So far in this series, we have shared tips for securing access to your AWS resources, hardening your system and protecting with a firewall and IPS combination. At this point, your applications running on Amazon Web Services are resilient to attack, but it is critical that ongoing monitoring be a part of your overall security strategy. Monitoring ensures that you are aware of intrusions that have made it past your lines of defense, and that your application continues to operate correctly.
Start With Statistics
AWS provides CloudWatch, an excellent service to monitor your overall system health. By setting alarms with thresholds, you can detect abnormal network activity, outages, or indicators of attacks like DDoS.
Logs, Logs and More Logs
Looking deeper than statistics, logs play a big part of monitoring the state of your AWS resources. Monitoring OS, application, and security logs can provide a lot of value in detecting man-in-the-middle SSL attacks, spoofing, scanning, and intrusion attempts. Third party tools are often required to analyze and ship these logs.
Putting metrics around events can help understand uptime and track your overall security posture over time.
Put a Microscope on Your Instances
File Integrity Monitoring is a special type of monitoring that can add further value. FIM can be used to detect unautorized changes on your systems such as alteration of critical system files, or changes to your application. These may be symptoms of intrusions or unplanned activity.
In many cases your applications are reading and writing data from S3, Glacier, RDS or other sources and the contents of the EBS volume should not change at all. Employing FIM allows you to detect any alteration to that secure AMI you so carefully built!
Integrity monitoring is a critical part of compliance as well, if you are using AWS to process credit card or sensitive data. Some integrity monitoring software even watches for changes in the registry, ports, processes, or other indicators of compromise.
Watching the Watcher
Ideally all of your relevant events are extracted and centralized to a tool for review. This ensures that you get a broad perspective of all of your resources and could help you troubleshoot problems across different regions and availability zones.
File Integrity Monitoring, Log Management, and SIEM systems all produce a lot of results! Any system worth it’s salt will help filter these down to the relevant set of events however, at the end of the day it important for a human to be involved in the ongoing monitoring of the system. If you have a DevOps team, automating the process of escalating important events into notifications is critical.
What do you do to maintain integrity and monitor your instances? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.