AWS Security Services: Logging and Monitoring
Be Aware of 10 AWS Services to Improve Cloud Security Posture
AWS security services are designed to help organizations achieve AWS Well-Architected status, and fall into these 5 categories:
- Incident Response
- Logging and Monitoring
- Identity and Access Management
- Data Protection
Logging and monitoring requirements vary across organizations. Depending on your industry, regulatory environment or cloud migration status, your approach to security needs to be tailored and thorough.
10 Logging and Monitoring AWS Security Services
In typical Amazon fashion, the names of AWS security services are complicated. Here are 10 logging and monitoring services that we at Bloomip find to be critical for security:
- Amazon Inspector
- AWS Security Hub
- AWS WAF - Web Application Firewall
- AWS Systems Manager
- Amazon CloudWatch
- Amazon Athena
- AWS CloudTrail
- Amazon Macie
- Amazon Virtual Private Cloud
- Amazon Simple Notification Service
AWS Security Services: Amazon Inspector
Amazon Inspector works like a vulnerability scanner: it assesses the system against a set of assessment rules and reports the findings. It relies on an agent installed on the server to perform the scan.
Amazon Inspector provides predefined templates that define the Inspector rules:
- CVE (Common Vulnerabilities and Exposures): As the name suggests, this rule checks every package installed in the OS for known vulnerabilities associated with the installed package version.
- CIS Benchmarks: This rule checks the OS against the CIS Benchmarks to verify that the server follows the best practices they describe.
- Security Best Practices: A set of rules that Inspector checks the host against and reports on.
- Network Reachability: Reports which ports are reachable from the internet through an internet gateway, which helps catch ports left open by a misconfigured security group.
AWS Security Services: AWS Security Hub
AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. For instance, AWS IAM security alerts report to the AWS Security Hub.
AWS Security Hub also has the ability to generate its own findings by running automated and continuous checks against the rules in a set of supported security standards. The following Standards are supported:
- CIS AWS Foundation
- PCI DSS
AWS Security Services: AWS WAF - Web Application Firewall
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
Rule statements define the characteristics of a web request that WAF inspects. Multiple statements can be combined into a rule to target requests precisely. An association defines which resource WAF is attached to; WAF cannot be associated with EC2 instances directly. A Web ACL is the central object that holds the rules, their rule statements and the associated configuration.
Customers can use ready-made AWS Managed Rules or rules from the AWS Marketplace. Each rule has a priority: if a request matches the rule with priority 0, none of the other rules inspect that request.
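How rules, rule statements and priorities fit together in a Web ACL, shown as an added example that is not Bloomip's or AWS's own code. The rule dictionaries use the field names boto3's wafv2 create_web_acl() expects; the request dictionary, the per-IP request count it carries, and the local evaluator are assumptions made so the example runs offline. The evaluator goes one step beyond the text: it also shows that a Count action is non-terminating, so a request counted by an earlier rule is still inspected by later ones.

```python
"""Added example, not Bloomip's or AWS's own code: how rules, rule statements and
priorities combine in a Web ACL, with a small local evaluator that mimics WAF's
first-match-by-priority behaviour.

The rule dictionaries use the field names boto3's wafv2 create_web_acl() expects;
the request dictionary and the evaluator are assumptions made so this runs offline.
Only ByteMatchStatement on the URI path and RateBasedStatement are interpreted.
"""
from typing import List, Tuple


def _visibility(metric: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def _uri_statement(constraint: str, needle: str) -> dict:
    """A rule statement that inspects the URI path of the request."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": constraint,
        "SearchString": needle,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}


# Rules of a Web ACL; the lowest Priority number is evaluated first.
WEB_ACL_RULES: List[dict] = [
    {"Name": "allow-health-check", "Priority": 0,
     "Statement": _uri_statement("EXACTLY", "/healthz"),
     "Action": {"Allow": {}}, "VisibilityConfig": _visibility("allowHealthCheck")},
    # Count is a non-terminating action: the request is recorded and evaluation
    # continues with the next rule.
    {"Name": "count-admin-paths", "Priority": 1,
     "Statement": _uri_statement("STARTS_WITH", "/admin"),
     "Action": {"Count": {}}, "VisibilityConfig": _visibility("countAdmin")},
    {"Name": "rate-limit", "Priority": 2,
     "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
     "Action": {"Block": {}}, "VisibilityConfig": _visibility("rateLimit")},
]


def _matches(statement: dict, request: dict) -> bool:
    """Evaluate the subset of statement types this example understands."""
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]
        if "UriPath" not in bm["FieldToMatch"]:
            return False
        path, needle = request["uri_path"], bm["SearchString"]
        return {"EXACTLY": path == needle,
                "STARTS_WITH": path.startswith(needle),
                "ENDS_WITH": path.endswith(needle),
                "CONTAINS": needle in path}[bm["PositionalConstraint"]]
    if "RateBasedStatement" in statement:
        # WAF counts requests per IP over a five-minute window; here the request
        # carries a constructed count for that window.
        return request["requests_from_ip_5min"] > statement["RateBasedStatement"]["Limit"]
    return False


def evaluate(rules: List[dict], request: dict,
             default_action: str = "Allow") -> Tuple[str, str, List[str]]:
    """Return (action, deciding rule name, counted rule names) for a request.

    Rules are walked in priority order; the first matching rule with a terminating
    action (Allow or Block) decides and later rules never see the request, which is
    the behaviour described above for a priority 0 match.
    """
    counted: List[str] = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))
        if action == "Count":
            counted.append(rule["Name"])
            continue
        return action, rule["Name"], counted
    return default_action, "default", counted


if __name__ == "__main__":
    # Constructed requests: a noisy health checker, an admin path from a flooding
    # IP, and an ordinary page view.
    for req in ({"uri_path": "/healthz", "requests_from_ip_5min": 5000},
                {"uri_path": "/admin/login", "requests_from_ip_5min": 1500},
                {"uri_path": "/index.html", "requests_from_ip_5min": 10}):
        print(req["uri_path"], "->", evaluate(WEB_ACL_RULES, req))
```

The health-check request is allowed by the priority 0 rule even though its request rate exceeds the limit, because the rate-limit rule never inspects it; the admin request is counted by the priority 1 rule and then blocked by the rate-limit rule.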
AWS Security Services: AWS Systems Manager
AWS Systems Manager is a group of services that gives customers better visibility and control over their infrastructure.
The basic idea behind AWS Systems Manager is that an SSM Agent is installed on the EC2 instances, and the customer sends specific tasks to that agent from the Systems Manager console.
AWS Systems Manager Agent (SSM Agent) is Amazon software that can be installed and configured on an Amazon EC2 instance, an on-premises server, or a virtual machine (VM).
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
- Amazon Linux
- Amazon Linux 2
- Ubuntu Server 16.04, 18.04, and 20.04
- Amazon Linux 2 ECS-Optimized Base AMIs
Part of AWS Systems Manager is Session Manager:
“Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs).... Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details, while providing end users with simple one-click cross-platform access to your managed nodes.”
Some of the notable benefits of Session Manager are as follows:
- Centralized access control using IAM policies
- No inbound ports need to be open
- Logging and auditing of session activity
- One-click access to instances from the console and CLI
- No need for a VPN to connect to instances
AWS Security Services: Amazon CloudWatch
As the name suggests:
“Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), IT managers, and product owners. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization.”
With CloudWatch, certain metrics are captured by default. Some of these include:
- CPU utilization
- Network-related metrics
- Disk-related metrics
The default metrics have limits, though. You may need additional or different metrics, such as memory, disk usage or netstat-related metrics, and you may also need to monitor logs, since having log files at hand is important during debugging.
That is where the Unified CloudWatch Agent helps: it collects both system-level metrics from inside the instance and log files.
Another aspect of this AWS security service is CloudWatch Events, which lets us respond to changes in our AWS environment in real time. For example, when an EC2 instance is terminated, we want to de-register it from all centralized servers, such as the monitoring server, AV server, IP server and others.
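The termination response described above, as an added example that is not Bloomip's or AWS's own code. The event shape (source, detail-type, detail.instance-id, detail.state) and the event-pattern syntax are those of CloudWatch Events / EventBridge; the in-memory registries standing in for the monitoring, AV and IP servers, the handler's extra `registries` parameter, and the sample instance IDs are assumptions made so the example runs offline.

```python
"""Added example, not Bloomip's or AWS's own code: reacting to an EC2 termination
event from CloudWatch Events (now EventBridge) by de-registering the instance from
central servers.

The event shape and the event-pattern syntax are AWS's own; the in-memory
registries, the handler's `registries` parameter and all IDs are assumptions.
"""
from typing import Any, Dict, Iterable, List, Optional

# Event pattern for the rule that routes only termination events to the target
# (a list means "any of these values").
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["terminated"]},
}

# Constructed event in the shape EventBridge delivers to a Lambda target.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-01-01T12:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
}


def matches_pattern(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Local approximation of EventBridge pattern matching for the subset used
    here: every pattern key must be present in the event, a list matches any of
    its values, and a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


class InMemoryRegistry:
    """Stand-in for a central server (monitoring, AV, IP management) that tracks
    instances by ID; the real thing would be an API call to that server."""

    def __init__(self, name: str, registered: Iterable[str]):
        self.name = name
        self.registered = set(registered)

    def deregister(self, instance_id: str) -> bool:
        if instance_id in self.registered:
            self.registered.remove(instance_id)
            return True
        return False


def handler(event: Dict[str, Any], context: Any = None,
            registries: Optional[List[InMemoryRegistry]] = None) -> Dict[str, Any]:
    """Lambda-style entry point: re-check the pattern so a misrouted event is
    ignored, then de-register the instance from every central server.
    Returns a summary so the outcome can be inspected."""
    if not matches_pattern(EVENT_PATTERN, event):
        return {"instance_id": event.get("detail", {}).get("instance-id"),
                "skipped": True, "deregistered_from": []}
    instance_id = event["detail"]["instance-id"]
    done = [reg.name for reg in (registries or []) if reg.deregister(instance_id)]
    return {"instance_id": instance_id, "skipped": False, "deregistered_from": done}


def demo() -> Dict[str, Any]:
    """Run the handler against constructed registries; only the servers that
    actually knew the instance report a de-registration."""
    registries = [
        InMemoryRegistry("monitoring", ["i-0123456789abcdef0", "i-0fedcba9876543210"]),
        InMemoryRegistry("antivirus", ["i-0123456789abcdef0"]),
        InMemoryRegistry("ipam", ["i-0fedcba9876543210"]),
    ]
    return handler(SAMPLE_EVENT, registries=registries)


if __name__ == "__main__":
    print(demo())
```

Re-checking the pattern inside the handler is deliberate: the EventBridge rule already filters on state, but a handler that trusts its input blindly will happily de-register a running instance if it is ever invoked with the wrong event.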
AWS Security Services: Amazon Athena
Amazon Athena is a service that lets us analyze log files stored in S3 using standard SQL. Here is a real-world use case that shows why Amazon Athena is useful.
Let's say an organization received a huge spike in traffic that took its systems down, and it needs to investigate whether the spike was genuine traffic or an attack. Querying the VPC Flow Logs with Amazon Athena can answer questions such as:
- How many accepted and rejected flows were recorded one hour before the spike?
- How many accepted and rejected flows were recorded one hour after the spike?
- Which IP addresses account for the most rejected flows?
- Which ENI received the highest spike?
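The four questions above, answered over VPC Flow Log records, as an added example that is not Bloomip's or AWS's own code. The SQL strings assume a table named vpc_flow_logs with the column names AWS's Athena documentation uses for flow logs (starttime, action, sourceaddress, interfaceid); the Python functions apply the same logic locally to constructed log lines in the default version-2 flow-log format so the example runs offline. The spike timestamp, account ID, ENI IDs and addresses are all made up.

```python
"""Added example, not Bloomip's or AWS's own code: the four flow-log questions
phrased as Athena SQL and also computed locally over constructed log lines.
The table name, column names, timestamps and addresses are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPIKE_TS = 1_700_000_000   # constructed Unix timestamp of the traffic spike
WINDOW = 3600              # one hour, as in the questions above

# Questions 1 and 2: format with lo=SPIKE_TS-WINDOW, hi=SPIKE_TS for "before"
# and lo=SPIKE_TS, hi=SPIKE_TS+WINDOW for "after". Question 4 is the same
# query with GROUP BY interfaceid and ORDER BY flows DESC LIMIT 1.
ATHENA_COUNTS_SQL = """
SELECT action, count(*) AS flows
FROM vpc_flow_logs
WHERE starttime BETWEEN {lo} AND {hi}
GROUP BY action;
"""

# Question 3: sources with the most rejected flows.
ATHENA_TOP_REJECTED_SQL = """
SELECT sourceaddress, count(*) AS rejects
FROM vpc_flow_logs
WHERE action = 'REJECT'
GROUP BY sourceaddress
ORDER BY rejects DESC
LIMIT 10;
"""

# Field order of the default (version 2) flow-log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class Flow:
    interface_id: str
    srcaddr: str
    start: int
    action: str


def parse_flow_log(line: str) -> Flow:
    """Parse one space-separated default-format flow-log line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return Flow(rec["interface_id"], rec["srcaddr"], int(rec["start"]), rec["action"])


def counts_in_window(flows: List[Flow], lo: int, hi: int) -> Tuple[int, int]:
    """Questions 1 and 2: (ACCEPT, REJECT) counts for flows starting in [lo, hi]."""
    c = Counter(f.action for f in flows if lo <= f.start <= hi)
    return c["ACCEPT"], c["REJECT"]


def top_rejected_sources(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Question 3: source addresses with the most REJECT records."""
    return Counter(f.srcaddr for f in flows if f.action == "REJECT").most_common(n)


def busiest_eni(flows: List[Flow], lo: int, hi: int) -> Optional[Tuple[str, int]]:
    """Question 4: the ENI with the most flows in the window, or None if empty."""
    c = Counter(f.interface_id for f in flows if lo <= f.start <= hi)
    return c.most_common(1)[0] if c else None


# Constructed sample lines: ordinary traffic before the spike, then repeated
# rejected connection attempts from one source against eni-...0001 after it.
SAMPLE_LINES = """
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.0.10 49152 443 6 10 1500 1699997000 1699997060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.0.10 51000 22 6 1 60 1699998000 1699998060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.0.11 49000 443 6 8 1200 1699999000 1699999060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.0.10 51001 23 6 1 60 1700000300 1700000360 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.0.10 51002 3389 6 1 60 1700000600 1700000660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.0.10 40000 443 6 1 60 1700000900 1700000960 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.0.11 49001 443 6 8 1200 1700001200 1700001260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.0.10 51003 443 6 1 60 1700001500 1700001560 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.0.11 49002 443 6 8 1200 1700010000 1700010060 ACCEPT OK
""".strip().splitlines()

FLOWS = [parse_flow_log(line) for line in SAMPLE_LINES]


def investigate(flows: List[Flow] = FLOWS, spike: int = SPIKE_TS) -> dict:
    """Answer all four questions for a spike timestamp."""
    return {
        "before": counts_in_window(flows, spike - WINDOW, spike),
        "after": counts_in_window(flows, spike, spike + WINDOW),
        "top_rejected": top_rejected_sources(flows),
        "busiest_eni": busiest_eni(flows, spike, spike + WINDOW),
    }


if __name__ == "__main__":
    print(investigate())
```

On the constructed data the reject count rises from one to three in the hour after the spike, a single source accounts for all but one of the rejects, and eni-...0001 carries the extra traffic, which is the kind of picture that separates a probe from a genuine surge in legitimate requests.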
AWS Security Services: AWS CloudTrail
AWS CloudTrail is a must for organizations that require governance, compliance, and operational and risk auditing of their AWS accounts. It records the activity that occurs across the account's infrastructure and servers and is enabled by default on AWS accounts.
AWS Security Services: Amazon Macie
Amazon Macie can be used to recognize sensitive information such as personally identifiable information (PII), database backups and data related to intellectual property. It discovers and protects your sensitive data at scale using machine learning and pattern matching.
AWS Security Services: Amazon Virtual Private Cloud
Amazon Virtual Private Cloud uses VPC Flow Logs like a visitor register. Many secure locations that receive visitors use the same concept (schools, nursing homes or hospitals, for example). A traditional visitor register records information such as name, destination, entry and exit time, and purpose of visit.
VPC Flow Logs is a feature that captures information about the IP traffic going to and from the network interfaces in your VPC. The scope of VPC Flow Logs:
- Records the traffic that reaches a resource (for example, an EC2 instance)
- Records which outbound endpoints a resource connects to
AWS Security Services: Amazon Simple Notification Service
Amazon Simple Notification Service (SNS) is a fully managed messaging and mobile notification service that delivers messages to subscribed endpoints.
Amazon CloudWatch integrates well with SNS. For instance, you might configure SNS to send an email and SMS notification to the NOC team whenever a server's disk usage exceeds 95%, or whenever the load on a production server exceeds 90%.
Is your organization using these 10 AWS security services to best effect? Get confident in your cloud security. Start a conversation with our AWS cloud experts and contact us.