Rich Monitoring and Logging
A cornerstone of detecting threats and protecting an environment and its data is the ability to
monitor configurations granularly across an enterprise, combined with robust logging of the
activity occurring within the IT infrastructure. Visibility and traceability are often hard to
achieve in large on-premises operations that rely on physical separation as their primary
security control: because the individual services are not integrated, each offers only a
fragment of the operational picture, and threat detection and root cause analysis suffer as a
result. AWS builds core security services, including monitoring and logging, that are integrated
throughout the AWS service set.
AWS CloudTrail
AWS CloudTrail provides the option to log AWS API requests for
customers, regardless of whether the requests were made through
the AWS Management Console
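The value of a trail is what you do with the records it delivers. The following is an added example, not code from the paper or from AWS: it reads one delivered trail file (a constructed sample with placeholder account ID, ARNs and addresses) and emits a finding for three patterns a security team routinely alerts on: a root console login, a call that tampers with the trail itself, and an IAM privilege change, including one that was denied. The rule sets and finding format are assumptions for this example.

```python
import json
from typing import Dict, List

# Constructed sample: the JSON object a trail delivers to S3 ({"Records": [...]}),
# with four records invented for this example. Account ID, ARNs and IPs are placeholders.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:02:11Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:05:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:06:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T10:07:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "errorCode": "AccessDenied"},
]})

# API names that weaken the audit trail or expand privilege. These sets are an assumption
# for this example; extend them to the detections a team actually cares about.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PRIVILEGE_CHANGE = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                    "PutRolePolicy", "CreateAccessKey"}


def triage_records(trail_file: str) -> List[Dict[str, str]]:
    """Scan one delivered trail file and return a finding per record that matches a rule."""
    findings = []
    for rec in json.loads(trail_file)["Records"]:
        ident = rec.get("userIdentity", {})
        name = rec["eventName"]
        base = {"time": rec["eventTime"], "event": name,
                "actor": ident.get("arn", "unknown"),
                "source_ip": rec.get("sourceIPAddress", "unknown")}
        if name == "ConsoleLogin" and ident.get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "No")
            findings.append({**base, "rule": "root-console-login", "detail": f"MFAUsed={mfa}"})
        elif name in LOGGING_TAMPER:
            findings.append({**base, "rule": "cloudtrail-tamper",
                             "detail": json.dumps(rec.get("requestParameters", {}))})
        elif name in PRIVILEGE_CHANGE:
            # A denied call is still worth a finding: CloudTrail records the attempt with
            # errorCode, and a string of AccessDenied is often the first sign of a probe.
            findings.append({**base, "rule": "iam-privilege-change",
                             "detail": "outcome=" + rec.get("errorCode", "Success")})
    return findings


if __name__ == "__main__":
    for f in triage_records(SAMPLE_TRAIL_FILE):
        print(f"{f['time']} {f['rule']:<20} {f['actor']} {f['event']} {f['detail']}")
```

Run against the sample, the read-only DescribeInstances call produces nothing while the other three records each yield a finding; in production the same function would run over every object the trail delivers, with the trail's log file validation enabled so that a StopLogging or a deleted object is itself detectable.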
Amazon CloudWatch is used to monitor AWS resources and applications in near real time. It
collects and tracks metrics, raises alarms on them, and exposes them through customizable
dashboards or APIs. CloudWatch data are encrypted in transit and at rest. In addition, Amazon EventBridge
Configuration management is at the heart of controlling changes to an environment.
Configurations that drift from their intended state present a risk to a system's security
posture. Managing and enforcing configuration states across an on-premises environment is
usually difficult because the tooling that measures a system's present state often lacks enough
points of integration to offer a holistic view of the enterprise. In AWS, customers can
address configuration management in multiple ways. One of the best options is to move toward
an infrastructure as code (IaC) model for your environment. IaC allows you to provision,
de-provision, and maintain infrastructure configuration state in a consistent, repeatable, and
automated manner using code. This includes being able to apply secure code management practices
and test automation directly to infrastructure components. One way to accomplish this on AWS
is with AWS CloudFormation.
AWS CloudFormation templates, written in JSON or YAML, create, configure, and manage resources. The resources declared in a template are managed in units called AWS CloudFormation Stacks, and stacks can be composed into StackSets to manage resources across regions and accounts from a single template or set of templates. From a monitoring standpoint, CloudFormation is integrated with CloudTrail, which records the actions the service performs. Additionally, CloudFormation can detect configuration drift: it compares the current configuration of a stack's resources against the expected configuration declared in the template, and for StackSets it runs that comparison across every stack instance. Drift detection surfaces changes made outside the template (for example, directly in the console or through the API); it reports the drift rather than reverting it, and the user can then reapply the template to return the resources to the declared state.
Often customers need deeper and broader configuration management capabilities to handle the many ways AWS resources can be provisioned, changed, and managed. AWS Config fills this need by providing a detailed, continuous view of the configuration of AWS resources in a customer's AWS accounts. This includes how the resources are related to one another and how they were configured in the past, so that a customer can see how the configurations and relationships change over time. AWS Config provides an AWS resource inventory, configuration history, and configuration change notifications across regions and accounts. These capabilities, along with advanced querying and customizable rules, enable security and governance insights and workflow automation for AWS resources.
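The customizable rules are where AWS Config turns a configuration history into a control. The following is an added example, not code from the paper or from AWS: the evaluation logic of a custom rule for security groups, in the shape a Lambda-backed Config rule receives (the configuration item arrives as a JSON string under invokingEvent) and returns (one evaluation per resource with ComplianceType and Annotation). It flags any rule that opens a sensitive port to 0.0.0.0/0 or ::/0, treats deleted resources as NOT_APPLICABLE, and runs over three constructed configuration items. The port list, the make_event helper and the sample items are assumptions for this example; a deployed rule would pass the returned list, together with the resultToken, to AWS Config via put_evaluations.

```python
import json
from typing import Dict, List, Tuple

# CIDRs meaning "the whole Internet" in a security group rule.
WORLD = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the whole Internet; an assumption for this example.
SENSITIVE_PORTS = (22, 3389, 3306, 5432, 6379)


def _permission_covers(perm: Dict, port: int) -> bool:
    """True if an ipPermissions entry admits traffic to the given port."""
    proto = perm.get("ipProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(item: Dict) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    offenders = set()
    for perm in item["configuration"].get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        for port in SENSITIVE_PORTS:
            if _permission_covers(perm, port):
                offenders.add(f"{perm.get('ipProtocol')}/{port}")
    if offenders:
        return "NON_COMPLIANT", "open to the Internet: " + ", ".join(sorted(offenders))
    return "COMPLIANT", "no sensitive port open to 0.0.0.0/0 or ::/0"


def handler(event: Dict, context=None) -> List[Dict]:
    """Lambda-style entry point. Config passes the configuration item as a JSON string in
    invokingEvent; a deployed rule would send the returned list, with event['resultToken'],
    to AWS Config via put_evaluations. This example just returns it."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    return [{"ComplianceResourceType": item["resourceType"],
             "ComplianceResourceId": item["resourceId"],
             "ComplianceType": compliance,
             "Annotation": note,
             "OrderingTimestamp": item["configurationItemCaptureTime"]}]


def make_event(sg_id: str, permissions: List[Dict]) -> Dict:
    """Build a constructed Config invocation event for a security group (sample data only)."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": "{}", "resultToken": "example-token"}


SAMPLE_EVENTS = [
    # SSH from anywhere: what drift away from a hardened baseline usually looks like.
    make_event("sg-0aaa", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                            "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]),
    # HTTPS public, SSH only from an internal range: compliant.
    make_event("sg-0bbb", [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                            "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                           {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                            "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]),
    # All traffic from any IPv6 address: every sensitive port is exposed.
    make_event("sg-0ccc", [{"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for result in handler(ev):
            print(result["ComplianceResourceId"], result["ComplianceType"], result["Annotation"])
```

Because Config re-evaluates the rule on every recorded change to the resource, the NON_COMPLIANT evaluation appears at the moment the drift is introduced and can drive an automated remediation or a ticket, rather than waiting for a periodic audit.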
Another linchpin for deep monitoring and logging is traffic flow visibility. VPC Flow Logs let a customer capture metadata about the IP traffic going to and from network interfaces in their VPC: source and destination addresses and ports, protocol, packet and byte counts, and whether the security group and network ACL rules accepted or rejected the flow. Flow log data can be published as records to Amazon CloudWatch Logs or Amazon S3 for further analysis, and a flow log can be created for an entire VPC, a subnet, or a single network interface. Because Flow Logs record no packet payload, VPC also offers full packet capture, when useful or necessary, through its Traffic Mirroring feature. The two complement each other: VPC Flow Logs provide routine, always-on network logging, and Traffic Mirroring is enabled temporarily when an investigation needs the packet contents.
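Flow log records are plain space-separated text, so the first step of any analysis is a parser that knows the field order and the records that carry no data. The following is an added example, not code from the paper or from AWS: it parses default-format (version 2) records, drops NODATA and SKIPDATA records whose address fields are "-", and runs two detections over a constructed sample (placeholder account, ENI and addresses): an external source whose rejected flows swept several destination ports, and an accepted connection to an administrative port from outside the VPC's internal address space. The assumption that internal space is RFC 1918, the port thresholds, and the sample lines are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample in the default (version 2) flow log record format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# Account, ENI and addresses are placeholders invented for this example.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.20 51234 22 6 12 2040 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 40001 22 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 40002 23 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 40003 445 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 40004 3389 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 40005 8080 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.15 10.0.1.20 33000 443 6 40 51200 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1705312800 1705312860 - NODATA
"""

# Address space assumed to be internal to the VPC for this example (RFC 1918).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    interface_id: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    byte_count: int
    start: int
    end: int
    action: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse default-format v2 records. NODATA/SKIPDATA records have '-' in the address
    fields and are dropped here; a burst of SKIPDATA is itself worth an alert, since it
    means records were lost."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2":
            continue                      # not a default-format v2 record
        if f[13] != "OK":
            continue
        flows.append(Flow(f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]),
                          int(f[8]), int(f[9]), int(f[10]), int(f[11]), f[12]))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def rejected_port_sweeps(flows: List[Flow], min_ports: int = 5) -> Dict[str, List[int]]:
    """External sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    seen: Dict[str, set] = {}
    for fl in flows:
        if fl.action == "REJECT" and not is_internal(fl.src):
            seen.setdefault(fl.src, set()).add(fl.dst_port)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


def accepted_admin_from_internet(flows: List[Flow], admin_ports=(22, 3389)) -> List[Flow]:
    """ACCEPTed flows to administrative ports from outside the internal ranges: the case
    where a security group or network ACL let through something a sweep never should reach."""
    return [fl for fl in flows
            if fl.action == "ACCEPT" and fl.dst_port in admin_ports and not is_internal(fl.src)]


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(flows)} usable records")
    for src, ports in rejected_port_sweeps(flows).items():
        print(f"possible port sweep from {src}: ports {ports}")
    for fl in accepted_admin_from_internet(flows):
        print(f"external admin access: {fl.src} -> {fl.dst}:{fl.dst_port} ({fl.byte_count} bytes)")
```

The accepted SSH session from 203.0.113.5 is exactly the kind of hit for which Flow Logs can only tell you that a 2,040-byte exchange happened; establishing what was sent over it is the point at which Traffic Mirroring on that interface earns its cost.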
Dealing with the volume of logging data can be cumbersome for some customers, so many
choose to ease monitoring and analysis of logs by using Amazon GuardDuty