Tyler Healy and Asif Wani
Security in the cloud can be intimidating. There are multiple layers to consider, from simply protecting your cloud account login down to hardcore Linux operating system security. Founders and developers at technology companies looking to scale quickly often wear many hats, security included. At DigitalOcean we believe you shouldn’t need to be a security expert to do the basics in protecting your cloud infrastructure, and we’re constantly working to abstract security complexities out of your infrastructure. And when we do leave choices up to you as a developer, we want to make the secure choice the simple choice.
As you scale your footprint and your business on DigitalOcean, it’s almost a certainty that you will need to test your security configurations. This is both a healthy security best practice, and also demonstrates to your customers, auditors, and partners that you’ve taken a thoughtful approach to cloud security. To help on your security journey, we’ve published guidance on the basics like Securing Your DigitalOcean Account and Securing Your Infrastructure, which are excellent starters.
For those who are looking for something more comprehensive in assessing your infrastructure, we work with great partners, including marketplace options like Kloudle, and open source options for cloud security posture management. One of these open source options is ScoutSuite, and we’ve contributed to the inclusion of DigitalOcean security posture scanning in the latest release of ScoutSuite, which we’ll outline below.
With major security features coming up from DigitalOcean like VPC, Spaces per-bucket keys, and fine-grained access management with RBAC, we'll continue to refresh the simple-secure guidance for configuring your DigitalOcean cloud.
The remainder of this blog will go into the details of our contributions into ScoutSuite, covering 27 common security configurations across 7 DigitalOcean services. Our hope is to familiarize you with how to approach security across DigitalOcean projects, and arm you with knowledge in how to evaluate which cloud security posture management tool (commercial or open source) will be right for you and your business.
Cloud security posture management (CSPM) comprises security tools and practices designed to ensure that cloud environments adhere to security best practices, compliance regulations, and organizational policies. It provides continuous monitoring, assessment, and remediation capabilities to help organizations proactively identify and address security risks in their cloud infrastructure.
In an age where digital transformation is driving businesses to the cloud, ensuring the security of cloud environments is paramount.
ScoutSuite stands out as a versatile open source multi-cloud security-auditing tool designed to assess the security posture of cloud environments comprehensively. With support for cloud service providers such as AWS, GCP, Azure, Oracle, and Alibaba, ScoutSuite empowers organizations to identify and address misconfigurations and security risks proactively.
DigitalOcean has become a popular choice for developers and businesses alike, offering simplicity, scalability, and affordability. However, previously, DigitalOcean customers lacked a free and open-source solution for performing quick security assessments of their cloud configurations. The addition of DigitalOcean support in ScoutSuite 5.14.0 bridges this gap, providing customers with a valuable tool for enhancing the security of their DigitalOcean environments.
The initial release of DigitalOcean support in ScoutSuite includes scanning for 27 misconfigurations across 7 DigitalOcean services:
Droplet service
Database service
Firewall service
Load balancer service
Domain service
Spaces service
Kubernetes service
These misconfigurations cover a range of security concerns, from publicly exposed databases and missing backups to overly permissive firewall rules and insecure Kubernetes settings. By scanning for these misconfigurations, ScoutSuite enables DigitalOcean customers to identify and remediate potential security risks before they can be exploited by malicious actors. A few additional examples of such misconfigurations are given below.
Database users still using legacy MySQL 5.x encryption
Droplets operating without essential firewall protection
Spaces buckets with publicly readable permissions
Firewalls configured with risky quad-zero (0.0.0.0/0) rules, etc.
For a comprehensive list, please check ScoutSuite/providers/do/rules/findings.
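As an added illustration of what two of the checks above look like when run over DigitalOcean API objects (this is example code written for this post, not ScoutSuite's own rule code), the script below flags inbound firewall rules whose sources include 0.0.0.0/0 or ::/0 and lists Droplets that are attached to no cloud firewall at all. The firewall and Droplet objects are constructed sample data in the shape the DigitalOcean API returns, and the WEB_PORTS triage set is an assumption.

```python
import ipaddress

# Constructed sample data shaped like the DigitalOcean API's firewall and
# droplet objects. Illustration only; not ScoutSuite's own rule code.
FIREWALLS = [
    {"name": "web", "droplet_ids": [101, 102], "inbound_rules": [
        {"protocol": "tcp", "ports": "443",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "22",
         "sources": {"addresses": ["203.0.113.0/24"]}},
    ]},
    {"name": "db", "droplet_ids": [103], "inbound_rules": [
        {"protocol": "tcp", "ports": "3306",
         "sources": {"addresses": ["0.0.0.0/0"]}},
    ]},
]
DROPLETS = [{"id": 101, "name": "web-1"}, {"id": 102, "name": "web-2"},
            {"id": 103, "name": "db-1"}, {"id": 104, "name": "batch-1"}]

# Ports where exposure to the whole internet is usually intended (assumption).
WEB_PORTS = {"80", "443"}


def is_quad_zero(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source matching every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def quad_zero_findings(firewalls):
    """Inbound rules reachable from any address, with a triage severity."""
    findings = []
    for fw in firewalls:
        for rule in fw.get("inbound_rules", []):
            # Sources may also hold tags or droplet ids; only CIDRs matter here.
            addrs = rule.get("sources", {}).get("addresses", [])
            if not any(is_quad_zero(a) for a in addrs):
                continue
            severity = "info" if rule["ports"] in WEB_PORTS else "high"
            findings.append((fw["name"], rule["protocol"], rule["ports"], severity))
    return findings


def unprotected_droplets(droplets, firewalls):
    """Droplets that no cloud firewall lists in its droplet_ids."""
    covered = {d for fw in firewalls for d in fw.get("droplet_ids", [])}
    return [d["name"] for d in droplets if d["id"] not in covered]


if __name__ == "__main__":
    for finding in quad_zero_findings(FIREWALLS):
        print("quad-zero rule:", finding)
    print("droplets without a firewall:", unprotected_droplets(DROPLETS, FIREWALLS))
```

In a real run the two lists would come from the `/v2/firewalls` and `/v2/droplets` endpoints using a read-only token, which is exactly the data ScoutSuite collects before applying its rules.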
With ScoutSuite, developers and security professionals gain valuable insights into their DigitalOcean environments, allowing them to:
Identify misconfigurations and security risks across multiple DigitalOcean services.
Prioritize remediation efforts based on the severity of detected issues.
Support compliance with industry regulations and best practices.
Enhance overall security posture and reduce the risk of security breaches.
Setting up ScoutSuite on your system is straightforward, provided you have Python 3 already installed:
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install scoutsuite
$ scout --help
$ scout do --token <TOKEN>
If your environment contains Spaces objects, you will also need a Spaces access key and its secret:
$ scout do --token <TOKEN> --access_key <ACCESS KEY> --access_secret <SECRET KEY>
How do I get the token required?
The token here is simply a personal access token with read-only scope, which can be generated at https://cloud.digitalocean.com/account/api/tokens
In today’s rapidly evolving threat landscape, cloud security is non-negotiable. With the integration of DigitalOcean support in ScoutSuite, organizations using DigitalOcean can now leverage a powerful tool to enhance the security of their cloud environments. By proactively scanning for misconfigurations and security risks, ScoutSuite helps empower DigitalOcean customers to stay one step ahead of potential security misconfigurations and safeguard their valuable assets and data in the cloud.
July 17, 2024•4 min read