In AWS, we can configure our account to analyze its behavior, alert on changes in the configuration, track user actions to identify inappropriate behavior, and protect data from deletion or misuse. This is done with several services, following the best practices that AWS recommends, which we review below.
“When we have an AWS account, it’s necessary to monitor the environment to identify a threat or a failure.”
1.- Monitoring and Registration
Use the integrated AWS platform for monitoring and alerts.
CloudTrail records the API activity in the account and gives us the means to track changes and the security compliance of our accounts, but logging must be enabled for all accounts, services, and regions for this to be complete.
CloudTrail detective security best practices
CloudWatch helps us monitor and ensure that all of our workloads are running smoothly by collecting operational and monitoring data, delivered in the form of logs, metrics, and events.
In CloudWatch, we can analyze the behavior of our workloads and send alerts when there is unexpected behavior that requires some action from us.
Analyzing AWS CloudTrail in Amazon CloudWatch
With CloudWatch, we can analyze different categories of logs: infrastructure (VPC), host (NGINX/Apache/IIS), and services (S3, ELB), and review additional security-related events. When an alarm fires, it can take actions such as:
– Write to Amazon S3.
– Send an SNS notification.
Use a separate AWS account to obtain and store copies of all logs.
You must set up a secure, separate account and copy the logs into its own repository. This preserves access to information that is useful in security workflows and incident response, even if the source account is compromised.
2.- VPC monitoring
We can send VPC Flow Logs directly to CloudWatch Logs or Amazon S3 and thus monitor the traffic carried in the account, which also makes troubleshooting easier.
As a best practice, we create alerts that notify us if any changes are made to the configuration. For example, create an alarm that tells us when changes are made to a VPC configuration: Create alarm for VPC configuration changes
3.- S3 monitoring and detection
We can enable the logging of actions performed by users, roles, or AWS services on Amazon S3 resources and maintain logs for auditing and compliance purposes.
Enabling Amazon S3 server access logging
Avoid deliberate or accidental bucket deletion.
We enable MFA Delete so that when a user wants to perform a delete on the bucket, it is necessary to also supply the MFA code.
Deleting an object from an MFA delete-enabled bucket
Create an alarm that alerts us when someone uploads or deletes an object in a bucket.
Creating CloudWatch alarms for CloudTrail events: examples
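To make the two alarms above (VPC configuration changes and S3 object uploads/deletes) concrete, here is an added example written for this article, not code from AWS or XalDigital: it builds the CloudWatch Logs metric filter patterns for those CloudTrail events and runs the same matching logic over constructed CloudTrail records. The event names are real CloudTrail event names; the sample records, bucket name and account id are constructed placeholders.

```python
import json
# Event names from the AWS "CloudWatch alarms for CloudTrail events" VPC example.
VPC_CHANGE_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
}
# S3 object uploads/deletes are CloudTrail *data events*: they only reach the log
# group if data-event logging is enabled on the trail; otherwise no alarm can fire.
S3_OBJECT_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects"}

def metric_filter_pattern(event_names, event_source=None):
    """Build the CloudWatch Logs metric filter pattern for these event names."""
    names = " || ".join(f"($.eventName = {n})" for n in sorted(event_names))
    if event_source is None:
        return "{ " + names + " }"
    return "{ ($.eventSource = " + event_source + ") && (" + names + ") }"

def classify(record):
    """Mirror the two filters locally: which alarm would this CloudTrail record feed?"""
    name = record.get("eventName")
    if name in VPC_CHANGE_EVENTS:
        return "vpc_config_change"
    if name in S3_OBJECT_EVENTS and record.get("eventSource") == "s3.amazonaws.com":
        return "s3_object_change"
    return None

def scan(lines):
    """Count matching records per alarm over CloudTrail log lines (one JSON record each)."""
    counts = {}
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a metric filter skips lines it cannot parse as JSON
        category = classify(record)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample records, not real CloudTrail output; the account id is a placeholder.
SAMPLE_LOG = [
    '{"eventSource": "ec2.amazonaws.com", "eventName": "ModifyVpcAttribute", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "requestParameters": {"bucketName": "example-logs"}}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"}',
    "not json at all",
]
if __name__ == "__main__":
    print(metric_filter_pattern(S3_OBJECT_EVENTS, "s3.amazonaws.com"))
    print(scan(SAMPLE_LOG))  # {'vpc_config_change': 1, 's3_object_change': 1}
```

The printed pattern is what you would pass as the filter pattern of the metric filter on the CloudTrail log group; read-only calls such as GetObject and DescribeVpcs do not count, and unparseable lines are ignored.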
4.- RDS detection
Keep our RDS instances in a private VPC, controlling which EC2 instances can reach them through Security Groups. Use IAM policies with customized permissions for each user group that needs to manage RDS.
Use encryption in transit (SSL and TLS) and encryption at rest.
RDS Security Best Practices
5.- Detection in Application Load Balancer
Enable access logs on the ELB. ELB Access Logs
6.- Detection in CloudFront
For CloudFront, we recommend encrypting data in transit and at rest and restricting access to content appropriately. CloudFront Security
The main recommendation is to enable CloudFront logging to monitor the requests made to CloudFront on the account. Configure & Access CloudFront Logs
These are some of the services and the AWS best practices for them. At XalDigital we can advise you on staying up to date with best practices, knowledge, and technological solutions for your business. Contact us and get to know our solutions for your business.