Jason Poley, profile picture
Uploaded byJason Poley
PPTX, PDF7,553 views

AWS Monitoring & Logging

The document discusses various AWS services for monitoring, logging, and security. It provides examples of AWS CloudTrail logs and best practices for CloudTrail such as enabling in all regions, log file validation, encryption, and integration with CloudWatch Logs. It also summarizes VPC flow logs, CloudWatch metrics and logs, and tools for automating compliance like Config rules, CloudWatch events, and Inspector.

Technology
In this document
Powered by AI

Overview of AWS Monitoring & Logging by Jason Poley from Barclaycard / Entech.

Various AWS log categories including Infrastructure, service, and host-based logs.

AWS CloudTrail records API calls and provides details such as user identity, event time, and resources.

Example of a CloudTrail event including details about API call, user, and source IP.

Best practices for AWS CloudTrail include enabling in all regions, log validation, encryption, and integration with CloudWatch.

Introduction to AWS Technology Partner solutions integrated with CloudTrail.

Introduction to Amazon VPC flow logs, which log network traffic information.

Details on agentless VPC flow logs, how to enable them, and integration with CloudWatch.

Real-time monitoring of logs from EC2 instances with Amazon CloudWatch capabilities.

Details on custom metrics in CloudWatch, frequency of logging, and data storage.

Managing and processing logs via CloudWatch Logs, AWS Lambda, and Amazon Kinesis.

Illustration of data flow direction among various AWS logging and monitoring services.

Overview of automation options in AWS for compliance checks using CloudTrail and CloudWatch.

AWS Config capabilities for tracking resources and configuration changes.

Importance of AWS Config for maintaining compliance records at arbitrary times.

Automation of responses to configuration changes through pre-built and custom AWS Config rules.

Usage of AWS CloudWatch Events to trigger actions based on various events.

Introduction to Amazon Inspector for automated security assessments of applications.

Key benefits of using Amazon Inspector for agility, security posture, and compliance.Overview of various AWS security and compliance tools and the importance of logging.

Recap of AWS services used for effective monitoring and compliance.

Emphasizes the balance between speed and security in AWS practices.

Embed presentation

Downloaded 445 times
AWS Monitoring & Logging Jason Poley Barclaycard / Entech jpoley@entech.com https://www.linkedin.com/in/jasonpoley
Different log categories AWS Infrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  Amazon S3  AWS Elastic Load Balancing  Amazon CloudFront  AWS Lambda  AWS Elastic Beanstalk  … Host based logs  Messages  Security  NGINX/Apache/IIS  Windows Event Logs  Windows Performance Counters  …
Different log categories AWS Infrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  Amazon S3  AWS Elastic Load Balancing  Amazon CloudFront  AWS Lambda  AWS Elastic Beanstalk  … Host based logs  Messages  Security  NGINX/Apache/IIS  Windows Event Logs  Windows Performance Counters  … Security related events
AWS CloudTrail Records AWS API calls for your account
What can you answer using a CloudTrail event?  Who made the API call?  When was the API call made?  What was the API call?  Which resources were acted up on in the API call?  Where was the API call made from and made to? Supported services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
What does an event look like? { "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", // Who? "principalId": "AIDAJDPLRKLG7UEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", //Who? "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-03-18T14:29:23Z" } } }, "eventTime": "2014-03-18T14:30:07Z", //When? "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging", //What? "awsRegion": "us-west-2",//Where to? "sourceIPAddress": "72.21.198.64", // Where from? "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx", "requestParameters": { "name": "Default“ // Which resource? }, // more event details }
AWS CloudTrail Best Practices
AWS CloudTrail Best Practices 1. Enable in all regions Benefits  Also tracks unused regions  Can be done in single configuration step
AWS CloudTrail Best Practices 1. Enable in all regions 2. Enable log file validation Benefits  Ensure log file integrity  Validated log files are invaluable in security and forensic investigations  Built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing  AWS CloudTrail will start delivering digest files on an hourly basis  Digest files contain hash values of log files delivered and are signed by AWS CloudTrail
AWS CloudTrail Best Practices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs Benefits  By default, AWS CloudTrail encrypts log files using Amazon S3 server side encryption (SSE-S3)  You can choose to encrypt using AWS Key Management Service (SSE-KMS)  Amazon S3 will decrypt on your behalf if your credentials have decrypt permissions
AWS CloudTrail Best Practices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs 4. Integrate with Amazon CloudWatch Logs Benefits  Simple search  Configure alerting on events
AWS CloudTrail Best Practices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs 4. Integrate with Amazon CloudWatch Logs 5. Centralize logs from all accounts Benefits  Configure all accounts to send logs to a central security account  Reduce risk for log tampering  Can be combined with Amazon S3 CRR
AWS Technology Partner solutions integrated with CloudTrail
Amazon VPC Flow Logs Log network traffic for Amazon VPC, subnet or single interfaces
Amazon VPC Flow Logs  Stores log in AWS CloudWatch Logs  Can be enabled on • Amazon VPC, a subnet, or a network interface • Amazon VPC & Subnet enables logging for all interfaces in the VPC/subnet • Each network interface has a unique log stream  Flow logs do not capture real-time log streams for your network interfaces  Filter desired result based on need • All, Reject, Accept • Troubleshooting or security related with alerting needs? • Think before enabling All on VPC, will you use it?
VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
VPC Flow Logs • Amazon Elasticsearch Service • Amazon CloudWatch Logs subscriptions
Amazon CloudWatch Monitor Logs from Amazon EC2 Instances in Real-time
Ubiquitous logging and monitoring Amazon CloudWatch Logs lets you grab everything and monitor activity  Managed service to collect and keep your logs  CloudWatch Logs Agent for Linux and Windows instances  Integration with Metrics and Alarms  Export data to S3 for analytics  Stream to Amazon ElasticSearch Service or AWS Lambda
CloudWatch Metrics  Supports custom metrics.  Memory is a custom parameter  5 minute interval by default, 1 minute available with detailed.  Can be used as a forensics tool because it keeps instance information for 2 weeks.  Information stored in time series format.  Provides dashboarding capabilities and an API for extraction.  Use as a foundational component of auto-scaling.
Managing, Monitoring & Processing Logs CloudWatch Logs - Near real-time, aggregate, monitor, store, and search Amazon Elasticsearch Service Integration (or ELK stack) - Analytics and Kibana interface AWS Lambda & Amazon Kinesis Integration - Custom processing with your code Export to S3 - SDK & CLI batch export of logs for analytics
Arrow direction indicates general direction of data flow EC2 instances Logstash cluster on EC2 DynamoDB Tables RDS Databases (via JDBC) SQS Queues Kinesis Streams VPC Flow Logs CloudTrail Audit Logs S3 Access Logs ELB Access Logs CloudFront Access Logs SNS Notifications DynamoDB Streams SES Inbound Email Cognito Events Kinesis Streams CloudWatch Events & Alarms Config Rules
Automating your compliance checks
Multiple levels of automation Self managed  AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alerts  AWS CloudTrail -> Amazon SNS -> AWS Lambda Compliance validation  AWS Config Rules Host based Compliance validation  AWS Inspector Active Change Remediation  Amazon CloudWatch Events
AWS Config Resource and Configuration Tracking
What Resources exist? Get inventory of AWS resources Discover new and deleted resources Record configuration changes continuously Get notified when configurations change Know resource relationships dependencies
NormalizeRecordChanging Resources AWS Config Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History
Evidence for compliance Many compliance audits require access to the state of your systems at arbitrary times (i.e., PCI, HIPAA). A complete inventory of all resources and their configuration attributes is available for any point in time.
AWS Config Rules Automate Response to Changes
Automated Response to Change Set up rules to check configuration changes recorded Use pre-built rules provided by AWS Author custom rules using AWS Lambda Invoked automatically for continuous assessment Use dashboard for visualizing compliance and identifying changes
NormalizeRecordChanging Resources AWS Config & Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Rules
AWS managed rules 1. All EC2 instances must be inside a VPC. 2. All attached EBS volumes must be encrypted, with KMS ID. 3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs. 4. All security groups in attached state should not have unrestricted access to port 22. 5. All EIPs allocated for use in the VPC are attached to instances. 6. All resources being monitored must be tagged with specified tag keys:values. 7. All security groups in attached state should not have unrestricted access to these specific ports.
AWS Config Rules Repository AWS Community repository of custom Config rules https://github.com/awslabs/aws-config-rules Contains Node and Python samples for Custom Rules for AWS Config
AWS CloudWatch Events The central nervous system for your AWS environment
Tools - Amazon CloudWatch Events Trigger on event  Amazon EC2 instance state change notification  AWS API call (very specific)  AWS console sign-in  Auto Scaling Or Schedule  Cron is in the cloud!  No more Unreliable Town Clock  Min 1 min Single event can have multiple targets
AWS Inspector Automated security assessment service
Why Amazon Inspector? Applications testing key to moving fast but staying safe Security assessment highly manual, resulting in delays or missed security checks Valuable security subject matter experts spending too much time on routine security assessment
Amazon Inspector features Configuration Scanning Engine Built-in content library Run-Time Behavior Analysis Automatable via API Fully auditable
Amazon Inspector rulesets CVE CIS OS Security Config Benchmark Network Security Best Practices Authentication Best Practices Operating System Best Practices Application Security Best Practices
Amazon Inspector benefits Increased agility Embedded expertise Improved security posture Streamlined compliance
AWS Security tools: What to use? AWS Security and Compliance Security of the cloud Services and tools to aid security in the cloud Service Type Use cases Continuous logging Records AWS API calls for your account and delivers log files to you Continuous evaluations Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes On-demand evaluations Security insights into your application deployments running inside your EC2 instance Periodic evaluations Cost, performance, reliability, and security checks that apply broadly Actions in response to APIs and state change AWS APIs use triggers custom Lambda actions AWS Inspector AWS Config Rules AWS Trusted Advisor AWS CloudTrail CloudWach Events
Don’t forget built-in reporting
AWS Trusted Advisor checks your account
IAM Credential Reports
Rounding up  Leverage built-in tools for monitoring and compliance  Storage is cheap, not knowing can be very expensive – Log if possible  Alerting is good, automating your security response is better  Use managed services and built-in reporting to offload and automate  See the Big Picture, what info do you want and what tool can give it to you
AWS Services  CloudWatch – Events, Logs, Metrics  VPC Flow Logs  CloudTrail  Config & Config Rules  Inspector  Trusted Advisor  IAM – credential report & policy simulator  Indirect tools – Elasticsearch, S3, Kinesis.
AND Move Fast Stay Secure

More Related Content

PPTX
AWS Cloud trail
byzekeLabs Technologies
 
PPTX
AWS core services
byNagesh Ramamoorthy
 
PDF
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
byEdureka!
 
PPTX
Aws config
byShagun Rathore
 
PDF
Cloudwatch: Monitoring your AWS services with Metrics and Alarms
byFelipe
 
PDF
AWS AutoScaling
byMahesh Raj
 
PDF
AWS Systems manager 2019
byJohn Varghese
 
PPTX
Introduction to AWS CloudWatch Presentation
byKnoldus Inc.
 
AWS Cloud trail
byzekeLabs Technologies
 
AWS core services
byNagesh Ramamoorthy
 
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
byEdureka!
 
Aws config
byShagun Rathore
 
Cloudwatch: Monitoring your AWS services with Metrics and Alarms
byFelipe
 
AWS AutoScaling
byMahesh Raj
 
AWS Systems manager 2019
byJohn Varghese
 
Introduction to AWS CloudWatch Presentation
byKnoldus Inc.
 

What's hot

PDF
AWS Cloud Practitioner Tutorial | Edureka
byEdureka!
 
PPTX
Aws VPC
byAbhishek Amralkar
 
PPTX
What is AWS?
byMartin Yan
 
PPTX
MicroServices at Netflix - challenges of scale
bySudhir Tonse
 
PPTX
Azure kubernetes service (aks)
byAkash Agrawal
 
PPTX
AWS Cloud Watch
byzekeLabs Technologies
 
PDF
세션 3: IT 담당자를 위한 Cloud 로의 전환
byAmazon Web Services Korea
 
PDF
Aws cloud watch
byMahesh Raj
 
PDF
천만사용자를 위한 AWS 클라우드 아키텍처 진화하기 – 문종민, AWS솔루션즈 아키텍트:: AWS Summit Online Korea 2020
byAmazon Web Services Korea
 
PDF
Introduction to AWS (Amazon Web Services)
byAlbert Suwandhi
 
PPTX
Basics AWS Presentation
byShyam Kumar
 
PPTX
Azure Tutorial For Beginners | Microsoft Azure Tutorial For Beginners | Azure...
bySimplilearn
 
PDF
Best Practices with Azure Kubernetes Services
byQAware GmbH
 
PPTX
Google cloud platform
byPiyumi Niwanthika Herath
 
PDF
Azure 101
byKorry Lavoie
 
PDF
Migrate to Microsoft Azure with Confidence
byDavid J Rosenthal
 
ODP
Monitoring With Prometheus
byKnoldus Inc.
 
PPTX
Azure security and Compliance
byKarina Matos
 
PPTX
AWS Introduction
byDimosthenis Botsaris
 
PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
AWS Cloud Practitioner Tutorial | Edureka
byEdureka!
 
Aws VPC
byAbhishek Amralkar
 
What is AWS?
byMartin Yan
 
MicroServices at Netflix - challenges of scale
bySudhir Tonse
 
Azure kubernetes service (aks)
byAkash Agrawal
 
AWS Cloud Watch
byzekeLabs Technologies
 
세션 3: IT 담당자를 위한 Cloud 로의 전환
byAmazon Web Services Korea
 
Aws cloud watch
byMahesh Raj
 
천만사용자를 위한 AWS 클라우드 아키텍처 진화하기 – 문종민, AWS솔루션즈 아키텍트:: AWS Summit Online Korea 2020
byAmazon Web Services Korea
 
Introduction to AWS (Amazon Web Services)
byAlbert Suwandhi
 
Basics AWS Presentation
byShyam Kumar
 
Azure Tutorial For Beginners | Microsoft Azure Tutorial For Beginners | Azure...
bySimplilearn
 
Best Practices with Azure Kubernetes Services
byQAware GmbH
 
Google cloud platform
byPiyumi Niwanthika Herath
 
Azure 101
byKorry Lavoie
 
Migrate to Microsoft Azure with Confidence
byDavid J Rosenthal
 
Monitoring With Prometheus
byKnoldus Inc.
 
Azure security and Compliance
byKarina Matos
 
AWS Introduction
byDimosthenis Botsaris
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 

Similar to AWS Monitoring & Logging

PPTX
Cloudifying your Security Operations on AWS
byCloudHesive
 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
 
PDF
So verarbeiten Sie AWS Sensordaten, um Anwendungen zu sichern - AWS Security ...
byAWS Germany
 
PPTX
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
PDF
Analyzing your web and application logs on AWS. Utrecht AWS Dev Day
byjavier ramirez
 
PPTX
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
PPTX
AWS Security and SecOps
byShiva Narayanaswamy
 
PPTX
Aws Atlanta meetup - Understanding AWS Config
byAdam Book
 
PDF
AWS security monitoring and compliance validation from Adobe.
bySplunk
 
PDF
Security @ (Cloud) Scale Deep Dive
byKristana Kane
 
PDF
Amazon Web Services Amazon: Amazon CloudWatch & CloudTrail.pdf
bymohammedjaefermj
 
PDF
Application & Account Monitoring in AWS
byBhuvaneswari Subramani
 
PDF
Hunter Lynne - Securing AWS with Event Driven Security
byAWS Chicago
 
PDF
"Analyzing your web and application logs", Javier Ramirez, AWS Dev Day Kyiv 2...
byProvectus
 
PPTX
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
PPTX
AWS on Splunk, Splunk on AWS
bySplunk
 
PDF
AWS モニタリングソリューションのご紹介
byTakanori Ohba
 
PDF
002 AWSSlides.pdf
byDrBashirMSaad
 
PPTX
5 minutes on security
byCloudHesive
 
Cloudifying your Security Operations on AWS
byCloudHesive
 
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
 
So verarbeiten Sie AWS Sensordaten, um Anwendungen zu sichern - AWS Security ...
byAWS Germany
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
byAlert Logic
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
byFelipe Prado
 
Analyzing your web and application logs on AWS. Utrecht AWS Dev Day
byjavier ramirez
 
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
AWS Security and SecOps
byShiva Narayanaswamy
 
Aws Atlanta meetup - Understanding AWS Config
byAdam Book
 
AWS security monitoring and compliance validation from Adobe.
bySplunk
 
Security @ (Cloud) Scale Deep Dive
byKristana Kane
 
Amazon Web Services Amazon: Amazon CloudWatch & CloudTrail.pdf
bymohammedjaefermj
 
Application & Account Monitoring in AWS
byBhuvaneswari Subramani
 
Hunter Lynne - Securing AWS with Event Driven Security
byAWS Chicago
 
"Analyzing your web and application logs", Javier Ramirez, AWS Dev Day Kyiv 2...
byProvectus
 
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
AWS on Splunk, Splunk on AWS
bySplunk
 
AWS モニタリングソリューションのご紹介
byTakanori Ohba
 
002 AWSSlides.pdf
byDrBashirMSaad
 
5 minutes on security
byCloudHesive
 

Recently uploaded

PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 

AWS Monitoring & Logging

  • 1.
    AWS Monitoring &Logging Jason Poley Barclaycard / Entech jpoley@entech.com https://www.linkedin.com/in/jasonpoley
  • 2.
    Different log categories AWSInfrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  Amazon S3  AWS Elastic Load Balancing  Amazon CloudFront  AWS Lambda  AWS Elastic Beanstalk  … Host based logs  Messages  Security  NGINX/Apache/IIS  Windows Event Logs  Windows Performance Counters  …
  • 3.
    Different log categories AWSInfrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  Amazon S3  AWS Elastic Load Balancing  Amazon CloudFront  AWS Lambda  AWS Elastic Beanstalk  … Host based logs  Messages  Security  NGINX/Apache/IIS  Windows Event Logs  Windows Performance Counters  … Security related events
  • 4.
    AWS CloudTrail Records AWSAPI calls for your account
  • 5.
    What can youanswer using a CloudTrail event?  Who made the API call?  When was the API call made?  What was the API call?  Which resources were acted up on in the API call?  Where was the API call made from and made to? Supported services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
  • 6.
    What does anevent look like? { "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", // Who? "principalId": "AIDAJDPLRKLG7UEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", //Who? "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-03-18T14:29:23Z" } } }, "eventTime": "2014-03-18T14:30:07Z", //When? "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging", //What? "awsRegion": "us-west-2",//Where to? "sourceIPAddress": "72.21.198.64", // Where from? "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx", "requestParameters": { "name": "Default“ // Which resource? }, // more event details }
  • 7.
  • 8.
    AWS CloudTrail BestPractices 1. Enable in all regions Benefits  Also tracks unused regions  Can be done in single configuration step
  • 9.
    AWS CloudTrail BestPractices 1. Enable in all regions 2. Enable log file validation Benefits  Ensure log file integrity  Validated log files are invaluable in security and forensic investigations  Built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing  AWS CloudTrail will start delivering digest files on an hourly basis  Digest files contain hash values of log files delivered and are signed by AWS CloudTrail
  • 10.
    AWS CloudTrail BestPractices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs Benefits  By default, AWS CloudTrail encrypts log files using Amazon S3 server side encryption (SSE-S3)  You can choose to encrypt using AWS Key Management Service (SSE-KMS)  Amazon S3 will decrypt on your behalf if your credentials have decrypt permissions
  • 11.
    AWS CloudTrail BestPractices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs 4. Integrate with Amazon CloudWatch Logs Benefits  Simple search  Configure alerting on events
  • 12.
    AWS CloudTrail BestPractices 1. Enable in all regions 2. Enable log file validation 3. Encrypted logs 4. Integrate with Amazon CloudWatch Logs 5. Centralize logs from all accounts Benefits  Configure all accounts to send logs to a central security account  Reduce risk for log tampering  Can be combined with Amazon S3 CRR
  • 13.
    AWS Technology Partnersolutions integrated with CloudTrail
  • 14.
    Amazon VPC FlowLogs Log network traffic for Amazon VPC, subnet or single interfaces
  • 15.
    Amazon VPC FlowLogs  Stores log in AWS CloudWatch Logs  Can be enabled on • Amazon VPC, a subnet, or a network interface • Amazon VPC & Subnet enables logging for all interfaces in the VPC/subnet • Each network interface has a unique log stream  Flow logs do not capture real-time log streams for your network interfaces  Filter desired result based on need • All, Reject, Accept • Troubleshooting or security related with alerting needs? • Think before enabling All on VPC, will you use it?
  • 16.
    VPC Flow Logs •Agentless • Enable per ENI, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
  • 17.
    VPC Flow Logs •Amazon Elasticsearch Service • Amazon CloudWatch Logs subscriptions
  • 18.
    Amazon CloudWatch Monitor Logsfrom Amazon EC2 Instances in Real-time
  • 19.
    Ubiquitous logging andmonitoring Amazon CloudWatch Logs lets you grab everything and monitor activity  Managed service to collect and keep your logs  CloudWatch Logs Agent for Linux and Windows instances  Integration with Metrics and Alarms  Export data to S3 for analytics  Stream to Amazon ElasticSearch Service or AWS Lambda
  • 20.
    CloudWatch Metrics  Supportscustom metrics.  Memory is a custom parameter  5 minute interval by default, 1 minute available with detailed.  Can be used as a forensics tool because it keeps instance information for 2 weeks.  Information stored in time series format.  Provides dashboarding capabilities and an API for extraction.  Use as a foundational component of auto-scaling.
  • 21.
    Managing, Monitoring &Processing Logs CloudWatch Logs - Near real-time, aggregate, monitor, store, and search Amazon Elasticsearch Service Integration (or ELK stack) - Analytics and Kibana interface AWS Lambda & Amazon Kinesis Integration - Custom processing with your code Export to S3 - SDK & CLI batch export of logs for analytics
  • 22.
    Arrow direction indicatesgeneral direction of data flow EC2 instances Logstash cluster on EC2 DynamoDB Tables RDS Databases (via JDBC) SQS Queues Kinesis Streams VPC Flow Logs CloudTrail Audit Logs S3 Access Logs ELB Access Logs CloudFront Access Logs SNS Notifications DynamoDB Streams SES Inbound Email Cognito Events Kinesis Streams CloudWatch Events & Alarms Config Rules
  • 23.
  • 24.
    Multiple levels ofautomation Self managed  AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alerts  AWS CloudTrail -> Amazon SNS -> AWS Lambda Compliance validation  AWS Config Rules Host based Compliance validation  AWS Inspector Active Change Remediation  Amazon CloudWatch Events
  • 25.
    AWS Config Resource andConfiguration Tracking
  • 26.
    What Resources exist? Getinventory of AWS resources Discover new and deleted resources Record configuration changes continuously Get notified when configurations change Know resource relationships dependencies
  • 27.
  • 29.
    Evidence for compliance Manycompliance audits require access to the state of your systems at arbitrary times (i.e., PCI, HIPAA). A complete inventory of all resources and their configuration attributes is available for any point in time.
  • 30.
    AWS Config Rules AutomateResponse to Changes
  • 31.
    Automated Response toChange Set up rules to check configuration changes recorded Use pre-built rules provided by AWS Author custom rules using AWS Lambda Invoked automatically for continuous assessment Use dashboard for visualizing compliance and identifying changes
  • 32.
    NormalizeRecordChanging Resources AWS Config &Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Rules
  • 33.
    AWS managed rules 1.All EC2 instances must be inside a VPC. 2. All attached EBS volumes must be encrypted, with KMS ID. 3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs. 4. All security groups in attached state should not have unrestricted access to port 22. 5. All EIPs allocated for use in the VPC are attached to instances. 6. All resources being monitored must be tagged with specified tag keys:values. 7. All security groups in attached state should not have unrestricted access to these specific ports.
  • 34.
    AWS Config RulesRepository AWS Community repository of custom Config rules https://github.com/awslabs/aws-config-rules Contains Node and Python samples for Custom Rules for AWS Config
  • 35.
    AWS CloudWatch Events Thecentral nervous system for your AWS environment
  • 36.
    Tools - AmazonCloudWatch Events Trigger on event  Amazon EC2 instance state change notification  AWS API call (very specific)  AWS console sign-in  Auto Scaling Or Schedule  Cron is in the cloud!  No more Unreliable Town Clock  Min 1 min Single event can have multiple targets
  • 37.
  • 38.
    Why Amazon Inspector? Applicationstesting key to moving fast but staying safe Security assessment highly manual, resulting in delays or missed security checks Valuable security subject matter experts spending too much time on routine security assessment
  • 39.
    Amazon Inspector features ConfigurationScanning Engine Built-in content library Run-Time Behavior Analysis Automatable via API Fully auditable
  • 40.
    Amazon Inspector rulesets CVE CISOS Security Config Benchmark Network Security Best Practices Authentication Best Practices Operating System Best Practices Application Security Best Practices
  • 41.
    Amazon Inspector benefits Increasedagility Embedded expertise Improved security posture Streamlined compliance
  • 42.
    AWS Security tools:What to use? AWS Security and Compliance Security of the cloud Services and tools to aid security in the cloud Service Type Use cases Continuous logging Records AWS API calls for your account and delivers log files to you Continuous evaluations Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes On-demand evaluations Security insights into your application deployments running inside your EC2 instance Periodic evaluations Cost, performance, reliability, and security checks that apply broadly Actions in response to APIs and state change AWS APIs use triggers custom Lambda actions AWS Inspector AWS Config Rules AWS Trusted Advisor AWS CloudTrail CloudWach Events
  • 43.
  • 44.
    AWS Trusted Advisorchecks your account
  • 45.
  • 46.
    Rounding up  Leveragebuilt-in tools for monitoring and compliance  Storage is cheap, not knowing can be very expensive – Log if possible  Alerting is good, automating your security response is better  Use managed services and built-in reporting to offload and automate  See the Big Picture, what info do you want and what tool can give it to you
  • 47.
    AWS Services  CloudWatch– Events, Logs, Metrics  VPC Flow Logs  CloudTrail  Config & Config Rules  Inspector  Trusted Advisor  IAM – credential report & policy simulator  Indirect tools – Elasticsearch, S3, Kinesis.
  • 48.

Editor's Notes

  • #6 Now that you know what CloudTrail does, lets see what questions you can answer using a CloudTrail event: Five important questions/W’s Turn on CloudTrail for your accounts Monitor and alarm for API activity with high blast radius Use Lookup Events to troubleshoot your operational issues
  • #7 Lets see a sample, Walk through..
  • #17 No Agents! Just Turn it on. No really, Ill wait. Enable per ENI, per Subnet or per VPC All network traffic data is logged to CloudWatch logs so you get durable storage but also all the analysis features such as filter queries and metric creation And then Create Alarms on those metrics Collected, processed and stored in ~10 minute capture windows into Cloudwatch Logs
  • #18 Or roll your own real time network dashboard with the new Amazon Elasticsearch Service Also based on a CloudWatch Logs Subscription filter that tees Flow Log data into a Kinesis stream and a stream reader then takes data and puts it into Elasticsearch See Jeff’s blog post where he details how to setup this VPC Flow Dashboard in a few clicks
  • #27 AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
  • #32  Will discuss the awesomeness of AWS Config All EC2 Instances must be inside a VPC. All attached EBS volumes must be encrypted, with KMS ID. CloudTrail must be enabled, optionally with S3 bucket, SNS Topic and CloudWatch Logs. All security groups in attached state should not have unrestricted access to Port 22. All EIPs allocated for use in VPC are attached to instances. All resources being monitored must be tagged with specified tag keys:values. All security groups in attached state should not have unrestricted access to these specific ports.
  • #41 Each Inspector rule is assigned a severity level. This simplifies the decision of prioritizing one rule over another in your assessments and can help you decide what your reaction and corrective steps should be in the event of the rule highlighting a potential problem. The following are the severity levels for the Inspector rules: High – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you treat this security issue as an emergency and implement an immediate remediation. Medium – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue at the next possible opportunity, for example, during your next service update. Low - this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue as part of one of your future service updates. Informational – this severity level describes a particular security configuration detail of your application. Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your application. https://alpha-docs-aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
  • #46 I want evidence that my users are following security best practices, such as requiring MFA for administrative-level users. You can generate a credential report that lists your IAM users and the status of their AWS security credentials and download it as a CSV file. These reports contain details such as whether MFA is activated, when their password was last rotated, and more. You can generate a new report as often as every 4 hours. You can download reports interactively via the console or programmatically using the IAM API. (Support is coming soon for downloading the reports using the AWS CLI.)
  • #49 For a long time, most organizations have had to make a choice between moving fast or maintaining a high degree of security However, one of the fundamental benefits of the cloud is that it let’s you do both.