In my previous articles, we looked at security governance in both small-scale and large-scale Amazon Web Services (AWS) environments.
In this article we will look at several security tools that we can quickly deploy to our AWS accounts. These tools are easy to implement, especially when you are working with a smaller number of accounts. In particular, we will explore:
The Center for Internet Security (CIS) maintains what many consider the industry-standard security hardening guides for a wide range of technologies. The CIS Amazon Web Services Foundations Benchmark provides a set of security configuration best practices for hardening AWS accounts.
AWS maintains a security-related Quick Start that implements a set of security best practices and continuous monitoring capabilities based on the CIS AWS security recommendations.
The AWS Quick Start can be found at https://aws-quickstart.s3.amazonaws.com/quickstart-compliance-cis-benchmark/templates/main.template. Here you will find a deployment guide, a security controls matrix that shows how the Quick Start maps to the CIS controls, and a set of AWS CloudFormation scripts to install the Quick Start. The CloudFormation scripts can also be pulled and modified to add other capabilities or update the checks to meet your needs.
Let’s take a quick look at some of the checks and the AWS capabilities used to implement them:
| AWS capability | What it implements |
| --- | --- |
| AWS CloudWatch Events | Implements checks to detect changes in: |
| CloudWatch Metrics and Alarms | Implements continuous monitoring on CloudTrail events sent to CloudWatch Logs for: |
| Config Rules | Implements custom Config rules and supporting AWS Lambda scripts for evaluating: |
There are a couple of things to be aware of with the default Quick Start:
When problems are detected by this AWS Quick Start, alert messages driven by CloudWatch Events and Alarms are sent via AWS Simple Notification Service (SNS) to an email address passed to the CloudFormation scripts. Issues flagged as non-compliant by Config Rules are viewable in the AWS Config Console.
One of AWS’ newer security services is AWS GuardDuty. GuardDuty is a managed threat detection service that monitors for malicious or unauthorized activity within your AWS accounts and workloads. GuardDuty applies analytics to your VPC flow logs, API calls recorded by CloudTrail, internal DNS resolver logs, and other data sources to look for potentially malicious activity.
AWS GuardDuty can be enabled via the AWS Console by:
GuardDuty is AWS Region dependent and must be enabled in every Region that is to be monitored. AWS recommends enabling it in all AWS Regions, as this provides the best coverage.
You can view and manage your GuardDuty findings on the Findings page in the AWS GuardDuty Console, using the GuardDuty CLI, or via API calls. Filters can be created to help review results or to auto-archive events to stop specific events from alerting. More details on GuardDuty Filters can be found here.
GuardDuty does not create an alerting mechanism when it is enabled, but it is easy to create a simple email alert system using AWS CloudWatch Events and AWS SNS. This will send all GuardDuty findings to the SNS topic’s subscribers.
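The alerting setup just described, as an added example that is not code from the original article: it builds the CloudWatch Events (EventBridge) pattern that selects GuardDuty findings, checks that pattern offline against a constructed sample finding using a small matcher that reproduces the subset of EventBridge pattern semantics the rule needs (literal lists and numeric comparisons), and wires the topic, subscription and rule together with boto3 calls. The helper name `deploy_alerting`, the topic and rule names, the optional severity threshold and the sample finding are all assumptions of this example.

```python
"""Email alerting for GuardDuty findings via a CloudWatch Events rule and an SNS topic.

Added example, not the article's code. The matcher mirrors EventBridge's
matching rules for the pattern shapes used here so the pattern can be
tested offline before it is deployed.
"""
import json
import operator

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def build_event_pattern(min_severity=None):
    """Pattern for a rule that fires on GuardDuty findings.

    min_severity=None reproduces the article's "send all findings" setup;
    a number keeps only findings at or above that GuardDuty severity score
    (assumed threshold, useful for cutting low-severity noise).
    """
    pattern = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
    if min_severity is not None:
        pattern["detail"] = {"severity": [{"numeric": [">=", min_severity]}]}
    return pattern


def _value_matches(candidates, value):
    # A field matches if any candidate matches: a literal, or a numeric
    # comparison list such as [">=", 7] or [">", 3, "<", 7].
    for cand in candidates:
        if isinstance(cand, dict) and "numeric" in cand:
            if not isinstance(value, (int, float)):
                continue
            ops = cand["numeric"]
            if all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif cand == value:
            return True
    return False


def event_matches(pattern, event):
    """True if every key of `pattern` is satisfied by `event` (AND across keys)."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not event_matches(spec, event[key]):
                return False
        elif not _value_matches(spec, event[key]):
            return False
    return True


# Constructed sample in the shape of a GuardDuty finding event; not a real finding.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Constructed sample finding title.",
        "resource": {"resourceType": "Instance"},
    },
}


def deploy_alerting(session, region, email, min_severity=None,
                    topic_name="guardduty-findings", rule_name="guardduty-findings-to-email"):
    """Create the SNS topic, email subscription and rule in one region.

    `session` is a boto3.Session with credentials; the resource names are
    assumptions. Rules are regional, so call this once per region in which
    GuardDuty is enabled.
    """
    sns = session.client("sns", region_name=region)
    events = session.client("events", region_name=region)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # The topic's resource policy must let the events service publish to it.
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish", "Resource": topic_arn}]}
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                             AttributeValue=json.dumps(policy))
    # The recipient has to confirm the subscription from the email SNS sends.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    events.put_rule(Name=rule_name, State="ENABLED",
                    EventPattern=json.dumps(build_event_pattern(min_severity)))
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns", "Arn": topic_arn}])
    return topic_arn
```

Two points are easy to miss when building this by hand: the rule and the detector are regional, so one rule in one region only covers findings raised there, and the SNS topic needs a resource policy that allows the events service to publish, otherwise the rule is created but nothing reaches the subscribers. The severity threshold is optional; the article's filters and auto-archive are the GuardDuty-side way to reduce noise, the pattern is the delivery-side way.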
The AWS Quick Start for the CIS AWS Benchmark and GuardDuty can be easily added to an AWS account to provide a more secure AWS configuration, threat intelligence, and continuous monitoring of the account. They provide a good start on reducing risk in how the account itself is accessed and managed, but they do not address all potential security issues one may encounter in the Cloud. The workload itself, the services used to build that workload, and the threat profile of the workload will drive the other security tools and processes that need to be implemented.