TLS Version Monitor

Number of APIs: 6

Who is this collection for?

Organizations that want to automatically monitor the assets that must be compliant with TLS v1.2 and/or TLS v1.3.

What does this collection do?

This collection scans the resource record sets of your AWS Route 53 hosted zones and checks which TLS versions the hosts behind them accept. If a TLS version below 1.2 (or 1.3) is still enabled on a host, an alert is sent to a Slack channel of your choice (the Slack integration is configured from the collection).

Setup

Because the collection relies on the error messages of requests that fail when TLS v1.2 and/or TLS v1.3 is disabled in the request settings, it has to be run with [Newman], which applies those per-request TLS settings.

1) Export the collection as tls_monitor_collection.json and environment as tls_monitor_environment.json

2) Run the collection with an accompanying set of environment variables using -e flag

newman run tls_monitor_collection.json -e tls_monitor_environment.json

Scheduling runs with AWS Lambda

You can automate the collection run to schedule runs and receive alerts on your Slack channel.

We'll be using Newman as a Node.js module within the Lambda function.

1) Create a directory and navigate into it

2) Export the collection as tls_monitor_collection.json and environment as tls_monitor_environment.json. The environment file holds the Slack webhook URL and any credentials the Route 53 requests are signed with, so treat it as a secret and keep it out of source control.

3) Create a package.json file

npm init

4) Install Newman in the directory and save it in the dependency list of your package.json file

npm install newman

5) Create index.js file (entry point)


const newman = require('newman');

// Lambda entry point: runs the exported collection with its environment on
// every scheduled invocation.
exports.handler = function (event, context, callback) {
    newman.run({
        collection: require('./tls_monitor_collection.json'),
        environment: require('./tls_monitor_environment.json'),
        reporters: 'cli'
    }, function (err, summary) {
        // Hand run errors to Lambda through the callback; an exception thrown
        // from inside this callback would surface as an unhandled error.
        if (err) { return callback(err); }
        console.log('collection run complete!');
        // Return the run statistics so the invocation result shows how many
        // requests and assertions failed.
        callback(null, {
            requests: summary.run.stats.requests,
            assertions: summary.run.stats.assertions,
            failures: summary.run.failures.length
        });
    });
};

6) Create a .zip file for the project

7) From the AWS Lambda console, select a Node.js runtime and choose the execution role (it should have the basic Lambda execution permissions, i.e. the lambda-basic-execution-role, so the function can write its logs)

8) Upload the .zip file package (you can also use S3 for uploading)

9) Make sure to update the basic settings (Memory, Timeout) for your Lambda function accordingly: the run makes one TLS check per record set, so zones with many records need a timeout well above the default

10) Create a scheduled EventBridge (CloudWatch Events) rule and attach the Lambda function as its target. The Lambda function will execute the Newman run each time the schedule triggers

Requests in this collection

1. Fetch Hosted Zones: GET {{hostedZoneURL}}

2. Fetch Paginated Hosted Zones: GET {{hostedZoneUrl}}?marker={{nextMarker}}

3. Fetch Resource Records: GET https://route53.amazonaws.com/2013-04-01{{hostedZone}}/rrset

4. Fetch Paginated Resource Records: GET https://route53.amazonaws.com/2013-04-01/hostedzone/{{hostedZoneIdPaginated}}/rrset?name={{rrNamePaginated}}

5. Push to Slack: POST {{slackWebhookURL}}

6. Check TLS Version: GET {{requestURL}}