AWS Security Best Practices Part 4 : Detective Services

In this part of our AWS security best practices series, we look at the next major area of AWS security: visibility into your AWS resource inventory, changes in your infrastructure, and all API actions performed. As you may have guessed, we are talking about AWS Config, CloudTrail logs, CloudWatch and VPC Flow Logs. Together, these four can be termed the Detective Services from AWS. You can use them to track who did what and when, which is really useful for uncovering unauthorized access or the actions of a disgruntled employee!

Let’s analyze some of the important AWS features that enable monitoring, storing, and accessing logs and configurations containing information about your entire AWS infrastructure and the changes within it. The inventory and configuration management tools give you a constantly updated view of the configuration of all your AWS resources. They also let you monitor the overall compliance of your AWS resource configurations with business plans and guiding principles.

Inventory and configuration management tools

AWS Config

AWS Config is a fully managed service that provides customers with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Customers can create rules using Config Rules to automatically check the configuration of AWS resources recorded by AWS Config.

With AWS Config, it is easy for enterprises to discover existing and deleted AWS resources, determine overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

AWS CloudTrail

AWS CloudTrail is the most special service any AWS security detective would love. It is a web service that records AWS API calls for your account and delivers log files to you. The recorded data comprises the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. Simply a goldmine of all the access attempts, in any form, to your AWS infrastructure!

CloudTrail can facilitate compliance reporting for enterprises that use AWS and need to track the API calls for one or more AWS accounts. The service can also be configured to support security information and event management (SIEM) platforms and resource management.

With CloudTrail, it is easy to get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call records provided by CloudTrail enable security analysis, resource change tracking, and compliance auditing.

VPC Flow Logs

VPC Flow Logs is a feature provided by AWS that lets you monitor IP traffic going to and from network interfaces in your VPC. You can use it to check that no undesired traffic is reaching the EC2 instances within your VPC.

VPC Flow Logs data is stored in the form of CloudWatch Logs. You can create a flow log for a VPC, a subnet or a network interface. Each network interface has its own flow log stream. If you enable flow logs for a VPC, network traffic flow will be logged for all network interfaces in all the subnets within that VPC.

You cannot enable flow logs for any EC2 instance in the EC2-Classic platform. Hence, if you still have a few instances left in EC2-Classic, this is another reason you must move them to a VPC!

AWS CloudWatch

AWS CloudWatch is a monitoring service for AWS cloud resources and the applications running on AWS. It can be used to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. AWS CloudWatch is capable of monitoring several resources like Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances. It can also monitor custom metrics produced by your applications and services. It offers you system-wide visibility into resource utilization, application performance, and operational health. These insights are very helpful in keeping your application’s performance smooth.

Now let’s see the best practices which organizations should follow:

Enable AWS CloudTrail Logs even in regions where you don’t have instances

CloudTrail should be turned on, using the console or the command line interface, in all regions and not just in the regions where you have infrastructure set up. A compromise of your console credentials or of any AccessKey/SecretKey can lead to actions in all AWS regions. As at the time of this writing, IAM is still region-agnostic!

Hence, please do enable CloudTrail for all the regions. This can help you in following changes to resources, getting answers to your questions about user action, demonstrating compliance, troubleshooting, or performing security analysis. You can easily retrieve and view your log files.
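The following Python sketch is an added example, not part of the original post. It shows why trails in unused regions matter by grouping API calls made outside the regions you operate in, using the record fields described above. The region set, the sample records and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: the only regions where this account runs infrastructure.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

# Constructed identity and records in the CloudTrail log-file layout.
DEPLOY = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:02:11Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": DEPLOY},
    {"eventTime": "2016-03-01T23:40:05Z", "awsRegion": "ap-southeast-2",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair",
     "sourceIPAddress": "203.0.113.50", "userIdentity": DEPLOY},
    {"eventTime": "2016-03-01T23:41:37Z", "awsRegion": "ap-southeast-2",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.50", "userIdentity": DEPLOY,
     "errorCode": "Client.UnauthorizedOperation"},
]})

def unexpected_region_activity(log_text, expected=EXPECTED_REGIONS):
    """Group API calls made outside the expected regions by caller identity."""
    findings = defaultdict(list)
    for rec in json.loads(log_text).get("Records", []):
        region = rec.get("awsRegion")
        if region in expected:
            continue
        ident = rec.get("userIdentity", {})
        caller = ident.get("arn") or ident.get("type", "unknown")
        service = rec.get("eventSource", "?").split(".")[0]
        findings[caller].append({
            "time": rec.get("eventTime"),
            "region": region,
            "action": f"{service}:{rec.get('eventName')}",
            "source_ip": rec.get("sourceIPAddress"),
            "access_key": ident.get("accessKeyId"),
            "error": rec.get("errorCode"),  # failed calls are findings too
        })
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(unexpected_region_activity(SAMPLE_LOG), indent=2))
```

Without a trail in ap-southeast-2, neither of the two flagged calls would have been recorded at all.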

Enable AWS Config for all your major regions and for all the services you use

As discussed above, enabling AWS Config can be helpful in a wide range of use cases such as discovery, change management, continuous audit and compliance, and troubleshooting. Using AWS Config, an IT administrator can easily find out when and how any resource went out of compliance.

Enable VPC Flow Logs for all VPCs

It is always better to be safe than sorry, so it is recommended to enable flow logs for all your major production VPCs. Enabling VPC Flow Logs helps you capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs can also help you with multiple tasks, such as troubleshooting why specific traffic is not reaching an instance and monitoring the traffic that is reaching your instance.
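The Python sketch below is an added example, not part of the original post. It covers both tasks just mentioned: it parses records in the default flow log format, counts rejected packets, and counts accepted packets from outside the VPC to ports you consider sensitive. The VPC range, the watched ports and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumption: your VPC range
WATCHED_PORTS = {22, 3306, 3389}                # assumption: never public

# Constructed sample records, not taken from a real account.
SAMPLE = """\
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 22 6 3 180 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49153 22 6 2 120 1457000060 1457000120 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.25 51000 443 6 20 4800 1457000000 1457000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.44 10.0.1.25 40000 3306 6 5 300 1457000000 1457000060 ACCEPT OK
2 111122223333 eni-0e5f6a7b - - - - - - - 1457000000 1457000060 - NODATA
"""

def parse(line):
    """Return a dict for a usable record, or None for NODATA/SKIPDATA/garbage."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # address and port fields are "-" here
        return None
    rec["dstport"], rec["packets"] = int(rec["dstport"]), int(rec["packets"])
    return rec

def summarize(text):
    """Count packets per (interface, source, dstport): what is being blocked,
    and what outside traffic is accepted on watched ports. Flow log records
    carry no direction field, so the port match is a heuristic."""
    rejected, exposed = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["interface_id"], rec["srcaddr"], rec["dstport"])
        external = ipaddress.ip_address(rec["srcaddr"]) not in VPC_CIDR
        if rec["action"] == "REJECT":
            rejected[key] += rec["packets"]
        elif external and rec["dstport"] in WATCHED_PORTS:
            exposed[key] += rec["packets"]
    return rejected, exposed
```

On the sample, the SSH attempts show up as rejected, while the accepted MySQL connection from an outside address points at a security group rule worth reviewing.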

Enable ELB Access Logs for all public ELBs

By enabling ELB access logs, you get easy access to logs that contain comprehensive information about all requests sent to your load balancer.

Enable Termination Protection for your critical EC2 production instances

Enabling termination protection can prevent your instance from being terminated by mistake using Amazon EC2 APIs. It mainly helps you avoid accidental termination of your critical EC2 instances. It also adds an extra layer of security: even when your AccessKey/SecretKey has been compromised, the attacker cannot terminate the instances unless your AWS console is also compromised.

You must follow these simple tips religiously and ensure that you use all these detective services provided by AWS. The idea is to be prepared. Security should be treated as task zero on the AWS cloud.

Getting deep insights into the behaviour and performance of your cloud computing resources is of the utmost importance. It is also important to examine the various parameters that let enterprises proactively monitor critical cloud infrastructure, including applications hosted on the cloud. You must perform regular AWS security audits to ensure that all the AWS security best practices are being followed for your AWS infrastructure. But performing such an extensive audit manually at regular intervals, even once a day, is a difficult task.

Botmetric’s thorough AWS security audit helps you discover AWS security best practices violations within minutes. It also allows you to automate security audit of your infrastructure and deliver results directly to your inbox.


Hope this post helps you in strengthening your AWS cloud infrastructure’s security. We would love to hear your feedback and questions.
