Just as valuable for this exercise is its ability to aggregate security findings from AWS service integrations and partner products into one place.
The AWS integrations include Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Systems Manager Patch Manager, AWS Config and AWS Firewall Manager, so the findings cover a broad range of AWS resources, including IAM roles and policies.
Remediating every finding is time-consuming, but it builds a clear picture of the organization's resource posture. Along the way the remediation process surfaces unused SNS topics and SQS queues, secrets and KMS keys that nothing uses, over-provisioned policies, users with console access but no MFA, and so on.
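As an added example (not part of the original post), the following Python script audits an IAM credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` produces, for two of the identity findings mentioned above: console users without MFA and access keys that are active but never used or idle. The column names are the real credential-report columns; the report rows, the fictional account ID, the reference date and the 90-day idle threshold are constructed for illustration.

```python
"""Audit an IAM credential report for identities that add attack surface.

Added example, not from the original post. Column names follow the real
IAM credential report; the report rows below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90  # assumption: credentials unused this long are clutter

# The constructed report is dated relative to this point in time.
REFERENCE_NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample report (real column layout, fictional account 123456789012).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2024-01-03T08:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-02T10:00:00+00:00,true,2024-03-01T07:30:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,2023-12-01T00:00:00+00:00,2024-03-01T07:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-08-15T10:00:00+00:00,true,2022-11-20T07:30:00+00:00,2020-08-15T10:00:00+00:00,N/A,false,true,2020-08-15T10:00:00+00:00,N/A,N/A,N/A,true,2021-02-01T00:00:00+00:00,2023-01-10T12:00:00+00:00,eu-west-1,ec2
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-03T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-03-03T10:00:00+00:00,2024-03-02T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""

# Markers the report uses when a field has no usable value.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def parse_report_time(value):
    """Return an aware datetime, or None for the report's 'no value' markers."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of findings ({"user", "issue", ...}) for one report."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            # A console password without a second factor is one stolen
            # credential away from account access.
            if row["mfa_active"] != "true":
                findings.append({"user": user, "issue": "console_no_mfa"})
            last_login = parse_report_time(row["password_last_used"])
            if last_login is not None and last_login < cutoff:
                findings.append({"user": user, "issue": "console_password_idle",
                                 "idle_days": (now - last_login).days})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            created = parse_report_time(row[f"access_key_{n}_last_rotated"])
            last_used = parse_report_time(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                # Active key never used since it was created more than
                # max_idle_days ago: pure clutter, delete it.
                if created is None or created < cutoff:
                    findings.append({"user": user,
                                     "issue": f"access_key_{n}_never_used"})
            elif last_used < cutoff:
                findings.append({"user": user, "issue": f"access_key_{n}_idle",
                                 "idle_days": (now - last_used).days})
    return findings


if __name__ == "__main__":
    # In production pass datetime.now(timezone.utc) and the decoded report.
    for finding in audit_credential_report(SAMPLE_REPORT, REFERENCE_NOW):
        print(finding)
```

Against a live account, base64-decode the `Content` field of the `get-credential-report` response and pass the resulting text to `audit_credential_report`. The never-used check deliberately ignores keys younger than the idle threshold, so a key created yesterday for a new pipeline is not flagged before it has had a chance to be used.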
Determine appropriate tags and tag the necessary resources.
After cleaning up idle, underutilized and unnecessary resources, it is critical to define a clear set of tags that groups resources and to apply them consistently.
For resource tagging, it is strongly advised to use Infrastructure as Code (IaC), for example Terraform or AWS CloudFormation, so that tags are applied when a resource is created rather than by hand afterwards. An alternative, but time-consuming, method is the 'Tag Editor' feature of the AWS Resource Groups service.
It is also recommended that the required tags be activated as cost allocation tags, via the 'Cost allocation tags' option in AWS Billing, so that spend can be broken down by tag.
Identify resources carrying tags that are no longer required, and clean up either the resource or the tags attached to it.
Tags created before this sanitization effort will still be present, attached to resources that are either still required or due for deletion. The 'Tags' section of the EC2 console lists every tag key in use and the resources carrying it. Reviewing the non-required tags declutters the environment further.
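As an added example (not from the original post), this Python script audits tags in the shape the Resource Groups Tagging API returns from `get-resources` (a `ResourceTagMappingList` of ARNs with `Tags` key/value pairs). It reports resources missing a required tag, tags outside the approved schema (including case variants such as `environment` next to `Environment`, which AWS treats as distinct keys), values outside the allowed set, and an inventory of every tag key in use, which is the same view the EC2 'Tags' section gives. The required tag set, the allowed values and the sample resources are constructed assumptions.

```python
"""Audit resource tags against an approved tag schema.

Added example, not from the original post. Input uses the response shape of
`resourcegroupstaggingapi get-resources`; the schema and resources below are
constructed for illustration.
"""
from collections import Counter

# Assumed tag schema for the example.
REQUIRED_TAGS = {"Owner", "Environment", "CostCenter"}
OPTIONAL_TAGS = {"Name"}
ALLOWED_VALUES = {"Environment": {"prod", "staging", "dev"}}

# Constructed sample response, fictional account 123456789012.
SAMPLE_RESPONSE = {
    "ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def4567890",
         "Tags": [{"Key": "Owner", "Value": "payments-team"},
                  {"Key": "Environment", "Value": "prod"},
                  {"Key": "CostCenter", "Value": "CC-1042"}]},
        {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:volume/vol-0123456789abcdef0",
         "Tags": [{"Key": "Name", "Value": "temp-test"},
                  {"Key": "environment", "Value": "Prod"}]},
        {"ResourceARN": "arn:aws:s3:::legacy-export-bucket", "Tags": []},
        {"ResourceARN": "arn:aws:rds:eu-west-1:123456789012:db:reports-db",
         "Tags": [{"Key": "Owner", "Value": "data-team"},
                  {"Key": "Environment", "Value": "production"},
                  {"Key": "CostCenter", "Value": "CC-2000"},
                  {"Key": "poc", "Value": "true"}]},
    ],
    "PaginationToken": "",
}


def audit_tags(response, required=REQUIRED_TAGS, optional=OPTIONAL_TAGS,
               allowed=ALLOWED_VALUES):
    """Return one finding dict per resource in the tagging API response."""
    known = required | optional
    known_lower = {k.lower() for k in known}
    report = []
    for mapping in response["ResourceTagMappingList"]:
        tags = {t["Key"]: t["Value"] for t in mapping.get("Tags", [])}
        missing = sorted(required - tags.keys())
        # Keys outside the schema: legacy tags to retire, or miscased copies
        # of a required key that silently break grouping and cost allocation.
        unexpected = sorted(k for k in tags if k not in known)
        case_variants = sorted(k for k in unexpected if k.lower() in known_lower)
        bad_values = sorted(k for k, v in tags.items()
                            if k in allowed and v not in allowed[k])
        report.append({
            "arn": mapping["ResourceARN"],
            "missing": missing,
            "unexpected": unexpected,
            "case_variants": case_variants,
            "bad_values": bad_values,
            "compliant": not (missing or unexpected or bad_values),
        })
    return report


def tag_key_inventory(response):
    """Count how many resources carry each tag key (the console's Tags view)."""
    counts = Counter()
    for mapping in response["ResourceTagMappingList"]:
        counts.update(t["Key"] for t in mapping.get("Tags", []))
    return dict(counts)


if __name__ == "__main__":
    for finding in audit_tags(SAMPLE_RESPONSE):
        if not finding["compliant"]:
            print(finding)
    print(tag_key_inventory(SAMPLE_RESPONSE))
```

Against a live account, page through `get_resources` (following `PaginationToken`) and concatenate the `ResourceTagMappingList` entries before calling `audit_tags`. Resources that come back with no tags at all, like the S3 bucket in the sample, are the first candidates to question: nobody has claimed ownership of them.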
Keep the environment clean with an automated solution such as Cloud Custodian
Cloud Custodian is an open-source tool that automates cloud environment management: it enforces security policies and tag policies, garbage-collects unused resources and manages cost. The tool is simple to use and lets you express policies in an easy-to-read YAML DSL.
It is highly recommended because it provides the automation needed to keep cloud clutter from coming back.
To summarise, cleaning up cloud environments is a frequently overlooked task, yet neglecting it is costly in actual spending and poses a significant risk to the security posture. A one-time cleanup followed by automation with a tool such as Cloud Custodian pays off in the long run. If you have any questions about this topic, don't hesitate to contact us. Airzero Cloud will be your digital partner.
Email id: [email protected]
Author - Johnson Augustine
Cloud Architect, Ethical hacker
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/