When it comes to security, Cloud operates on a shared responsibility model and when an organization is planning their cloud adoption roadmap, security is a key part of discussion. Security is always critical for companies and it is not only a technology issue, but also a business problem.
Security is not only about encrypting the data at rest and data in flight, but there are many other layers to consider like network layer design security, users who are going to admin/develop on cloud their permission levels, securing the Application from bad bots, SQL Injection at scale etc. – all these are a part of the overall security posture.
Shared security model – in which security of the Cloud is the Cloud Provider’s responsibility and security in the Cloud is user’s responsibility. What I mean is that physical hardware, geography, Infrastructure, Authorised Employee access etc. are the responsibility of the Cloud Provider, and there are services, which need to be enabled in the Design Architecture to achieve Security in the Cloud.
AWS Event-Driven Security
In this post, I would like to share about how AWS is driving security at different layers and how the innovative security services are shifting toward event-driven calls to action. Before diving deeper, I would like to share more about a few services from AWS – combining which – we can build an Event-Driven Security posture for your AWS Account.
- CloudTrail – Repository for logging All API’s Call W.
- CloudWatch- especially Cloud Watch Events
- Event bridge – Cloud Watch Events V2
- Guard Duty – A Cloud based IDS
- Macie- ML bases Data Leak Protection
- AWS Config – Assets history Manager
- WAF – Serverless Layer 7 Firewall Service
- Security Hub – One-stop shop for Entire Account Security.
All the above have play a role at different levels and a few of them may be combined to make a cloud native event-driven security architecture.
One of the most important layer, which can also be one of the weakest links in any organization are ‘Users’. AWS provides IAM Services which is User/Group/Permission store place. IAM provides Managed Policies – a set of permissions assigned to a User or Group. One concern can be that it could be very wide which may expose certain services to a user who is not supposed to take action or when the infrastructure belongs to another department of an organization.
I recommend using Cloudtrail along with Cloudwatch Events to strengthen the security of IAM access in real time.
Let us cover each service in detail:
Whatever we do in Cloud, under-the-hood, it is calling API’s of that service to perform the action. CloudTrail is the AWS service that records all the calls and can be queried to review actions. Logs can be stored in S3 for long-term retention, which helps for Audit and compliance purposes.
Cloudtrail integrates with CloudWatch Events to enable Event-driven security and quick calls to action, which may only be notification to relevant stakeholders or auto remediation of that action which can triggered by Lambda function.
Important thing to note is that Cloudtrail does not publish logs in real time so using CloudWatch Events, it is now possible to monitor specific API calls that occurred in account to take action.
Cloud Watch Events and Event Bridge
I want to cover both because although the underlying API is the same, Event Bridge is a new version of CloudWatch events. The idea of this service is to become a bridge between internal and external services to get data and take action according to the intelligent rule engine.
One limitation with Cloudwatch Events was that it supports fewer services and was restricted to only AWS services but with Event Bridge, it supports external services as well.
This is one of the easiest service to enable and it is highly recommended. Setting up any IDS (Intrustion Detection System) can be a daunting task but with Guard Duty Service, your entire AWS Account will be covered to detect any bad actor trying to crack into your infrastructure by detecting ping flood, SSH Brute force etc.
This service also works well with multiple AWS accounts – so if you are planning to setup a landing zone kind of architecture, then enable Guard Duty in your Central security account.
Handling PII data is always a tough task in the past and it can turn out be very expensive to handle. With services like AWS Macie, which is Machine Learning based, it can scan the AWS S3 buckets to give you information about anything related to Personal Information, Payment Information or other sensitive information which can be defined via rules.
This service will deliver a report and we can select the criticality level of Data. Right now, Macie only works with S3 and the API comes under the category of Data Leak Protection.
Cloud provides flexibility to change the infrastructure sizing at any point of time that is where the elasticity and real value of cloud lies. However, businesses need to follow their industry compliance standards under which, managing the entire history of infrastructure assets can be complex.
AWS Config released by AWS a few years ago, continuously checks the Infrastructure running in your account and monitors any change that takes place even in its supporting components. It records the entire lifecycle details of Infrastructure and can be integrated with AWS Lambda very well to achieve event-driven security.
Web Application Firewall (WAF)
Internet is open and vulnerable and so are web-facing applications. There are millions of web attacks happening every day and it may affect our business revenue if our applications and infrastructure are not ready to mitigate such attacks. WAF is a managed serverless service in AWS Portfolio. WAF can integrate with Application Load Balancer and can even work “on-the edge” when integrated with AWS Cloudfront (CDN service) which is implemented on https://aussielowdepositcasino.com/raging-bull-casino/.
It is capable to handle millions of hits per second with its intelligent rule engine to scan and block malicious traffic. OWASP top 10 attacks can be mitigated by using WAF in your Web facing application.
This service is relatively new but it is gaining maturity with time. The idea is to test you AWS Account against industry specific compliances. For example, if you want to build your Infrastructure for following PCI (Payment Card Industry), then this can be a one-stop scan to check if you are missing any critical points.
Security Hub is integrated with AWS Inspector which checks the CVE’s of OS and Applications (few tech stacks) and gives us central view of our account.
Security is everyone’s responsibility and regardless of the scale of the organization, it should be considered seriously. There are many other services, which can be used to secure your AWS environment.
I hope this article helped you to understand the idea of event-driven security services offered by AWS and all can be utilized with a ‘pay-as-you-go’ cloud pricing model.
So don’t wait! Let us start implementing the required security protocols in your account. Contact Us and our team at Cloud Kinetics will be happy to perform a Security Assessment of your account and recommend the optimal security approach.
Follow us on LinkedIn for more updates.