When it comes to security, the cloud operates on a shared responsibility model. When an organization plans its cloud adoption roadmap, security is a key part of the discussion. Security is always critical for companies, and it is not only a technology issue but also a business problem.
Security is not only about encrypting data at rest and data in transit. There are many other layers to consider: network layer design, the permission levels of the users who will administer and develop on the cloud, protecting the application from bad bots, SQL injection at scale, and so on. All of these are part of the overall security posture.
A shared security model is one in which security of the cloud is the cloud provider's responsibility and security in the cloud is the user's responsibility. That is, physical hardware, geography, infrastructure, authorized employee access, etc. are the responsibility of the cloud provider. On the other hand, there are services that need to be enabled in the design architecture to achieve security in the cloud.
Cloud Infrastructure with AWS Event-Driven Security
AWS is driving security at different layers, with innovative security services that are shifting toward event-driven calls to action. By combining a few services from AWS, an event-driven security posture can be built for your AWS account. These services include:
- CloudTrail: repository logging all API calls
- CloudWatch: especially CloudWatch Events
- EventBridge: CloudWatch Events v2
- GuardDuty: a cloud-based IDS
- Macie: ML-based data leak protection
- AWS Config: asset history manager
- WAF: serverless Layer 7 firewall service
- Security Hub: one-stop shop for entire-account security
All of the above play a role at different levels, and a few of them may be combined to make a cloud-native event-driven security architecture.
One of the most important layers, which can also be one of the weakest links in any organization, is users. AWS provides IAM, which is the store for users, groups and permissions. IAM provides managed policies, each a set of permissions assigned to a user or group. One concern is that a managed policy can be very wide, exposing certain services to a user who is not supposed to take action on them, or to infrastructure that belongs to another department of the organization. We recommend using CloudTrail along with CloudWatch Events to strengthen the security of IAM access in real time.
Let us cover each service in detail:
CloudTrail
Whatever we do in the cloud, under the hood it is calling the APIs of that service to perform the action. CloudTrail is the AWS service that records all these calls and can be queried to review actions. Logs can be stored in S3 for long-term retention, which helps for audit and compliance purposes.
CloudTrail integrates with CloudWatch Events to enable event-driven security and quick calls to action, which may be only a notification to relevant stakeholders or an auto-remediation of that action, triggered by a Lambda function.
An important thing to note is that CloudTrail does not deliver its logs in real time; using CloudWatch Events, however, it is possible to monitor specific API calls as they occur in the account and take action.
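The IAM monitoring recommended above (a CloudTrail-recorded IAM call reaching a rule, then a Lambda function that notifies or remediates) looks like this in practice. This is an added example, not code from the original article or from Cloud Kinetics: the event shape is the one CloudTrail delivers to CloudWatch Events/EventBridge as "AWS API Call via CloudTrail"; the watch list of policy ARNs, the choice to detach the policy, and the sample event are assumptions constructed for the demo.

```python
"""Added example (not from the original article): an EventBridge rule pattern plus a
Lambda handler that acts on CloudTrail IAM events as they arrive. The watch list,
the detach-as-remediation choice and the sample event are assumptions."""

# Rule pattern to deploy with the CLI or IaC (assumption). CloudTrail management
# events for IAM arrive with source "aws.iam" and this detail-type.
RULE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
                      "PutUserPolicy", "CreateAccessKey"],
    },
}

# Managed policies whose attachment should never happen silently (assumption; tune per org).
WATCHED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

# eventName -> (boto3 IAM client method, boto3 keyword, CloudTrail requestParameters key)
DETACH = {
    "AttachUserPolicy": ("detach_user_policy", "UserName", "userName"),
    "AttachGroupPolicy": ("detach_group_policy", "GroupName", "groupName"),
    "AttachRolePolicy": ("detach_role_policy", "RoleName", "roleName"),
}


def matches_rule(pattern, event):
    """Minimal EventBridge pattern matching: every pattern key must exist in the
    event; a list means 'the value must be one of these', a dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches_rule(want, got):
                return False
        elif got not in want:
            return False
    return True


def classify(detail):
    """Severity and reason for one CloudTrail record (the event's 'detail')."""
    name = detail.get("eventName", "")
    params = detail.get("requestParameters") or {}
    if name in DETACH and params.get("policyArn") in WATCHED_POLICY_ARNS:
        return "HIGH", f"{name} attached {params['policyArn']}"
    if name == "PutUserPolicy":
        return "MEDIUM", "inline policy written directly to a user"
    if name == "CreateAccessKey":
        return "LOW", "new long-lived access key created"
    return "INFO", name


def handler(event, context=None, iam_client=None):
    """Lambda entry point. With iam_client=None it only reports (dry run);
    pass boto3.client('iam') to detach watched policies automatically."""
    if not matches_rule(RULE_PATTERN, event):
        return {"severity": "INFO", "reason": "", "actor": None, "action": "ignored-unmatched"}
    detail = event["detail"]
    severity, reason = classify(detail)
    result = {"severity": severity, "reason": reason,
              "actor": detail.get("userIdentity", {}).get("arn"),
              "source_ip": detail.get("sourceIPAddress"), "action": "alert-only"}
    # CloudTrail also records denied calls; there is nothing to undo for those.
    if detail.get("errorCode"):
        result["action"] = "ignored-failed-call"
        return result
    if severity == "HIGH":
        method, kw, ct_key = DETACH[detail["eventName"]]
        params = detail["requestParameters"]
        if iam_client is None:
            result["action"] = f"dry-run:{method}"
        else:
            getattr(iam_client, method)(**{kw: params[ct_key], "PolicyArn": params["policyArn"]})
            result["action"] = "detached"
    return result


# Constructed sample event (fictional account and principals), shaped like what
# EventBridge hands to the Lambda function as its first argument.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The rule pattern is what narrows the firehose of CloudTrail events to the few IAM calls worth a near-real-time reaction; the handler then separates a denied attempt (worth an alert, nothing to undo) from a successful one, and only performs the detach when a real IAM client is injected, which keeps the dry-run path usable for testing outside an account.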
CloudWatch Events and EventBridge
I want to cover both because, although the underlying API is the same, EventBridge is the new version of CloudWatch Events. The idea of this service is to be a bridge between internal and external services, receiving data and taking action according to its intelligent rule engine.
One limitation of CloudWatch Events was that it supported fewer services and was restricted to AWS services only; EventBridge supports external services as well.
GuardDuty
This is one of the easiest services to enable and it is highly recommended. Setting up any IDS (Intrusion Detection System) can be a daunting task, but with GuardDuty your entire AWS account is covered: it detects bad actors trying to break into your cloud infrastructure by spotting activity such as ping floods and SSH brute force.
This service also works well with multiple AWS accounts, so if you are planning to set up a landing-zone style architecture, enable GuardDuty in your central security account.
Macie
Handling PII data has always been a tough task and it can turn out to be very expensive. AWS Macie, which is machine learning based, can scan your S3 buckets and report anything related to personal information, payment information or other sensitive information, which can be defined via rules.
This service delivers a report and we can select the criticality level of the data. Right now, Macie only works with S3, and the service comes under the category of data leak protection.
AWS Config
The cloud provides the flexibility to change infrastructure sizing at any point in time; that is where the elasticity and real value of the cloud lies. However, businesses need to follow their industry compliance standards, under which managing the entire history of infrastructure assets can be complex.
AWS Config, released a few years ago, continuously checks the infrastructure running in your account and monitors any change that takes place, even in its supporting components. It records the entire lifecycle of the infrastructure and integrates very well with AWS Lambda to achieve event-driven security.
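The Config-plus-Lambda integration just described is normally done with a custom Config rule: Config invokes the function with the changed resource's configuration item and the function reports back COMPLIANT or NON_COMPLIANT. Below is an added example of such a handler, not code from the article or from Cloud Kinetics. It assumes the configuration item for a security group follows the EC2 describe-security-groups shape that Config records (both the plain `ipRanges` strings and the `ipv4Ranges` objects are handled), and the watched ports, the rule name and the sample item are constructed for the demo.

```python
"""Added example (not from the original article): a Lambda handler in the shape AWS
Config uses for custom rules, flagging security groups that open admin ports to the
world as soon as the change is recorded. Ports, rule name and sample data are assumptions."""
import json

WATCHED_PORTS = {22, 3389}              # assumption: SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Collect every CIDR in one ipPermissions entry, whichever shape Config recorded."""
    out = set(perm.get("ipRanges", []))                       # plain strings
    out |= {r["cidrIp"] for r in perm.get("ipv4Ranges", []) if "cidrIp" in r}
    out |= {r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if "cidrIpv6" in r}
    return out


def _covers(perm, port):
    """True if the permission's port range (or 'all protocols') includes the port."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for a security group configuration."""
    for perm in configuration.get("ipPermissions", []):
        exposed = _cidrs(perm) & ANYWHERE
        if not exposed:
            continue
        for port in sorted(WATCHED_PORTS):
            if _covers(perm, port):
                return "NON_COMPLIANT", f"port {port} open to {', '.join(sorted(exposed))}"
    return "COMPLIANT", "no watched port exposed to the internet"


def handler(event, context=None, config_client=None):
    """Lambda entry point for a Config custom rule. With config_client=None the
    evaluation is only returned; pass boto3.client('config') to report it to Config."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:                     # e.g. oversized notifications carry no item here
        return None
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {})
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_config_event(item, result_token="constructed-token"):
    """Build the event Config sends to a custom rule (invokingEvent is a JSON string)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": result_token,
        "eventLeftScope": False,
        "configRuleName": "sg-no-admin-ports-open",   # assumption
    }


# Constructed sample configuration item: HTTPS open to the world is fine, SSH is not.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"],
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"],
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ],
    },
}

if __name__ == "__main__":
    print(handler(make_config_event(SAMPLE_ITEM)))
```

Because Config invokes the rule on every recorded change, the evaluation lands minutes after the misconfiguration rather than at the next scheduled scan, and the `ipProtocol == "-1"` and deleted-resource branches cover the two cases that most often produce wrong verdicts in such rules.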
Web Application Firewall (WAF)
The Internet is open and vulnerable, and so are web-facing applications. Millions of web attacks happen every day, and they may affect our business revenue if our applications and infrastructure are not ready to mitigate them. WAF is a managed serverless service in the AWS portfolio. WAF can integrate with the Application Load Balancer and can even work at the edge when integrated with AWS CloudFront (the CDN service).
It can handle millions of hits per second with its intelligent rule engine to scan and block malicious traffic. The OWASP Top 10 attacks can be mitigated by using WAF in front of your web-facing application.
Security Hub
This service is relatively new but is gaining maturity with time. The idea is to test your AWS account against industry-specific compliance standards. For example, if you want to build your infrastructure to follow PCI (Payment Card Industry) requirements, then this can be a one-stop scan to check whether you are missing any critical points.
Security Hub is integrated with AWS Inspector, which checks the CVEs of the OS and applications (for a few tech stacks) and gives us a central view of our account.
The Bottom Line on Cloud Infrastructure with AWS Event-Driven Security
Security is everyone's responsibility, and regardless of the scale of the organization it should be taken seriously. Many services can be used to secure your AWS environment. We hope this article has helped you understand cloud infrastructure with AWS event-driven security and how these services can all be used under a "pay-as-you-go" cloud pricing model.
Need help to implement the required security protocols in your account? Contact our team at Cloud Kinetics for Cloud Infrastructure with AWS. We’ll be happy to perform a security assessment of your account and recommend the optimal security approach.