It’s criminally easy to roll out a fear-mongering list of industries, victims, and financial penalties related to ransomware. Gas pipelines, healthcare systems, local governments: all have been hit. Nearly every headline is some form of “And it’s only getting worse: are ransomware attacks the new digital pandemic?” It can seem inevitable, but when it comes to your AWS environment there are a few things you can do to protect yourself by reducing your attack surface, and you can then use Prowler to keep an eye on it all continuously.

AWS Ransomware Best Practices

Ransomware attacks succeed when an attacker can hold your data hostage, which is only possible when you have no backup the attacker cannot reach or destroy. Reducing your attack surface and putting consistent, protected data backup and recovery processes in place will help you thwart malicious activity (and recover from application failures as well).

Implement IAM Best Practices 

These include setting least privilege policies, preventing IAM key leakage, applying policies only at the group level, and more. See our previous post on IAM checks in Prowler for all the details on this.

Enable S3 Object Versioning 

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures. Note that an attacker holding s3:DeleteObjectVersion can still permanently remove old versions, so pair versioning with MFA Delete or Object Lock rather than relying on it alone.

Replicate S3 Buckets 

AWS offers a built-in mechanism, S3 Replication, for copying objects from one bucket to another (in the same or a different region or account) for backup purposes. Replicating to a bucket in a separate account that the attacker cannot reach, and leaving delete marker replication disabled in the replication rule, means a delete in the source bucket does not propagate to the copy (permanent deletes of specific versions are never replicated).

Prevent Deletion with S3 Object Lock 

Per AWS, Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion. Object Lock works only on versioned buckets, and only COMPLIANCE mode retention cannot be shortened or removed by any user, including the root account; GOVERNANCE mode can be bypassed by principals with s3:BypassGovernanceRetention.
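The three S3 controls above (versioning, replication, Object Lock) can be checked together. The script below is an added example, not Prowler's own code: it takes the dictionaries boto3's S3 client returns from get_bucket_versioning, get_object_lock_configuration and get_bucket_replication (pass None where the API raises because the feature is not configured) and reports what would stop a recovery. The two bucket configurations and the account ID are constructed so it runs offline.

```python
"""Assess whether an S3 bucket's versioning, replication and Object Lock settings
would let you recover from a ransomware-style overwrite or delete.

Added example, not Prowler code. Inputs are in the shape boto3's s3 client returns;
OWN_ACCOUNT and both sample buckets are constructed.
"""
from typing import List, Optional, Tuple

OWN_ACCOUNT = "111111111111"  # constructed account ID


def assess_bucket(versioning: dict, object_lock: Optional[dict],
                  replication: Optional[dict],
                  own_account: str = OWN_ACCOUNT) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means all three controls are in place."""
    findings: List[Tuple[str, str]] = []

    # Versioning keeps the pre-attack copy of an overwritten or deleted object.
    if versioning.get("Status") != "Enabled":
        findings.append(("FAIL", "versioning is not enabled; an overwrite destroys the only copy"))
    elif versioning.get("MFADelete") != "Enabled":
        findings.append(("WARN", "MFA Delete is off; a leaked key with s3:DeleteObjectVersion can purge old versions"))

    # Object Lock in COMPLIANCE mode is what makes versions undeletable during retention.
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append(("FAIL", "Object Lock is not enabled"))
    else:
        retention = cfg.get("Rule", {}).get("DefaultRetention", {})
        if not retention:
            findings.append(("WARN", "Object Lock enabled but no default retention; new objects are unprotected unless locked individually"))
        elif retention.get("Mode") != "COMPLIANCE":
            findings.append(("WARN", "GOVERNANCE retention can be bypassed with s3:BypassGovernanceRetention"))

    # A replica in a separate account, with delete marker replication off, gives a
    # copy that a compromised principal in the source account cannot remove.
    rules = (replication or {}).get("ReplicationConfiguration", {}).get("Rules", [])
    active = [r for r in rules if r.get("Status") == "Enabled"]
    if not active:
        findings.append(("FAIL", "no active replication rule; there is no off-bucket copy"))
    for rule in active:
        dest = rule.get("Destination", {})
        if dest.get("Account", own_account) == own_account:
            findings.append(("WARN", f"{dest.get('Bucket')} is in the same account as the source"))
        if rule.get("DeleteMarkerReplication", {}).get("Status") == "Enabled":
            findings.append(("WARN", f"rule {rule.get('ID')} replicates delete markers, so deletes reach the copy"))
    return findings


# Constructed sample: a bucket with none of the controls ...
WEAK_BUCKET = {
    "versioning": {"Status": "Suspended"},
    "object_lock": None,   # get_object_lock_configuration raised ObjectLockConfigurationNotFoundError
    "replication": None,   # get_bucket_replication raised ReplicationConfigurationNotFoundError
}

# ... and one configured the way this post recommends.
HARDENED_BUCKET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    "replication": {"ReplicationConfiguration": {
        "Role": "arn:aws:iam::111111111111:role/s3-replication",
        "Rules": [{
            "ID": "to-vault", "Status": "Enabled", "Priority": 1, "Filter": {},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": "arn:aws:s3:::backup-vault-222",
                            "Account": "222222222222",
                            "AccessControlTranslation": {"Owner": "Destination"}}}]}},
}

if __name__ == "__main__":
    for name, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, assess_bucket(**bucket) or "OK")
```

To run it against a live bucket, replace the sample dictionaries with the results of the three boto3 calls and catch the NotFound client errors by passing None.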

Use GuardDuty S3 Findings 

GuardDuty monitors and generates findings for suspicious access to data stored in your S3 buckets.

Prowler Ransomware Checks

Running a Prowler check is quick and easy. The basic command is ./prowler; run it with no options and it will use the credentials in your environment variables if they exist, otherwise the ~/.aws/credentials file, and it will run the checks across all regions where needed. The default region is us-east-1.

To run a single check, use option -c and the check ID:

./prowler -c check23

For multiple checks, separate them with a comma: 

./prowler -c check23,extra72,extra73

Check out the Prowler README for the full usage details. 

Check for Open Ports

Check now whether any sensitive service ports are open to the internet with:

./prowler -c check41,check42,check45,check46,extra7134,extra7135,extra7136,extra7137,extra7138,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra779

Internet-exposed Resources

The list of things you don’t want exposed to the internet is pretty significant. Thankfully, Prowler has you covered with checks for resources that could be set as public. Check now whether you have internet-exposed resources with:

./prowler -c extra72,extra76,extra77,extra78,extra79,extra710,extra770,extra711,extra716,extra723,extra727,extra731,extra745,extra736,check23,extra798

There are a few other useful checks in this set. Check them all with:

./prowler -c extra738,extra73,extra771,check38,extra725,extra734,extra714,extra795,extra778,extra796,extra710,extra7873,extra788

If you have a Shodan API key, add it at the end of the command so the checks that use Shodan can query it:

-N <shodan_api_key>
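To keep an eye on these check sets continuously, as the introduction suggests, it helps to turn Prowler's output into a pass/fail gate for a scheduled job. The script below is an added example, not part of Prowler: it reads the one-JSON-object-per-line file produced by running the commands above with -M json redirected to a file, groups failing results by the three check sets from this post, and exits non-zero if anything failed. It assumes the fields "Control ID", "Status" (values "Pass"/"Fail"), "Region" and "Resource ID" as Prowler v2 writes them; confirm those names against your own output before relying on it. SAMPLE_LINES are constructed, not real scan output.

```python
"""Summarise Prowler JSON output by the ransomware check sets in this post.

Added example, not Prowler code. Assumes Prowler v2 `-M json` field names
("Control ID", "Status", "Region", "Resource ID"); verify against your output.
"""
import json
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# The three check sets from this post. extra710 is listed in two of them; it is
# counted under the first set it appears in.
CHECK_SETS: Dict[str, List[str]] = {
    "open ports": "check41,check42,check45,check46,extra7134,extra7135,extra7136,extra7137,"
                  "extra7138,extra748,extra749,extra750,extra751,extra752,extra753,extra754,"
                  "extra755,extra779".split(","),
    "internet exposed": "extra72,extra76,extra77,extra78,extra79,extra710,extra770,extra711,"
                        "extra716,extra723,extra727,extra731,extra745,extra736,check23,extra798".split(","),
    "other": "extra738,extra73,extra771,check38,extra725,extra734,extra714,extra795,extra778,"
             "extra796,extra710,extra7873,extra788".split(","),
}


def parse_results(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (control_id, status, region, resource) from JSON lines; skip banners and blanks."""
    for raw in lines:
        line = raw.strip()
        if not line.startswith("{"):
            continue  # Prowler prints non-JSON banner lines on stderr/stdout depending on options
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        yield (rec.get("Control ID", ""), rec.get("Status", ""),
               rec.get("Region", ""), rec.get("Resource ID", ""))


def summarise(lines: Iterable[str]) -> Dict[str, Dict[str, List[Tuple[str, str]]]]:
    """Return {set_name: {control_id: [(region, resource), ...]}} for failing results only."""
    membership: Dict[str, str] = {}
    for name, ids in CHECK_SETS.items():
        for cid in ids:
            membership.setdefault(cid, name)  # first set wins for duplicated IDs
    report: Dict[str, Dict[str, List[Tuple[str, str]]]] = {name: {} for name in CHECK_SETS}
    for cid, status, region, resource in parse_results(lines):
        if status == "Fail" and cid in membership:
            report[membership[cid]].setdefault(cid, []).append((region, resource))
    return report


def total_failures(report: Dict[str, Dict[str, list]]) -> int:
    return sum(len(hits) for per_check in report.values() for hits in per_check.values())


# Constructed sample lines in the assumed Prowler v2 JSON shape (not real scan output).
SAMPLE_LINES = [
    '{"Control ID": "check41", "Status": "Fail", "Region": "us-east-1", "Resource ID": "sg-0123456789abcdef0"}',
    '{"Control ID": "check42", "Status": "Pass", "Region": "us-east-1", "Resource ID": ""}',
    '{"Control ID": "extra72", "Status": "Fail", "Region": "us-west-2", "Resource ID": "my-public-bucket"}',
    '{"Control ID": "check41", "Status": "Fail", "Region": "eu-west-1", "Resource ID": "sg-0fedcba9876543210"}',
    'Prowler banner text that is not JSON',
]


def main(path: str = None) -> int:
    if path:
        with open(path) as fh:
            lines = list(fh)
    else:
        lines = SAMPLE_LINES
    report = summarise(lines)
    for name, per_check in report.items():
        for cid, hits in per_check.items():
            for region, resource in hits:
                print(f"FAIL [{name}] {cid} {region} {resource}")
    return 1 if total_failures(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python summarise.py prowler.json` after `./prowler -c <ids> -M json > prowler.json`; the non-zero exit code is what lets a cron job or CI pipeline alert when a new exposure appears.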

RDS Checks

  • Publicly accessible RDS instances: Publicly accessible databases could expose sensitive data to bad actors. Check whether any exist and, if so, confirm there is a legitimate business reason.
  • Are RDS snapshots or cluster snapshots public: If an RDS snapshot is public, the data backed up in it can be copied and restored by any other AWS account.
  • Is storage encrypted: Use a customer managed KMS key (CMK) where possible; it gives you control over the key policy, rotation, and who can restore snapshots encrypted with it.
  • Is automated backup enabled: Be sure you have automated backups established for production data, with a clearly defined retention period (a retention period of 0 disables them).
  • Are RDS instances integrated with CloudWatch Logs: These logs help you monitor how your databases are being used and assist with threat analysis when needed.
  • Is deletion protection enabled: If not, enable it in the AWS Management Console or via the API for your production instances; while it is set, a delete request for the instance is rejected.
  • Is minor version upgrade enabled: Auto Minor Version Upgrade does pretty much what it says: it automatically upgrades the instance when a new minor database engine version is available. Such minor version upgrades often patch security vulnerabilities and fix bugs.
  • Is enhanced monitoring enabled: First create an IAM role that RDS can assume to write to CloudWatch Logs, then enable Enhanced Monitoring, which reports OS metrics at a shorter interval (down to one second) than standard monitoring.
  • Is multi-AZ enabled: With a single-AZ deployment configuration, Amazon RDS can’t automatically fail over to a standby availability zone.
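The checklist above maps directly onto fields of the DescribeDBInstances and DescribeDBSnapshotAttributes API responses. The script below is an added example, not Prowler code: it evaluates an instance dictionary in the shape boto3's rds.describe_db_instances() returns and a snapshot attribute result from describe_db_snapshot_attributes(). The sample instances and snapshots are constructed; CUSTOMER_MANAGED_KEYS is an assumed set of your own KMS key ARNs (look them up with kms.describe_key, KeyManager "CUSTOMER"), and the seven-day minimum retention is a threshold chosen for this example.

```python
"""Evaluate RDS instances and snapshots against the ransomware checklist in this post.

Added example, not Prowler code. Field names are the real DescribeDBInstances and
DescribeDBSnapshotAttributes fields; the sample data, CUSTOMER_MANAGED_KEYS and the
7-day retention threshold are assumptions made for this example.
"""
from typing import List

# Assumed: ARNs of KMS keys you manage. Anything else is treated as an AWS managed key.
CUSTOMER_MANAGED_KEYS = {
    "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555",
}
MIN_BACKUP_RETENTION_DAYS = 7  # chosen for this example; use your own policy


def check_instance(db: dict) -> List[str]:
    """Return the failed controls for one DescribeDBInstances entry (empty list = all good)."""
    fails: List[str] = []
    if db.get("PubliclyAccessible"):
        fails.append("publicly accessible")
    if not db.get("StorageEncrypted"):
        fails.append("storage not encrypted")
    elif db.get("KmsKeyId") not in CUSTOMER_MANAGED_KEYS:
        fails.append("encrypted with an AWS managed key rather than a CMK")
    retention = db.get("BackupRetentionPeriod", 0)  # 0 means automated backups are off
    if retention < MIN_BACKUP_RETENTION_DAYS:
        fails.append(f"automated backup retention is {retention} days")
    if not db.get("EnabledCloudwatchLogsExports"):
        fails.append("no log exports to CloudWatch Logs")
    if not db.get("DeletionProtection"):
        fails.append("deletion protection disabled")
    if not db.get("AutoMinorVersionUpgrade"):
        fails.append("auto minor version upgrade disabled")
    if db.get("MonitoringInterval", 0) == 0:  # 0 means Enhanced Monitoring is off
        fails.append("enhanced monitoring disabled")
    if not db.get("MultiAZ"):
        fails.append("single-AZ deployment")
    return fails


def snapshot_is_public(attrs: dict) -> bool:
    """True when the 'restore' attribute of a DescribeDBSnapshotAttributes result includes 'all'."""
    for attr in attrs["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


# Constructed samples: one instance with every control missing, one hardened.
WEAK_INSTANCE = {
    "DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True, "StorageEncrypted": False,
    "BackupRetentionPeriod": 0, "EnabledCloudwatchLogsExports": [], "DeletionProtection": False,
    "AutoMinorVersionUpgrade": False, "MonitoringInterval": 0, "MultiAZ": False,
}
HARDENED_INSTANCE = {
    "DBInstanceIdentifier": "prod-db", "PubliclyAccessible": False, "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555",
    "BackupRetentionPeriod": 14, "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
    "DeletionProtection": True, "AutoMinorVersionUpgrade": True, "MonitoringInterval": 60,
    "MultiAZ": True,
}
PUBLIC_SNAPSHOT = {"DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "legacy-db-2021",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}}
PRIVATE_SNAPSHOT = {"DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "prod-db-2021",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["222222222222"]}]}}

if __name__ == "__main__":
    for db in (WEAK_INSTANCE, HARDENED_INSTANCE):
        print(db["DBInstanceIdentifier"], check_instance(db) or "OK")
    for snap in (PUBLIC_SNAPSHOT, PRIVATE_SNAPSHOT):
        print(snap["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"],
              "PUBLIC" if snapshot_is_public(snap) else "private")
```

Against a live account, iterate over rds.describe_db_instances()["DBInstances"] and, for each snapshot from describe_db_snapshots, call describe_db_snapshot_attributes; the same functions apply unchanged. Cluster snapshots use the parallel describe_db_cluster_snapshot_attributes call with a DBClusterSnapshotAttributesResult key.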

Check RDS now with:

./prowler -g rds

Stay tuned for the next post in this series!


Sign up for Prowler Training

This free course covers everything from the history of Prowler to advanced features.


Toni de la Fuente

Founder of Prowler Open Source & Lead of Prowler Pro

I’m the founder of Prowler Open Source, a tool for AWS security best practices. I also worked for AWS as a security engineer and security consultant. I’m passionate about FLOSS (Free Libre Open Source Software) in general and Information Security, Incident Response and Digital Forensics in particular. I like everything related to cloud computing and automation. I have done some things for security and the Open Source community, like Prowler, phpRADmin, a Nagios plugin for Alfresco, and Alfresco BART (a backup tool). I’ve also contributed to books and courses related to Linux, Monitoring and AWS Security for Packt Publishing.