
How I became a Wizard. Software engineer’s perspective on using Wiz on AWS.

11 min read · Apr 6, 2025


Intro

Last year, I attended KubeCon in Paris and toured the booths. I came across the Wiz booth. I had heard good things about Wiz before, but I had never had a demo of it. I was really impressed by its functionality, performance, and quality. I knew it provided a lot of value and wanted to try it out on my production workloads. Not long after, we were onboarding Wiz at Ryanair. I wrote down my thoughts about using Wiz from a software engineering perspective.


Functionalities

First of all, what is Wiz? I won’t explain it as well as Wiz’s marketing department, so if you have never heard about Wiz, go and check the platform details at https://www.wiz.io/platform/overview.

IAM Roles investigation

Wiz offers a single pane of glass that can show you an overview of privileges, policies, trusted identities, which services/lambdas are using your role, and what data sources can be accessed by your role. It will also suggest limiting your role privileges, helping you to achieve the least privilege. You want to see what actions this role has performed recently? You can go to CloudEvents in just a few clicks.

It is a fantastic user experience that changes the approach to reviewing IAM roles. What does it look like?

On the Overview tab, you can see basic information about the role, including the policies, who uses that role, and on which account it exists.

In the “Forensics” tab, you can see all potential checks and impact analysis that Wiz runs. An important thing here might be an overview of what data it can reach and what data class is stored there. You can quickly check the database details, but this is something we are going to check soon.

We can check the details of the effective permissions AKA “Role power”, what resources that specific role can access, and how SCPs affect its permissions.

In the case of some roles, Wiz also suggests what you can do to limit IAM Role policy permissions based on usage and their severity.

You can see the policy with reduced permissions with a single click to make your job easier and focus more on your business goals instead of tailoring IAM permissions.

Finally, you can check what databases your role can access. By a single click, we can check the details of that database. Let’s jump to it!

Database checks

In Wiz, you can also review security from a resource perspective. You can see what data type is stored in the database, what type of database it is, in which version it is, how much data is there, who can access that database, with what kind of permissions, and when the last scan was performed.

Identity Entitlements

With a single click from the Database details, we can go into the “Identity Entitlements” part of the platform. Within that view, we can find all IAM Roles that can perform some tier of operations on that specific database to narrow down roles to review.

Identity Entitlements access type tiers

Then you can check which policy or policies on a particular role grant that access.

This is an excellent feature that can be used to find, for example:

  • All lambda functions that can manage DynamoDB in my organization?
  • Who can write in the X table?
  • Which roles can delete items on tables whose name contains “X”?
  • Who can write to resources tagged with “X”?
  • Which IAM roles can manage resources of type X on accounts A, B, and C?
Cloud Entitlements empty view
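The entitlement questions above come down to evaluating each role's identity policies against a requested action and resource. As an added example (not Wiz's own logic), here is a simplified evaluator run over a constructed inventory of three roles; it ignores conditions, resource policies, permissions boundaries and SCPs, so it over-approximates the effective permissions Wiz reports:

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from the page): role name -> attached identity
# policy documents. Conditions are assumed satisfied; SCPs are not modelled.
ROLES = {
    "orders-writer": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:111111111111:table/Orders"}]}],
    "reporting-reader": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:Get*",
         "Resource": "arn:aws:dynamodb:*:111111111111:table/*"}]}],
    "admin-but-denied": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteItem",
         "Resource": "arn:aws:dynamodb:*:*:table/Orders"}]}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards; actions match case-insensitively
    # (ARN comparison is simplified to case-insensitive here as well).
    return fnmatchcase(value.lower(), pattern.lower())

def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    NotAction/NotResource forms are not modelled and are skipped."""
    if "NotAction" in stmt or "NotResource" in stmt:
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action) for a in actions)
            and any(_matches(r, resource) for r in resources))

def role_allows(policies, action, resource):
    """Explicit Deny beats any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def who_can(action, resource, roles=ROLES):
    """Answer 'which roles can <action> on <resource>?' over the role inventory."""
    return sorted(name for name, pols in roles.items()
                  if role_allows(pols, action, resource))
```

Calling `who_can("dynamodb:DeleteItem", "<Orders table ARN>")` returns an empty list because the explicit Deny on the admin role wins over its `dynamodb:*` Allow.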

Issues

Wiz helps teams focus on the issues that matter, particularly the critical ones. Critical here means that, if the affected resources were compromised, a significant business impact would be highly probable.

source: https://www.wiz.io/blog/the-anatomy-of-a-toxic-combination-of-risk

In other words, Wiz identifies combinations of risks that may appear insignificant on their own but become critical when taken together in a so-called toxic combination. All of those issues are analyzed and visualized in the form of an attack path visualization.

Within the reported issue, apart from the attack path visualization, we can see details of all the risks involved to understand it better, along with details of the investigation and the generated remediation suggestions.

Tech stack overview

Wiz has many security-related features that can support your software engineering and give you an overview of your tech stack. This might be especially interesting and powerful if you are using multiple accounts.

SBOM

Wiz makes it a breeze to track the libraries in use, their licenses, and the components that use them. It also covers libraries pulled in indirectly, for example through the Lambda layers you use and through base Docker images.

Typical scenarios for using SBOM:

  • Which serverless components on X cloud on specific accounts use a library with a version between Y and Z
  • On which accounts is library X in version Y used?
  • What libraries are used for specific languages?
  • What libraries are used for specific licenses?
  • Which services didn’t upgrade to the latest framework version?
Example view showing lambda functions with the AWS SDK version they use

Technologies

Wiz keeps track of the technologies used in the organization. It can show you how popular a given technology is in your organization.

It can answer questions like:

  • Do we use X DB in our organization? If yes, are there any vulnerabilities? On which accounts? In which version? Is it still supported, or has EOL been announced?
  • Are there any discontinued technologies used in our organization?
  • What are the database types that we use in our organization?
  • What are the non-cloud services that we use?
  • How many instances of X do we have in the organization? For example, IAM Roles, DynamoDBs, SQSes, etc.
  • Do we use lambdas with runtimes that are no longer supported?
Example view of the lambda with EOL Runtime used in the Cloud

Promotes best practices

Apart from keeping an eye on the security of your cloud, Wiz also suggests best practices to follow in your AWS workloads, like:

  • Setting up deletion protection on resources
  • Using encryption at rest with CMK
  • Setting up PITR on DynamoDB
  • Setting up VPC endpoints
  • Setting backups
  • Using a multi-AZ setup
  • Dropping invalid headers on ALB
  • Using the latest TLS versions
  • Using Dead-Letter Queues
  • Limiting too-wide permissions on a role
  • Limiting too-wide resource permissions
  • Encrypting in-transit data in Elasticache replication groups
  • Not exposing buckets through CloudFront without OAC
  • Setting proper policies by tracking roles that are vulnerable to the confused deputy problem

and many more.

Whenever Wiz finds some improvement, it will display its reasoning and suggest remediation! Let’s look at this SQS finding allowing all principals to access it.

Example of Wiz resource check

Suggested remediations are generated for you in multiple forms. As you can see, it supports AWS CLI, AWS Console, Terraform, CloudFormation, and Pulumi.

For example, this is what gets generated for CloudFormation in YAML. It’s not always perfect, but it's definitely something that makes engineers' work easier. It would be perfect if Wiz could suggest changes to the CloudFormation template that defines that particular resource.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Fix overly permissive SQS Queue access policy'

Resources:
  UpdateSQSQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      Queues:
        - !Ref SQSQueueURL
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: 'RestrictedAccessPolicy'
            Effect: 'Allow'
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${AWS::AccountId}:root' # Replace with specific IAM users/roles as needed
            Action:
              - 'sqs:SendMessage'
              - 'sqs:ReceiveMessage'
              - 'sqs:DeleteMessage'
              - 'sqs:GetQueueAttributes'
            Resource: !Ref SQSQueueARN
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': 'o-xxxxxxxxxx' # Replace with your Organization ID

Parameters:
  SQSQueueURL:
    Type: String
    Description: 'The URL of the SQS Queue'
    Default: 'https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME' # Replace with your queue URL

  SQSQueueARN:
    Type: String
    Description: 'The ARN of the SQS Queue'
    Default: 'arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME' # Replace with your queue ARN
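As an added example (not Wiz's own check), here is the kind of logic behind the "all principals can access it" finding, run over a constructed open queue policy and over the remediated PolicyDocument from the template above, with placeholder account and queue identifiers substituted for the !Sub and !Ref values:

```python
# Constructed "before" policy: the shape of queue policy the finding reports.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:*", "Resource": "arn:aws:sqs:eu-west-1:111111111111:orders"}]}

# The PolicyDocument from the generated CloudFormation, with placeholder
# account/queue identifiers (111111111111, "orders") in place of !Sub and !Ref.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RestrictedAccessPolicy", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage",
                "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
     "Resource": "arn:aws:sqs:eu-west-1:111111111111:orders",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}}}]}

# Condition keys that scope the caller even when Principal is "*".
RESTRICTING_KEYS = {"aws:principalorgid", "aws:principalaccount",
                    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_is_public(principal):
    """'*' or {"AWS": "*"} grants to every AWS principal, cross-account included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def has_restricting_condition(stmt):
    """True if any condition key pins the caller to an account, org or ARN."""
    keys = {key.lower() for op in stmt.get("Condition", {}).values() for key in op}
    return bool(keys & RESTRICTING_KEYS)

def public_statements(policy):
    """Sids of Allow statements open to all principals with no scoping condition."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and principal_is_public(s.get("Principal"))
            and not has_restricting_condition(s)]

if __name__ == "__main__":
    print(public_statements(OPEN_POLICY))   # ['AllowEveryone']
    print(public_statements(FIXED_POLICY))  # []
```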

Cloud Events

Wiz Cloud Events takes CloudTrail to the next level. You can filter all events across the whole organization using multiple filters, as well as filter the content of Raw JSON. This is very helpful, as we are often not 100% sure what we are looking for, especially in the case of ambiguous error messages that you can sometimes find in CloudFormation errors, or you are not sure who invokes some particular action. With Cloud Events, you can find events that contain any piece of information that you have in the whole event’s raw JSON.

The UI is very friendly, the displayed columns are flexible, the filter bar is intuitive, and you can easily filter in or out based on the table cells’ values. This is exactly how CloudTrail in the AWS Console should look, in my opinion.

We also get a quick link between action and roles / related resources.

CI/CD integration

Wiz works with agentless scans, but we can go further: scan our code, IaC templates, Docker images, or VMs, and plug those scans into our CI/CD pipelines.

Setup

It is super easy to set up Wiz for your code, container images, and IaC scanning with the Wiz CLI tool. It can be used locally on demand or even within a git hook to prevent pushing code with vulnerabilities.

Login:
wizcli auth --id **** --secret ****

or locally:
wizcli auth --use-device-code

Wiz CLI supports:

  • Scanning code
  • Scanning IaC (misconfigurations and secrets detection)
  • Scanning directory (vulnerabilities, secrets, and sensitive data detection)
  • Scanning container and VM images (vulnerabilities, secrets, and sensitive data detection)

Most straightforward possible config for AWS CodeBuild:

version: 0.2
phases:
  build:
    commands:
      - curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
      - ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
      # Pick your scans
      - ./wizcli dir scan --name ${BUILD_URL_DEEPLINK_DIR} --path .
      - ./wizcli iac scan --name ${BUILD_URL_DEEPLINK_IAC} --path .
      - ./wizcli docker scan --name ${BUILD_URL_DEEPLINK_DOCKER} --image demoimage:01

Onboarding sanity:
It is expected that there will be more findings during initial onboarding than after onboarding is complete. To get developers on board without impacting delivery velocity, you can start with:

  • Marking builds with warnings based on the status codes returned by the Wiz CLI, rather than failing them
  • Setting up emails that report findings to the project owners
  • Giving scans meaningful names: scan names are random by default, but can be set to something useful, for example a deep link to your build
  • Adjusting scanning policies for things like secrets, sensitive data, malware, image trust, IaC configuration, or vulnerabilities

A scan results in a report of vulnerable resources, including, for example, libraries with CVEs used in your code, as in the examples below:

Similar to the previous scenario, Wiz also suggests a remediation:

Searching the platform

I know this is very subjective, but working with Wiz and finding things on the platform is very intuitive. However, there are so many features that sometimes you can feel lost. How can I find what I am looking for?

Wiz suggests many searches, but now you can even search through the platform using natural language thanks to the AI integration. This is an amazing solution, especially for engineers who might not be as exposed to the security platform as security engineers.

For example, using just the prompt “find policies with excessive access” Wiz will open up a search in the security graph with a generated search for your resources.

or “show all S3 buckets which are encrypted with CMK”

or “show all publicly exposed Serverless functions”.

source: https://docs.wiz.io/docs/serverless

In this article, I am barely scratching the surface. I can’t mention all possible features, so I have to pass over some cool ones, like the special views on the platform that inform you about potentially malicious actions (e.g., someone deleted a database or bucket). What I am trying to say is that this search functionality is a great feature that helps you get onboarded onto the platform!

Automations and development access

You can interact with Wiz using the GraphQL API, e.g., to access your data. You can review the full docs to check resources and load them directly in the API Explorer.

What is also truly amazing is that every interaction you do with Wiz is stored, and you can easily see what call it is translated to.

To make this experience even better, you can generate a GraphQL query and code in any of the listed forms you can use for your automation. Truly fantastic DevEx!

Summary

Wiz is an amazing tool that not only supports your security team but also improves the awareness and productivity of software engineering teams, giving them a tool to see more in complex cloud environments and extending the default AWS capabilities.

Wiz shows effective permissions (see: https://www.wiz.io/academy/effective-permissions), which simplifies engineers’ efforts to understand access rights. It allows engineers to quickly correlate IAM roles with the resources they can access, along with their details, and gives insights into the actions they take.

It does a great job by providing insights into our tech stack, a massive improvement in large organizations.

Additionally, Wiz promotes best practices in our AWS workloads, integrates seamlessly with CI/CD pipelines, and effectively improves security posture.

Wiz is a fantastic tool that brings security and engineering teams together, and I definitely recommend giving it a shot in case you have never seen it in action. See you at Zero Critical Club!
