AWS Cloud: Proactive Security and Forensic Readiness – Part 4
Blog Article Published: 11/16/2018
Part 4: Detective Controls in AWS
By Neha Thethi, Information Security Analyst, BH Consulting
Security controls can be either technical or administrative. A layered security approach to protecting an organization’s information assets and infrastructure should include preventative controls, detective controls and corrective controls.
Preventative controls exist to prevent the threat from coming in contact with the weakness. Detective controls exist to identify that the threat has landed in our systems. Corrective controls exist to mitigate or lessen the effects of the threat being manifested.
This post relates to detective controls within AWS Cloud. It’s the fourth in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.
Detective controls in AWS Cloud
AWS detective controls include processing of logs and monitoring of events that allow for auditing, automated analysis, and alarming.
These controls can be implemented using AWS CloudTrail logs to record AWS API calls, Service-specific logs (for Amazon S3, Amazon CloudFront, CloudWatch logs, VPC flow logs, ELB logs, etc) and AWS Config to maintain a detailed inventory of AWS resources and configuration. Amazon CloudWatch is a monitoring service for AWS resources and can be used to trigger CloudWatch events to automate security responses. Another useful tool is Amazon GuardDuty which is a managed threat detection service in AWS and continuously monitors for malicious or unauthorized.
Security event logging is crucial for detecting security threats or incidents. Security teams should produce, keep and regularly review event logs that record user activities, exceptions, faults and information security events. They should collect logs centrally and automatically analysed to detect suspicious behavior. Automated alerts can monitor key metrics and events related to security. It is critical to analyse logs in a timely manner to identify and respond to potential security incidents. In addition, logs are indispensable for forensic investigations.
The challenge of managing logs
However, managing logs can be a challenge. AWS makes log management easier to implement by providing the ability to deﬁne a data-retention lifecycle or deﬁne where data will be preserved, archived, or eventually deleted. This makes predictable and reliable data handling simpler and more cost-eﬀective.
The following list recommends use of AWS Trusted Advisor for detecting security threats within the AWS environment. It covers collection, aggregation, analysis, monitoring and retention of logs, and, monitoring security events and billing to detect unusual activity.
- Are you using Trusted Advisor?
- How are you capturing and storing logs?
- How are you analyzing logs?
- How are you retaining logs?
- How are you receiving notification and alerts?
- How are you monitoring billing in your AWS account(s)?
Best-practice checklist1. Are you using Trusted Advisor?
- Use AWS Trusted Advisor to check for security compliance. Back to List
- Activate AWS Cloud Trail.
- Collect logs from various locations/services including AWS APIs and user-related logs (e.g. AWS CloudTrail), AWS service-specific logs (e.g. Amazon S3, Amazon CloudFront, CloudWatch logs, VPC flow logs, ELB logs, etc.), operating system-generated logs, IDS/IPS logs and third-party application-specific logs
- Use services and features such as AWS CloudFormation, AWS OpsWorks, or Amazon Elastic Compute Cloud (EC2) user data, to ensure that instances have agents installed for log collection
- Move logs periodically from the source either directly into a log processing system (e.g., CloudWatch Logs) or stored in an Amazon S3 bucket for later processing based on business needs.Back to List
- Parse and analyse security data using solutions such as AWS Config, AWS CloudWatch, Amazon EMR, Amazon Elasticsearch Service, etc.
- Perform analysis and visualization with Kibana. Back to List
- Store data centrally using Amazon S3, and, for long-term archiving if required, using Amazon Glacier
- Define data-retention lifecycle for logs. By default, CloudWatch logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day
- Manage log retention automatically using AWS Lambda. Back to List
- Use Amazon CloudWatch Events for routing events of interest and information reflecting potentially unwanted changes into a proper workflow
- Use Amazon GuardDuty to continuously monitor for malicious or unauthorized behavior
- Send events to targets like an AWS Lambda function, Amazon SNS, or other targets for alerts and notifications. Back to List
- Use detailed billing to monitor your monthly usage regularly
- Use consolidated billing for multiple accounts. Back to List
Refer to the following AWS resources for more details:
- AWS Well-Architected Framework
- What is Amazon CloudWatch Logs?
- Definition of Preventative Controls, Detective Controls and Corrective Controls – Fundamentals of Information Systems Security (David Kim, Michael G. Solomon)
Next up in the blog series, is Part 5 – Incident Response in AWS – best practice checklist. Stay tuned. Let us know in the comments below if we have missed anything in our checklist!
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only.