Taking a Look at AWS and Cloud Security Monitoring

More and more companies understand the benefits of cloud computing, which is making their migration to the cloud more rapid. Per IDG’s 2020 Cloud Computing Study, 81% of organizations said that they’ve migrated either one application or a portion of their infrastructure to the cloud. The reasons why a company would shift its services towards the cloud depend on its business priorities, of course. General reasons for migrating include 1) cost-savings, 2) reliability, 3) scalability, and 4) flexibility.

Even so, it’s important that organizations implement the necessary security controls to once they’ve migrated to the cloud. This whitepaper puts particular focus on cloud-native security controls offered by Amazon Web Services (AWS), one of the most common public cloud infrastructure providers used by organizations today. The controls in Network Security and Endpoint as well as Services Security can help security engineers to protect the AWS infrastructure and ensure that they function effectively.

Let’s break them down below.

AWS Organization and VPC

AWS architecture provides maximum accessibility to services within the same geographical area and helps organizations have a higher uptime. Geographical areas called regions are where physical data centers are located. Within a region, there can be several Availability Zones (AZ) hosting multiple isolated data centers. So, a company can have multiple accounts for different projects/environments and for accessing AWS services across different AWS regions. In the end, accounts can be managed separately or controlled and monitored under AWS Organizations.  

Amazon VPC, a virtual data center located on the cloud, is the foundation of AWS environments. Organizations can build virtual networks within, launch different infrastructure resources from a VPC, and achieve high availability by placing various servers in multiple AZs and having multiple subnets of a VPC. Each subnet, in turn, routes traffic between the subnet and other VPC networking components. Other VPC networking components include Security Groups (SG) and Network Access Control List (NACL), Internet Gateways and NAT Gateways, Route Tables and VPNs, as well as direct connect and VPC endpoints.

To capture and troubleshoot traffic flows, security groups, and NACLs rules, VPC Flow logs are used. They can be created for specific networks, subnets, or a VPC, and they can be configured to capture different types of traffic on various AWS services. However, they cannot be used for traffic inspection since they don’t capture traffic instantaneously. Instead, VPC Traffic Mirroring can capture almost-real-time traffic and send a copy of the output to out-of-band security appliances.

The Reachability Analyzer, a new feature in the VPC, examines network communication pathways between resources by showing either all hops in the path from source to destination for reachable destinations or configurations blocking communication for unreachable destinations. Unlike ping, which uses packets, Amazon VPC builds a model of the network configuration and then assesses that configuration.

By using technical controls such as Network Security, Endpoint and Services Security, and Monitoring and Automation, the infrastructure can be sufficiently protected.  

Deploying Security Controls

Using AWS native services such as AWS Network Firewalls, AWS Web Application Firewalls (WAF), AWS Shield, or 3^rd-party software available in AWS Marketplace, security engineers can organize various security controls. Here’s some context on how these services can help:

AWS Network Firewall provides network protection for Amazon VPCs by inspecting traffic flow for matches against a database of known threat signatures and anomalies.

WAF provides Layer 7 protection for AWS services against common web application exploits, and WAF rules can be either built from scratch or pre-configured.

AWS Shield provides Standard and Advanced protection against DDoS incidents, with the Advanced protection offering additional benefits such as 24/7 accessibility to the AWS DDoS Response Team and cost protection against spikes.

To control all these different security rules and policies, AWS Firewall Manager can be extended to numerous AWS accounts under the same AWS organizations. It can also be used to eliminate unused and redundant security groups.

Securing and Monitoring Endpoints

Security and monitoring of the different types of endpoints is essential, and several AWS services are available to help organizations do this. For instance, Amazon CloudWatch monitors real time traffic, collects logs for different AWS services and applications, as well as collects performance metrics among many other operations. It integrates well with other security monitoring tools such as AWS CloudTrail, an auditing service which records all account activities and events history, tracks changes, and proves non-repudiation. It then publishes the logs to Amazon CloudWatch.

Easily managing the various company assets located in the cloud can be done using AWS System Manager. It provides services that are suited for different purposes in system management, monitoring, and automation such as AWS System Manager Inventory, AWS System Manager Distributor, AWS System Manager Patch Manager, AWS System Sessions Manager, and AWS System Automation.

Continuous Monitoring

To ensure a company’s assets in the cloud remain safe from attacks and run as they should, continuous monitoring tools are used to detect and respond to threats as well as to constantly evaluate resources.

As an example, Amazon Inspector is used to find vulnerabilities and security misconfigurations by using pre-defined assessment templates. Each assessment template contains rules packages that instruct Amazon Inspector on how the assessment target should be evaluated. There are four rules packages: 1) Network reachability, 2) Common vulnerability and exposures (CVEs), 3) Center for Internet Security (CIS) benchmarks, and 4) Security best practices.

While Amazon Inspector finds the vulnerabilities, Amazon GuardDuty detects various types of threats and unauthorized behaviors. Once a threat has been detected, Amazon Detective can help a security engineer with incident investigation and threat hunting.

Ensuring that OSes, applications, and database are compliant is the job of services such as AWS Config and AWS Audit Manager. AWS Config ensures that technical controls that meet compliance requirements are in place, while AWS Audit Manager collects the evidence to show that these technical controls are implemented. 

Viewing all the security controls from different services and AWS accounts within a company from a centralized console can be achieved with either AWS Security Hub or AWS -ELK (Elasticsearch, Logstash and Kibana), which is offered as a SaaS.

Automating Services

Many AWS services have automation built-in to continuously run assessments, collect information, and combine results. Scripts can be run to complete a specific task using services like System Manager Run Command and System Manager Automation.

Both AWS CloudTrail and CloudWatch Events allow for full automation, i.e., finding the event, sending an alarm, and then triggering a remediation action. CloudWatch integrates with almost every AWS service, and an event will trigger a CloudWatch Event that is captured by CloudTrail and invokes an action based on the event patterns.

Conclusion

The various AWS native managed security services outlined in this review can help organizations decide how they best fit into their security landscape. Implementing these services can help organizations reduce operations complexities and workloads, better discern the environment’s security standing, and eliminate costs by removing unnecessary duplicate 3^rd-party controls.

Not all organizations can implement those measures on their own, however. That’s because many don’t have just AWS environments to worry about. In July 2021, for instance, 73% of security professionals told Dimensional Research in a recent survey that their employers have a multi-cloud strategy. This figure doesn’t even consider the number of organizations that need to secure hybrid-cloud environments.

Fortunately, Tripwire’s cybersecurity solutions help organizations to achieve complete visibility of their entire infrastructure including single AWS deployments, multi-cloud environments, and hybrid-cloud arrangements. Those tools then help security teams to monitor their connected assets’ configurations and manage any known vulnerabilities.

Learn more about Tripwire’s cloud cybersecurity solutions here.

About the Author: With a passion for cybersecurity education and awareness, Liselle Henry is currently a 2nd-year Cybersecurity student at Fanshawe College Ontario who enjoys researching and writing about current cybersecurity issues and technologies along with their impact in various industries.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.