Last time we discussed how the shared responsibility model works to enhance your overall security. Using the shared responsibility model, your workloads can be more secure in the cloud than in the data center, a point further supported by the new IDC paper from Amazon Web Services this week.
Once you have narrowed things down to the aspects that are your responsibility, visibility becomes very important.
First there is visibility ‘outside’ of your workloads. AWS CloudTrail, for instance, records the calls made to the AWS APIs: activities like new instances being launched or virtual network configurations being changed, along with which identity made the call and from what address. This gives you an important record of change that can be used for auditing, change control and diagnosing unintended misconfigurations. Because it is your record of change, an attempt to stop or alter the trail itself is one of the first things worth looking for in it.
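As an added example (not code from the original post, from AWS or from Trend Micro), here is the kind of review you can run over a CloudTrail log file once it is in your hands: pick out the calls that change compute or network configuration, rate a security group opened to the whole internet or any attempt to touch the trail itself as high severity, and keep denied attempts in view too. The log is a constructed sample laid out like a CloudTrail record (the field names are the real ones; the account ID, ARNs, resource IDs and addresses are invented), and the list of watched events is my assumption about what matters for change control, not an AWS-defined category.

```python
"""Triage AWS CloudTrail records for change-control review.

Added example, not code from the original post. SAMPLE_LOG is a constructed
CloudTrail log: the field names (Records, eventSource, eventName, eventTime,
userIdentity, sourceIPAddress, requestParameters, errorCode) follow the real
record layout, but the account ID, ARNs, resource IDs and addresses are made up.
"""
import ipaddress
import json

# Mutating calls worth a second look, grouped by the service that emits them.
# This selection is an assumption for the example, not an AWS category.
WATCHED_EVENTS = {
    "ec2.amazonaws.com": {
        "RunInstances", "TerminateInstances", "AuthorizeSecurityGroupIngress",
        "RevokeSecurityGroupIngress", "CreateRoute", "ModifyVpcAttribute",
    },
    # Anyone touching the trail itself is tampering with your record of change.
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-08-20T14:01:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2013-08-20T14:05:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"instanceType": "m1.small", "imageId": "ami-0a1b2c3d"}},
    {"eventTime": "2013-08-20T14:09:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2013-08-20T14:12:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "management-trail"}, "errorCode": "AccessDenied"},
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(text).get("Records", [])


def world_open_ports(request_params):
    """Return (protocol, fromPort, toPort) for every ingress rule in an
    AuthorizeSecurityGroupIngress call whose source is the whole internet."""
    hits = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        ranges = list(perm.get("ipRanges", {}).get("items", []))
        ranges += list(perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            # 0.0.0.0/0 and ::/0 are the only networks with a zero-length prefix.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def triage(records):
    """Reduce a list of records to findings on the watched events, rated by severity."""
    findings = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        if name not in WATCHED_EVENTS.get(source, set()):
            continue  # read-only or unwatched call: not a change-control event
        finding = {
            "time": rec.get("eventTime"), "event": name,
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"), "severity": "medium", "detail": "",
        }
        if source == "cloudtrail.amazonaws.com":
            finding["severity"] = "high"
            finding["detail"] = "audit trail change"
        elif name == "AuthorizeSecurityGroupIngress":
            open_ports = world_open_ports(rec.get("requestParameters") or {})
            if open_ports:
                finding["severity"] = "high"
                finding["detail"] = "ingress from anywhere: " + ", ".join(
                    f"{p}/{f}-{t}" for p, f, t in open_ports)
        if rec.get("errorCode"):
            # A denied attempt is still worth knowing about: someone tried.
            finding["detail"] = (finding["detail"] + f" (call failed: {rec['errorCode']})").strip()
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['severity']:6} {f['event']:32} {f['actor']} {f['detail']}")
```

On the sample, the read-only DescribeInstances call is dropped, the RunInstances from the deploy role is recorded as a routine change, the security group rule opening port 22 to 0.0.0.0/0 is rated high while the 10.0.0.0/8 rule on 443 in the same call is not, and bob's denied StopLogging is kept as a high-severity finding because the failed attempt is the interesting part.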
AWS also provides Amazon CloudWatch, an excellent service for monitoring your overall system health. By setting alarms with thresholds, you can detect abnormal network activity, outages, or indicators of attack such as a DDoS. Periods of intense usage may simply mean heavy user demand, or they could be an indicator of an attack under way; the alarm tells you that a condition is out of the norm, and it is up to you to correlate it with your other sources to tell the two apart.
To achieve the next level of visibility you need to put a microscope on your instances with host-based security controls like Deep Security. Monitoring OS, application and security logs can provide a lot of value in detecting SSL man-in-the-middle attempts, spoofing, scanning, intrusion attempts and other threats that happen inside the instance and therefore never appear in the AWS API record.
File Integrity Monitoring (FIM) adds further value by detecting unauthorized changes on your systems, such as the alteration of critical system files or changes to your application, as these may be symptoms of intrusion or unplanned activity. In many cases your applications read and write their data in S3, Glacier, RDS or other external stores, so outside of a deployment the OS and application files on the EBS volume should not change at all (log and temporary directories being the obvious exceptions to exclude from the baseline). Employing FIM lets you detect any drift from that secure AMI you so carefully built!
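To make concrete what FIM buys you, here is an added example (not Deep Security's code, nor the original post's) of a minimal baseline-and-compare monitor in Python. It snapshots the hash, permission bits, size and owner of every regular file under a root, skips paths that are expected to churn, and reports what was added, removed or modified. The directory tree it builds and the drift it introduces (a weakened sshd_config, a binary made setuid, a dropped file, a removed helper, and ordinary log growth) are constructed for the demonstration.

```python
"""Minimal file-integrity monitor: baseline a tree, then report drift.

Added example, not Deep Security's implementation. The tree built in demo()
is constructed for the demonstration.
"""
import fnmatch
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, exclude=()):
    """Snapshot every regular file under root: sha256, mode bits, size, owner.

    Paths matching an exclude glob (relative to root) are skipped; use this for
    paths that are expected to change, such as log directories. Symlinks and
    other non-regular files are out of scope for this example."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[rel] = {"sha256": _digest(full), "mode": stat.S_IMODE(st.st_mode),
                         "size": st.st_size, "uid": st.st_uid}
    return snap


def compare(old, new):
    """Diff two snapshots; 'modified' lists which attributes changed per file."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for rel in sorted(set(old) & set(new)):
        changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, baseline it, introduce drift, return the report."""
    exclude = ("var/log/*",)
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
            os.chmod(full, mode)

        write("etc/ssh/sshd_config", "PermitRootLogin no\n")
        write("usr/local/bin/app", "#!/bin/sh\necho app\n", 0o755)
        write("usr/local/bin/helper", "#!/bin/sh\n", 0o755)
        write("var/log/app.log", "started\n")
        before = baseline(root, exclude)

        # Simulated drift: config weakened, binary made setuid, a file dropped,
        # a file removed, and normal log growth that must NOT be reported.
        write("etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "usr/local/bin/app"), 0o4755)
        write("tmp/.x", "payload")
        os.remove(os.path.join(root, "usr/local/bin/helper"))
        with open(os.path.join(root, "var/log/app.log"), "a") as f:
            f.write("request\n")
        after = baseline(root, exclude)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the example is built around: the baseline has to be stored off the host (an intruder with root can rewrite a local baseline as easily as the files it covers), and the exclude list is where most of the tuning happens, since a FIM that alerts on every log write gets ignored within a week.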
And finally, all of your relevant AWS events should be extracted and centralized in a tool for review. This gives you a broad perspective across all of your resources, which helps you troubleshoot problems across different regions and availability zones.
At the end of the day, it is important for a human to be involved in the ongoing monitoring of your workload security. Hardened preventative security has value, but to really elevate your game you need to keep an eye on the ball.
If you have questions or comments, please post them below or follow me on Twitter: @justin_foster.