SlideShare a Scribd company logo

Beginners guide to aws security monitoring

R
rahuldesh

AWS Security Handbook for beginners from Alien Vault

Technology
1 of 12
Download to read offline
Beginner’s Guide to AWS Security Monitoring www.alienvault.com
Organizations around the world are embracing the benefits of shifting their workloads, apps, and services to Amazon Web Services (AWS) and other popular cloud infrastructure-as-a- service (IaaS) providers. Forrester Research1 predicts that more than half of global enterprises will rely on public cloud computing for their businesses by the end of 2018. At the same time, cloud security concerns continue to rise. According to a 2018 Cloud Security Report from Cybersecurity Insiders2 , 91% of respondents are concerned about cloud security, an increase of 11% over last year’s report. While security concerns haven’t slowed down the migration of workloads to the cloud, by examining these in detail, we can learn how to avoid making costly mistakes that leave our data exposed. The truth is that the top three biggest security concerns are all based on operational error. The good news? You can fix these (we’ll tell you how). The bad news? Left exposed, these mistakes provide huge gaps that an attacker can walk right through. And because of that, continuous security monitoring of your AWS assets, configuration, and infrastructure is essential. Introduction 1 Forrester Predictions 2018: Cloud Computing Accelerates Enterprise Transformation Every Where 2 2018 Cloud Security Report
TOP 3 AWS Security Concerns Experience is one of the best ways to gain knowledge. And as more enterprises move their critical workloads into the cloud, they’ve started to experience a bit of a steep learning curve. One that may also result in a few configuration errors along the way. The hope is that they realize the error of their ways before an attacker does. In the meantime, security monitoring will catch it in real-time. PLATFORM MISCONFIGURATION. AWS offers a number of security features from identity and access management (IAM) to security zones to multi-factor authentication to encryption (just to name a few). And for a new administrator, it may become a bit overwhelming to get all of those details completely right. Some organizations have learned by trial and error, and unfortunately, those errors have included leaving S3 buckets unsecured, exposing sensitive data to the world wide web. Attackers know that stolen PII is valuable and can be sold on the black market to cyber criminals to be repurposed in identity theft, fraud and other nefarious ways. 01
UNAUTHORIZED ACCESS. No matter how many security controls you may have in place, once an attacker has a set of authorized credentials, he can do a significant amount of damage under the guise of an authorized user. Credentials have enormous value - especially privileged ones with root and domain levels of access. Monitoring privileged access and privilege escalation activity within your AWS workloads is essential. By actively monitoring privileged account access and activities, you’ll be able to detect abnormal and suspicious behavior (e.g. direct and frequent downloads from a database housing customer data). TOP 3 AWS Security Concerns 02
INSECURE INTERFACES AND APIS. Without APIs, it would be nearly impossible to achieve all of the benefits that cloud platforms like AWS offer. By automating and enabling data transfer and use among disparate services, these interfaces unlock enormous scalability and efficiency gains. At the same time, if APIs are not carefully coded and configured, they pose significant security risks in terms of confidentiality, integrity, availability and accountability. Continuous monitoring of your AWS workloads and periodic vulnerability scans of your AWS environment will alert you to critical gaps that need attention. TOP 3 AWS Security Concerns 03
Getting Started with AWS Security Best Practices
AWS offers significant advantages for many organizations with its innovative technology model. However, one aspect of this innovation that can present unanticipated challenges is its ‘Shared Responsibility’ security model. As Amazon explains, “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center.” That means that if you rely on AWS, you need to regularly evaluate the configuration of your network access and security controls. Otherwise, you could inadvertently deploy insecure configurations, putting your instances and assets at risk. 01 Understand the Shared Responsibility Model
To avoid common cloud configuration errors and credential mismanagement, follow these key guidelines: ›› Lock down your root, domain, and administrator-level account credentials. Treat user accounts (especially privileged ones) like toothbrushes… it’s never healthy to share them. In fact, it can be dangerous. In addition, periodically reset passwords for privileged accounts and consider using password managers or other tools to protect these credentials. Another goal of locking down privileged account use is to always follow the model of principle of least privilege - only use root or administrator level account access when it’s absolutely necessary for the job at hand. That way, any mistakes are much more easily contained. ›› Use IAM Roles and Temporary Credentials: IAM roles can be used to define permission levels for different resources and applications that run on EC2 instances. When you launch an EC2 instance, you can assign an IAM role to it, eliminating the need for your applications to use AWS credentials to make API requests. This is one of the best tools when it comes to security in AWS. First of all, IAM roles can be very granular; you can control access at a resource level and for actions that can be performed. And when using IAM roles, if your EC2 instance gets compromised, you do not need to revoke credentials. ›› Enable MFA (multi-factor authentication). By using more than one factor to prove that you are who you say you are (something you have + something you know + time of day/location), it becomes much more difficult for a cyber attacker to impersonate you. ›› Limit administrative access with AWS Security Groups. Functioning much like gateway firewalls, Security Groups enable you to manage and apply access policies to instances that have similar functions and security requirements. For example, by restricting administrative access to only specific IP addresses, Security Groups helps block attackers who may try to probe your AWS environment. ›› Use VPCs (virtual private clouds). An Amazon Virtual Private Cloud (or VPC) is a virtual network that runs in your AWS account. This virtual network presents some key advantages from a security point of view: the network is isolated from other resources, it is not routable to the Internet by default, and you can apply security groups and access control lists to reduce the attack surface. ›› Activate native AWS monitoring tools. AWS monitoring tools such as CloudTrail, CloudWatch and VPC Flow Logs provide baseline information about how data flows in and out of your AWS environment. These also store rich data that can be correlated with other event log data from your critical assets to spot intrusions, identify suspicious behavior as well as collect indicators of compromise. 02 Identify the most common cloud configuration errors and make sure to avoid them
Unfortunately, cyber attackers don’t always use the same tools or techniques in every attack. But, there are enough common characteristics in AWS attacks to draw some instructive conclusions. Here are some specific warning signs to watch our for to detect an attack in progress: 1. AWS Temporary security credentials with long duration - Attackers will use temporary credentials with long lives to maintain connection persistence. 2. New AWS user account starting a high number of instances - Malicious actors will do this in an attempt to disrupt incident response efforts. 3. New user account used to delete multiple users - Once an attacker has created a new user account for themselves, they can use it to lock out legitimate users (en masse). 4. New AWS user account starting a high number of instances - While this activity could be a rookie user making an honest mistake, it could also be an attacker cryptojacking your valuable AWS resources. 5. Multiple instances being started or shut down programmatically - Attackers like to automate their exploits, and this is a clear signal one is in process. 6. CloudTrail log deleted - This could be an indication that an attacker is erasing traces of their malicious activity by deleting logs. 03 Know the prevailing types of AWS attacks and what activities attackers perform (so you can thwart them if/when they happen)
AWS logs to enable for EFFECTIVE SECURITY MONITORING Type of AWS Logs Description Security Relevance CloudWatch AWS CloudWatch logs let you monitor and troubleshoot your systems and applications using your existing system, application and custom log files. By using CloudWatch logs, you can monitor activity, in near real time, for specific phrases, values or patterns. Alarms can be triggered if certain suspicious patterns are found. In addition, security analysts can access the original log data for in-depth forensic investigations. CloudTrail AWS CloudTrail service enables logging of all account activities on different AWS resources (e.g. IAM console logins). Once enabled, AWS CloudTrail logs are delivered to your AWS S3 bucket. CloudTrail records important details about all AWS activity, including user accounts making requests, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. With this information, you can easily track changes made to AWS resources to verify compliance, mitigate operational issues, and reduce risks. VPC Flow Logs / Virtual Private Cloud VPC or Virtual Private Cloud flow logs capture network-level activity and connections among all the nodes on a VPC. Network flow data provides essential forensic clues for security incident and data breach investigations. Central to your AWS security monitoring program, VPC flow logs empower you to examine and monitor network flow data to verify compliance and detect threats. This network flow data includes: ●● Inbound network connections from external IP addresses ●● Traffic produced by traditional services (such as NFS file shares) on the internal network ●● Connections between microservices and APIs S3 Server Access / Simple Storage Service S3 is Amazon’s Simple Storage Service, which acts as a central database for your AWS environment. S3 server access logging provides detailed records for the requests that are made to a bucket, enabling security teams to track down whether API calls are authorized and verify that these access requests don’t put sensitive data at risk. ELB / Elastic Load Balancing ELB or Elastic Load Balancing provides access logs containing details of requests sent to your load balancer. You can use ELB access logs to analyze traffic patterns, troubleshoot issues, and investigate any suspicious activity. Because each log contains information such as the time the load balancing request was received, the client’s IP address, latencies, request paths, and server responses, you can use these details to build comprehensive security incident timelines. Fortunately, AWS provides extensive logging, giving you detailed visibility into what is happening in your environment. Here’s a summary of the different types of AWS logs and the purpose each can serve from a security perspective.
AWS provides a wealth of logging features and raw audit log data to help you monitor the overall security and compliance posture of your AWS assets. The next challenge is deriving actionable and relevant information from those mountains of event logs. Third party log analysis and event correlation tools apply correlation logic to AWS log data to alert you when emerging threats, as well as AWS misconfiguration and policy violations, expose your AWS assets to risk. Some of these tools can also integrate your on-premises event log data with your AWS log data for a complete picture of your security and compliance posture. That said, not all log analysis and event correlation tools are the same. Make sure you verify that they will work with your AWS environment as easily as they do within your on-premises environment. A consistent and unified security monitoring program across your environments will drive rapid and targeted incident response. Use the following questions to inform your log analysis tool evaluation process. 1. Questions to ask your AWS Security Monitoring Partner: 2. How do you detect cryptojacking or cryptomining activities in the cloud? 3. How do you detect AWS misconfigurations or other security exposures? 4. Which of the native AWS log file types do you support? 5. Which cloud-based enterprise apps can you collect logs for? (e.g. G Suite, Office 365, etc.) 6. What type of alarms does your tool generate? 7. How does your tool correlate events across disparate data sources and environments? 8. What are your capabilities for long term event log data storage? 9. What type of compliance reports does your tool generate? 10. What other security controls does your tool offer or integrate with (e.g. security automation and orchestration, file integrity monitoring, etc.)? 11. How does your tool automate threat hunting? 12. From what sources do you get your threat intelligence and security research? 04 Integrate native AWS Security Monitoring Tools with third-party apps
AlienVault® USM Anywhere is an all-in-one platform that delivers powerful threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. Unlike traditional security approaches that try to retrofit their network-centric approach to AWS, USM Anywhere is optimized for AWS with support for: ›› CloudTrail monitoring & alerting ›› S3 access log monitoring & alerting ›› ELB access log monitoring & alerting ›› AWS API asset discovery ›› AWS-native cloud intrusion detection ›› AWS vulnerability assessment ›› AWS infrastructure assessment USM Anywhere provides an integrated security monitoring platform, saving you time and money so you can fully benefit from the speed and agility advantages of AWS. You can deploy USM Anywhere within minutes, and start detecting threats the same day. Learn more: AWS Security Monitoring with AlienVault USM Anywhere Watch a 2-minute Overview Video Explore the Online Demo Environment How AlienVault Can Help

Recommended

AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...Amazon Web Services
 
Threat detection and mitigation at AWS
Threat detection and mitigation at AWSThreat detection and mitigation at AWS
Threat detection and mitigation at AWSNathan Case
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityVAST
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices Cloudride LTD
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Cloud Security Demo
Cloud Security DemoCloud Security Demo
Cloud Security DemoCheah Eng Soon
 

Recommended

AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...Amazon Web Services
 
Threat detection and mitigation at AWS
Threat detection and mitigation at AWSThreat detection and mitigation at AWS
Threat detection and mitigation at AWSNathan Case
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityVAST
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices Cloudride LTD
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Cloud Security Demo
Cloud Security DemoCloud Security Demo
Cloud Security DemoCheah Eng Soon
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
GDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best PracticesGDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best PracticesAhmad Khan
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questionsShivamSharma909
 
Tcp security white paper
Tcp security white paperTcp security white paper
Tcp security white paperWilliam McIntosh
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security AWS Chicago
 
Containers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environmentsContainers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environmentsdhubbard858
 
Cloud App Security
Cloud App SecurityCloud App Security
Cloud App SecurityAlvaro Rezende
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityHari Kumar
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
How to get deeper administration insights into your tenant
How to get deeper administration insights into your tenantHow to get deeper administration insights into your tenant
How to get deeper administration insights into your tenantRobert Crane
 
Data Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud eraData Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud eraDavid De Vos
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security DemoCheah Eng Soon
 
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Amazon Web Services
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips Mario Worwell
 
The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfCraw Cyber Security
 
Incident response in cloud environments
Incident response in cloud environmentsIncident response in cloud environments
Incident response in cloud environmentsMohamed (Mody) Mohamed, MSc, CISSP
 

More Related Content

What's hot

The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
GDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best PracticesGDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best PracticesAhmad Khan
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questionsShivamSharma909
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security AWS Chicago
 
Containers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environmentsContainers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environmentsdhubbard858
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityHari Kumar
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
How to get deeper administration insights into your tenant
How to get deeper administration insights into your tenantHow to get deeper administration insights into your tenant
How to get deeper administration insights into your tenantRobert Crane
 
Data Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud eraData Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud eraDavid De Vos
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security DemoCheah Eng Soon
 
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Amazon Web Services
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips Mario Worwell
 

What's hot (20)

The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
GDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best PracticesGDPR - Top 10 AWS Security and Compliance Best Practices
GDPR - Top 10 AWS Security and Compliance Best Practices
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASB
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questions
 
Tcp security white paper
Tcp security white paperTcp security white paper
Tcp security white paper
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
 
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security Ryan Smith's talk from the AWS Chicago user group May 22 - Security
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
 
Containers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environmentsContainers at risk a review of 21,000 cloud environments
Containers at risk a review of 21,000 cloud environments
 
Cloud App Security
Cloud App SecurityCloud App Security
Cloud App Security
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of Needles
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls Security
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overview
 
How to get deeper administration insights into your tenant
How to get deeper administration insights into your tenantHow to get deeper administration insights into your tenant
How to get deeper administration insights into your tenant
 
Data Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud eraData Protection & Shadow IT in a cloud era
Data Protection & Shadow IT in a cloud era
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security Demo
 
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips
 

Similar to Beginners guide to aws security monitoring

The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfCraw Cyber Security
 
Aws security-pillar
Aws security-pillarAws security-pillar
Aws security-pillarsaifam
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureQualys
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Marcela Cárdenas Hidalgo
 
AWS User Group - Security & Compliance
AWS User Group - Security & ComplianceAWS User Group - Security & Compliance
AWS User Group - Security & ComplianceSatish Kumar Natarajan
 
AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9Amazon Web Services
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSAmazon Web Services
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSAmazon Web Services
 
AWS Security Essentials
AWS Security EssentialsAWS Security Essentials
AWS Security EssentialsAaron Bedra
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudAmazon Web Services
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security SuperheroAmazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020David McDaniel
 
How to implement cloud computing security
How to implement cloud computing securityHow to implement cloud computing security
How to implement cloud computing securityRandall Spence
 
Demystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorDemystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorAmazon Web Services
 

Similar to Beginners guide to aws security monitoring (20)

The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdf
 
Incident response in cloud environments
Incident response in cloud environmentsIncident response in cloud environments
Incident response in cloud environments
 
Aws security-pillar
Aws security-pillarAws security-pillar
Aws security-pillar
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
 
Oas un llamado a la accion
Oas un llamado a la accionOas un llamado a la accion
Oas un llamado a la accion
 
AWS User Group - Security & Compliance
AWS User Group - Security & ComplianceAWS User Group - Security & Compliance
AWS User Group - Security & Compliance
 
Aws security-pillar
Aws security-pillarAws security-pillar
Aws security-pillar
 
AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWS
 
Understanding AWS Security
Understanding AWS Security Understanding AWS Security
Understanding AWS Security
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
 
AWS Security Essentials
AWS Security EssentialsAWS Security Essentials
AWS Security Essentials
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel Cloud
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020
 
How to implement cloud computing security
How to implement cloud computing securityHow to implement cloud computing security
How to implement cloud computing security
 
Demystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorDemystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public Sector
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Beginners guide to aws security monitoring

  • 1. Beginner’s Guide to AWS Security Monitoring www.alienvault.com
  • 2. Organizations around the world are embracing the benefits of shifting their workloads, apps, and services to Amazon Web Services (AWS) and other popular cloud infrastructure-as-a- service (IaaS) providers. Forrester Research1 predicts that more than half of global enterprises will rely on public cloud computing for their businesses by the end of 2018. At the same time, cloud security concerns continue to rise. According to a 2018 Cloud Security Report from Cybersecurity Insiders2 , 91% of respondents are concerned about cloud security, an increase of 11% over last year’s report. While security concerns haven’t slowed down the migration of workloads to the cloud, by examining these in detail, we can learn how to avoid making costly mistakes that leave our data exposed. The truth is that the top three biggest security concerns are all based on operational error. The good news? You can fix these (we’ll tell you how). The bad news? Left exposed, these mistakes provide huge gaps that an attacker can walk right through. And because of that, continuous security monitoring of your AWS assets, configuration, and infrastructure is essential. Introduction 1 Forrester Predictions 2018: Cloud Computing Accelerates Enterprise Transformation Every Where 2 2018 Cloud Security Report
  • 3. TOP 3 AWS Security Concerns Experience is one of the best ways to gain knowledge. And as more enterprises move their critical workloads into the cloud, they’ve started to experience a bit of a steep learning curve. One that may also result in a few configuration errors along the way. The hope is that they realize the error of their ways before an attacker does. In the meantime, security monitoring will catch it in real-time. PLATFORM MISCONFIGURATION. AWS offers a number of security features from identity and access management (IAM) to security zones to multi-factor authentication to encryption (just to name a few). And for a new administrator, it may become a bit overwhelming to get all of those details completely right. Some organizations have learned by trial and error, and unfortunately, those errors have included leaving S3 buckets unsecured, exposing sensitive data to the world wide web. Attackers know that stolen PII is valuable and can be sold on the black market to cyber criminals to be repurposed in identity theft, fraud and other nefarious ways. 01
  • 4. UNAUTHORIZED ACCESS. No matter how many security controls you may have in place, once an attacker has a set of authorized credentials, he can do a significant amount of damage under the guise of an authorized user. Credentials have enormous value - especially privileged ones with root and domain levels of access. Monitoring privileged access and privilege escalation activity within your AWS workloads is essential. By actively monitoring privileged account access and activities, you’ll be able to detect abnormal and suspicious behavior (e.g. direct and frequent downloads from a database housing customer data). TOP 3 AWS Security Concerns 02
  • 5. INSECURE INTERFACES AND APIS. Without APIs, it would be nearly impossible to achieve all of the benefits that cloud platforms like AWS offer. By automating and enabling data transfer and use among disparate services, these interfaces unlock enormous scalability and efficiency gains. At the same time, if APIs are not carefully coded and configured, they pose significant security risks in terms of confidentiality, integrity, availability and accountability. Continuous monitoring of your AWS workloads and periodic vulnerability scans of your AWS environment will alert you to critical gaps that need attention. TOP 3 AWS Security Concerns 03
  • 7. AWS offers significant advantages for many organizations with its innovative technology model. However, one aspect of this innovation that can present unanticipated challenges is its ‘Shared Responsibility’ security model. As Amazon explains, “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center.” That means that if you rely on AWS, you need to regularly evaluate the configuration of your network access and security controls. Otherwise, you could inadvertently deploy insecure configurations, putting your instances and assets at risk. 01 Understand the Shared Responsibility Model
  • 8. To avoid common cloud configuration errors and credential mismanagement, follow these key guidelines: ›› Lock down your root, domain, and administrator-level account credentials. Treat user accounts (especially privileged ones) like toothbrushes… it’s never healthy to share them. In fact, it can be dangerous. In addition, periodically reset passwords for privileged accounts and consider using password managers or other tools to protect these credentials. Another goal of locking down privileged account use is to always follow the model of principle of least privilege - only use root or administrator level account access when it’s absolutely necessary for the job at hand. That way, any mistakes are much more easily contained. ›› Use IAM Roles and Temporary Credentials: IAM roles can be used to define permission levels for different resources and applications that run on EC2 instances. When you launch an EC2 instance, you can assign an IAM role to it, eliminating the need for your applications to use AWS credentials to make API requests. This is one of the best tools when it comes to security in AWS. First of all, IAM roles can be very granular; you can control access at a resource level and for actions that can be performed. And when using IAM roles, if your EC2 instance gets compromised, you do not need to revoke credentials. ›› Enable MFA (multi-factor authentication). By using more than one factor to prove that you are who you say you are (something you have + something you know + time of day/location), it becomes much more difficult for a cyber attacker to impersonate you. ›› Limit administrative access with AWS Security Groups. Functioning much like gateway firewalls, Security Groups enable you to manage and apply access policies to instances that have similar functions and security requirements. For example, by restricting administrative access to only specific IP addresses, Security Groups helps block attackers who may try to probe your AWS environment. ›› Use VPCs (virtual private clouds). An Amazon Virtual Private Cloud (or VPC) is a virtual network that runs in your AWS account. This virtual network presents some key advantages from a security point of view: the network is isolated from other resources, it is not routable to the Internet by default, and you can apply security groups and access control lists to reduce the attack surface. ›› Activate native AWS monitoring tools. AWS monitoring tools such as CloudTrail, CloudWatch and VPC Flow Logs provide baseline information about how data flows in and out of your AWS environment. These also store rich data that can be correlated with other event log data from your critical assets to spot intrusions, identify suspicious behavior as well as collect indicators of compromise. 02 Identify the most common cloud configuration errors and make sure to avoid them
  • 9. Unfortunately, cyber attackers don’t always use the same tools or techniques in every attack. But, there are enough common characteristics in AWS attacks to draw some instructive conclusions. Here are some specific warning signs to watch our for to detect an attack in progress: 1. AWS Temporary security credentials with long duration - Attackers will use temporary credentials with long lives to maintain connection persistence. 2. New AWS user account starting a high number of instances - Malicious actors will do this in an attempt to disrupt incident response efforts. 3. New user account used to delete multiple users - Once an attacker has created a new user account for themselves, they can use it to lock out legitimate users (en masse). 4. New AWS user account starting a high number of instances - While this activity could be a rookie user making an honest mistake, it could also be an attacker cryptojacking your valuable AWS resources. 5. Multiple instances being started or shut down programmatically - Attackers like to automate their exploits, and this is a clear signal one is in process. 6. CloudTrail log deleted - This could be an indication that an attacker is erasing traces of their malicious activity by deleting logs. 03 Know the prevailing types of AWS attacks and what activities attackers perform (so you can thwart them if/when they happen)
  • 10. AWS logs to enable for EFFECTIVE SECURITY MONITORING Type of AWS Logs Description Security Relevance CloudWatch AWS CloudWatch logs let you monitor and troubleshoot your systems and applications using your existing system, application and custom log files. By using CloudWatch logs, you can monitor activity, in near real time, for specific phrases, values or patterns. Alarms can be triggered if certain suspicious patterns are found. In addition, security analysts can access the original log data for in-depth forensic investigations. CloudTrail AWS CloudTrail service enables logging of all account activities on different AWS resources (e.g. IAM console logins). Once enabled, AWS CloudTrail logs are delivered to your AWS S3 bucket. CloudTrail records important details about all AWS activity, including user accounts making requests, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. With this information, you can easily track changes made to AWS resources to verify compliance, mitigate operational issues, and reduce risks. VPC Flow Logs / Virtual Private Cloud VPC or Virtual Private Cloud flow logs capture network-level activity and connections among all the nodes on a VPC. Network flow data provides essential forensic clues for security incident and data breach investigations. Central to your AWS security monitoring program, VPC flow logs empower you to examine and monitor network flow data to verify compliance and detect threats. This network flow data includes: ●● Inbound network connections from external IP addresses ●● Traffic produced by traditional services (such as NFS file shares) on the internal network ●● Connections between microservices and APIs S3 Server Access / Simple Storage Service S3 is Amazon’s Simple Storage Service, which acts as a central database for your AWS environment. S3 server access logging provides detailed records for the requests that are made to a bucket, enabling security teams to track down whether API calls are authorized and verify that these access requests don’t put sensitive data at risk. ELB / Elastic Load Balancing ELB or Elastic Load Balancing provides access logs containing details of requests sent to your load balancer. You can use ELB access logs to analyze traffic patterns, troubleshoot issues, and investigate any suspicious activity. Because each log contains information such as the time the load balancing request was received, the client’s IP address, latencies, request paths, and server responses, you can use these details to build comprehensive security incident timelines. Fortunately, AWS provides extensive logging, giving you detailed visibility into what is happening in your environment. Here’s a summary of the different types of AWS logs and the purpose each can serve from a security perspective.
  • 11. AWS provides a wealth of logging features and raw audit log data to help you monitor the overall security and compliance posture of your AWS assets. The next challenge is deriving actionable and relevant information from those mountains of event logs. Third party log analysis and event correlation tools apply correlation logic to AWS log data to alert you when emerging threats, as well as AWS misconfiguration and policy violations, expose your AWS assets to risk. Some of these tools can also integrate your on-premises event log data with your AWS log data for a complete picture of your security and compliance posture. That said, not all log analysis and event correlation tools are the same. Make sure you verify that they will work with your AWS environment as easily as they do within your on-premises environment. A consistent and unified security monitoring program across your environments will drive rapid and targeted incident response. Use the following questions to inform your log analysis tool evaluation process. 1. Questions to ask your AWS Security Monitoring Partner: 2. How do you detect cryptojacking or cryptomining activities in the cloud? 3. How do you detect AWS misconfigurations or other security exposures? 4. Which of the native AWS log file types do you support? 5. Which cloud-based enterprise apps can you collect logs for? (e.g. G Suite, Office 365, etc.) 6. What type of alarms does your tool generate? 7. How does your tool correlate events across disparate data sources and environments? 8. What are your capabilities for long term event log data storage? 9. What type of compliance reports does your tool generate? 10. What other security controls does your tool offer or integrate with (e.g. security automation and orchestration, file integrity monitoring, etc.)? 11. How does your tool automate threat hunting? 12. From what sources do you get your threat intelligence and security research? 04 Integrate native AWS Security Monitoring Tools with third-party apps
  • 12. AlienVault® USM Anywhere is an all-in-one platform that delivers powerful threat detection, incident response, and compliance management across cloud, on-premises, and hybrid environments. Unlike traditional security approaches that try to retrofit their network-centric approach to AWS, USM Anywhere is optimized for AWS with support for: ›› CloudTrail monitoring & alerting ›› S3 access log monitoring & alerting ›› ELB access log monitoring & alerting ›› AWS API asset discovery ›› AWS-native cloud intrusion detection ›› AWS vulnerability assessment ›› AWS infrastructure assessment USM Anywhere provides an integrated security monitoring platform, saving you time and money so you can fully benefit from the speed and agility advantages of AWS. You can deploy USM Anywhere within minutes, and start detecting threats the same day. Learn more: AWS Security Monitoring with AlienVault USM Anywhere Watch a 2-minute Overview Video Explore the Online Demo Environment How AlienVault Can Help