AWS Monitoring and Auditing Your Cloud Environments - cloud computing security - summary CH6
All services and security controls send their audit logs to → a central audit service for → alerts and further analysis.
Conducting security monitoring and audit trails
Monitoring is a crucial part of security in the cloud
Logging Activities in Cloud Environments:
User login events (both success and failure)
Actions taken:
Who performed the action
When the action occurred
What was the end result (success or failure)
Documenting all actions (audit trail)
Centralized Repository:
Storing events in a central repository
Limited access to logs:
According to the need-to-know concept
Alerts and Rules:
Raising alerts according to pre-configured rules:
Example rule: Alert on successful login of root account or administrator
Alerting on specific events based on configured criteria, and being able to take actions in response to logged events
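The example rule above (alert on a successful root or administrator login) as working detection logic, added here as an illustration rather than code from the summary or from AWS. It runs over a constructed CloudTrail-format log body and also generalizes the "pre-configured rules" idea to a second rule, a burst of failed console logins for one principal within a time window; the threshold and window values are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the CloudTrail record format (not real log data):
# one root console login success, one normal user login, one non-login API call,
# and five ConsoleLogin failures for "bob" inside one minute.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T08:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.8"},
    {"eventTime": "2024-01-10T08:02:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": None, "sourceIPAddress": "198.51.100.8"},
] + [
    {"eventTime": f"2024-01-10T08:03:{sec:02d}Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"}
    for sec in (0, 20, 40, 50, 59)
]})

# Assumed tuning values for the burst rule (not from the page).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(log_text)["Records"]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal(record):
    """Best available name for who performed the action (userName, else ARN, else type)."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def login_outcome(record):
    """'Success', 'Failure', or None when the record is not a ConsoleLogin event."""
    if record.get("eventName") != "ConsoleLogin":
        return None
    return (record.get("responseElements") or {}).get("ConsoleLogin")


def rule_root_console_login(record):
    """The page's example rule: alert on a successful console login by the root account."""
    if login_outcome(record) == "Success" and (record.get("userIdentity") or {}).get("type") == "Root":
        return {"rule": "root-console-login", "principal": principal(record),
                "time": record["eventTime"], "sourceIP": record.get("sourceIPAddress")}
    return None


def rule_failed_login_burst(records, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Alert once per principal that has >= threshold failed logins inside a sliding window."""
    failures = defaultdict(list)
    for r in records:
        if login_outcome(r) == "Failure":
            failures[principal(r)].append(parse_time(r["eventTime"]))
    alerts = []
    for who, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed-login-burst", "principal": who,
                               "count": end - start + 1,
                               "window_start": times[start].isoformat() + "Z"})
                break
    return alerts


def evaluate(records):
    """Run every rule over the records and return the list of alerts to raise."""
    alerts = [a for a in (rule_root_console_login(r) for r in records) if a]
    alerts.extend(rule_failed_login_burst(records))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(load_records(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the records would come from the CloudTrail log files delivered to the central S3 bucket (or from a CloudWatch Logs subscription), and the alert dictionaries would be forwarded to the central alerting service the notes describe.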
All resources are based on APIs → which allows us to deploy the resources and make changes to them
Control cloud resources → using security controls → from security groups to Web Application Firewalls (WAF)
Cloud resources send audit logs to a central logging service → for further analysis
Logging may be automatic or may need to be enabled manually.
Security monitoring and audit trails using AWS CloudTrail
AWS provides several monitoring and auditing services:
AWS CloudTrail: Amazon's managed audit trail service that tracks user activity based on AWS API usage, allowing analysis and correlation of management-related API events.
Amazon CloudWatch: An Amazon-managed service for collecting events related to cloud endpoints, such as EC2 and Relational Database Service (RDS).
AWS Config: A service that monitors configuration changes across various AWS services.
DNS Logs: Enable the detection of DNS queries from your Virtual Private Cloud (VPC) to a Command and Control (C&C) server.
VPC Flow Logs: Allow you to detect malicious traffic from your VPC to a C&C server.
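What "detecting malicious traffic from your VPC to a C&C server" looks like over actual VPC Flow Log lines, as an added example (not code from the summary or from AWS). The log lines, the VPC CIDR and the blocklist of C&C addresses are all constructed for the example; in practice the blocklist would come from a threat-intelligence feed. It handles the NODATA records that carry no addresses and reports both directions of a matching flow.

```python
import ipaddress

# Constructed sample VPC Flow Log lines in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Addresses use documentation ranges.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.9 49152 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.20 49153 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.25 443 49152 6 15 3000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.30 203.0.113.50 55000 8080 6 5 300 1700000120 1700000180 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000180 1700000240 - NODATA
"""

# Constructed placeholder for a threat-intelligence list of known C&C addresses.
KNOWN_C2 = {ipaddress.ip_address("203.0.113.9"), ipaddress.ip_address("203.0.113.50")}
# Assumed address range of the monitored VPC.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_line(line):
    """Parse one default-format flow log line; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA lines have "-" in the address fields
        return None
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def find_c2_flows(log_text, blocklist=KNOWN_C2, vpc_cidr=VPC_CIDR):
    """Return one finding per flow between a VPC host and a blocklisted address."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None:
            continue
        if rec["dstaddr"] in blocklist and rec["srcaddr"] in vpc_cidr:
            direction, host, peer = "outbound", rec["srcaddr"], rec["dstaddr"]
        elif rec["srcaddr"] in blocklist and rec["dstaddr"] in vpc_cidr:
            direction, host, peer = "inbound", rec["dstaddr"], rec["srcaddr"]
        else:
            continue
        findings.append({"direction": direction, "host": str(host), "peer": str(peer),
                         "dstport": rec["dstport"], "action": rec["action"],
                         "bytes": rec["bytes"], "interface": rec["interface_id"]})
    return findings


def bytes_per_peer(findings):
    """Total bytes actually exchanged (ACCEPT only) with each blocklisted address."""
    totals = {}
    for f in findings:
        if f["action"] == "ACCEPT":
            totals[f["peer"]] = totals.get(f["peer"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    found = find_c2_flows(SAMPLE_FLOW_LOG)
    for f in found:
        print(f)
    print(bytes_per_peer(found))
```

Flow logs show addresses only, so a REJECT finding tells you a host tried to reach a known C&C address even though the security group stopped it; pairing this with DNS query logs is what lets you see which name was resolved before the connection attempt.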
Best practices for using AWS CloudTrail
Enable AWS CloudTrail on all accounts and regions.
Log data events like S3 object activity, AWS Lambda executions, and DynamoDB events.
Activate CloudTrail Insights for detecting unusual write API events.
Restrict access to CloudTrail logs to a few trusted employees, preferably in an AWS management account → outside the scope of your end users, to avoid possible deletion of or changes to audit logs
Mandate Multi-Factor Authentication (MFA) for users accessing the CloudTrail console.
Security monitoring using AWS Security Hub
AWS Security Hub aggregates events and configurations from various sources (Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Systems Manager, and AWS Firewall Manager) into a single console.
Amazon GuardDuty: continuously monitors CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning to detect malicious activities in the AWS environment.
Amazon Inspector: a vulnerability assessment service for EC2 instances, identifying issues like misconfigurations and missing patches.
Amazon Macie: discovers and protects sensitive information, like Personally Identifiable Information (PII), in S3 buckets.
AWS IAM Access Analyzer: detects unnecessary IAM permissions, preventing over-privileged access to resources by external entities.
AWS Systems Manager: enables automated tasks on EC2 or RDS instances centrally, including logging in and changing settings across a group of EC2 instances.
AWS Firewall Manager: configures WAF rules centrally for large environments.
Best practices for using AWS Security Hub
Activate AWS Security Hub across all accounts and regions using a single master AWS account.
Grant minimal privileges to the AWS Security Hub console, enforcing MFA for authorized users.
Enable AWS Config for tracking and forwarding configuration changes to AWS Security Hub.
Activate the AWS Foundational Security Best Practices standard in AWS Security Hub.
Use AWS Security Hub insights to review and decide on actions for findings.
Follow the remediation instructions in the AWS Security Hub console to fix security events.
Using Amazon Detective for threat detection
Amazon Detective is a cloud-native alternative to third-party tools like Splunk.
It enables querying extensive logs and detecting security-related incidents.
Amazon Detective connects to services like AWS CloudTrail and Amazon VPC Flow Logs to identify login events, API calls, and network traffic.
It employs machine learning to detect activities outside normal behavior, aiding in pinpointing the root cause of suspicious activities in your AWS environment.
Best practices for using Amazon Detective for threat detection
Limit access to Amazon Detective findings to a select group of employees.
Mandate MFA for employees accessing the Amazon Detective console and logs.
Utilize Amazon Detective to analyze AWS IAM roles' activities and send results to Amazon GuardDuty.
Log activities on the Amazon Detective console using AWS CloudTrail.
Leverage Amazon Detective in incident response and threat hunting to detect security-related incidents in your AWS environment.
Using Amazon GuardDuty for threat detection
Amazon GuardDuty monitors VPC Flow Logs, AWS CloudTrail, CloudTrail S3 data event logs, and DNS logs.
Utilizes machine learning to review logs and alerts on events requiring further investigation or actions.
Can be applied to a single AWS account or an entire AWS organization.
To prevent blind spots, aggregate GuardDuty findings using CloudWatch Events into a central S3 bucket.
Best practices for using Amazon GuardDuty for threat detection
Utilize IAM roles with minimal access for GuardDuty console users.
Enforce MFA for users with access to the GuardDuty console.
Enable S3 protection at an organization level and on sensitive S3 buckets to let GuardDuty monitor and detect malicious activity.
Use CloudWatch Events for GuardDuty findings notifications.
For remediation activities, choose one of the following alternatives:
Use CloudWatch to trigger AWS Lambda functions for GuardDuty remediation.
Send Security Hub events to AWS Systems Manager for actions on remote EC2 instances.
Trigger AWS Lambda functions from Security Hub events for actions like closing ports on security groups.
Log GuardDuty console activities using AWS CloudTrail.
Integrate Amazon GuardDuty with AWS Security Hub for a centralized view of compliance and security incidents.
Enable integration between Amazon Detective and Amazon GuardDuty to bring findings from Amazon Detective into the GuardDuty console.
Conducting incident response and digital forensics
Incident response and forensics in cloud environments are challenging due to various factors:
The entire environment is stored at a physical location managed by an external service provider.
The environment might be split between on-premises and a cloud provider, known as a hybrid cloud environment.
The environment could be spread across multiple cloud providers, referred to as a multi-cloud environment.
Cloud resources may be distributed across multiple regions or accounts, leading to visibility challenges and a lack of information about ownership and management.
In the shared responsibility model, we may not have visibility into actions performed by the cloud provider, like changes to a managed database or SaaS application activities.
Our cloud environment may include services that the central IT or security department is not aware of, managed by business-division IT or third-party entities.
Virtual servers and containers are ephemeral, existing for short periods before decommissioning and erasure.
The National Institute of Standards and Technology (NIST) defines the following stages for conducting incident response:
Preparation: Update contact information for incident response, set up documentation systems, and prepare a forensic workstation.
Detection and analysis: Collect audit and change management logs to spot anomalies. Analyze data from IDS/IPS logs for events like website defacement.
Containment, eradication, and recovery: Identify the attacking host, take removal actions (e.g., malware removal), and restore systems to normal activity.
Post-incident activity: Conduct lessons-learned and update procedures to reduce the likelihood of similar attacks.
Conducting incident response in AWS
Incident response life cycle:
Detection phase:
Use AWS CloudTrail to log API actions for future analysis.
Employ Amazon CloudWatch Logs to alert on unusual patterns, like a spike in failed logins.
Leverage Amazon GuardDuty to detect suspicious activity from AWS CloudTrail logs, VPC Flow Logs, or DNS logs.
Utilize VPC Flow Logs to monitor network activity.
Use Amazon Macie to identify any leakage of sensitive information, such as credit card details, stored in S3 buckets.
Respond phase:
Use AWS Config rules to automatically bring configuration settings back to the desired state.
Employ Amazon CloudWatch Events to trigger AWS Lambda functions as guardrails for automated responses, such as blocking a security group rule or shutting down an EC2 instance.
Utilize AWS Systems Manager to execute commands on multiple remote EC2 instances.
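The "Lambda function as a guardrail" response pattern from the respond phase (and the GuardDuty remediation alternatives listed earlier) as a worked example, added here and not taken from the summary or from AWS. It is a Lambda-style handler for a GuardDuty finding delivered through CloudWatch Events/EventBridge: above an assumed severity threshold, for brute-force finding types, it revokes only the security group ingress rules that expose the attacked port to the whole internet, leaving internal rules in place. The sample event and the FakeEc2 stand-in for the boto3 EC2 client are constructed so the example runs offline; with no client passed in, the handler uses boto3.

```python
# Constructed EventBridge event carrying a GuardDuty finding (shape follows the
# "GuardDuty Finding" event, trimmed to the fields the handler reads).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0123456789abcdef0"}]}],
            },
        },
    },
}

SEVERITY_THRESHOLD = 7.0  # assumed: only auto-remediate high-severity findings
# Finding type -> the port the finding implies is exposed to the world.
PORT_FOR_FINDING = {
    "UnauthorizedAccess:EC2/SSHBruteForce": 22,
    "UnauthorizedAccess:EC2/RDPBruteForce": 3389,
}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_rules(ec2, group_id, port):
    """Ingress permissions on group_id that expose `port` to 0.0.0.0/0 or ::/0, in revoke form."""
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    rules = []
    for perm in resp["SecurityGroups"][0].get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        rule = {"IpProtocol": perm["IpProtocol"]}  # only the world-open ranges are revoked
        if "FromPort" in perm:
            rule["FromPort"], rule["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        rules.append(rule)
    return rules


def handle_finding(event, ec2=None):
    """Decide and apply the guardrail action for one GuardDuty finding; returns what was done."""
    detail = event.get("detail", {})
    ftype = detail.get("type", "")
    result = {"finding": detail.get("id"), "type": ftype, "revoked": []}
    if detail.get("severity", 0) < SEVERITY_THRESHOLD:
        result["reason"] = "below severity threshold"
        return result
    port = PORT_FOR_FINDING.get(ftype)
    if port is None or detail.get("resource", {}).get("resourceType") != "Instance":
        result["reason"] = "no automated action for this finding type"
        return result
    if ec2 is None:
        import boto3  # real client only when the handler runs inside Lambda
        ec2 = boto3.client("ec2")
    nics = detail["resource"]["instanceDetails"].get("networkInterfaces", [])
    groups = {sg["groupId"] for nic in nics for sg in nic.get("securityGroups", [])}
    for gid in sorted(groups):
        rules = world_open_rules(ec2, gid, port)
        if rules:
            ec2.revoke_security_group_ingress(GroupId=gid, IpPermissions=rules)
            result["revoked"].append({"groupId": gid, "port": port, "rules": len(rules)})
    result["reason"] = "remediated" if result["revoked"] else "nothing exposed to the world"
    return result


def lambda_handler(event, context):
    return handle_finding(event)


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self, permissions):
        self.permissions, self.revoked = permissions, []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.permissions}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append((GroupId, IpPermissions))
        return {"Return": True}


def demo():
    """Port 22 open to the world and to 10.0.0.0/8; only the world rule should be revoked."""
    fake = FakeEc2([
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ])
    return handle_finding(SAMPLE_EVENT, ec2=fake), fake


if __name__ == "__main__":
    outcome, client = demo()
    print(outcome)
    print(client.revoked)
```

The Lambda execution role for this only needs ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress, and every revoke is itself recorded by CloudTrail, so the guardrail's own actions end up in the same audit trail the detection started from.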
Recover phase:
Use AWS Backup to restore an EC2 instance from an older backup.
Utilize Elastic Block Store (EBS) snapshots to restore EBS volumes.
Employ CloudFormation templates to rebuild an entire AWS environment from scratch.