This post offers valuable tips on how to easily assess how well your AWS environment is configured using Configuration Auditing. So, let’s get started…
What is a Cloud Security Baseline?
The phrase is bandied about a lot, so let’s get to it: What is a security baseline?
One of the problems that many organizations run into, especially when they are starting out in cloud security, is not knowing where to start and not having specific data to help them define and improve the status of their cloud security.
That’s where a baseline proves critical. CERN Computer Security defines a security baseline as “a set of basic security objectives which must be met by any given service or system.”
If you put this in the context of cloud security, a baseline will show you how closely a snapshot of your current cloud environment conforms to industry best practices and benchmarks.
This sounds a bit academic, so let’s get down to specifics by taking a look at Threat Stack Audit, the new product we are offering to help you establish and maintain a baseline.
How Do You Establish a Baseline for Your Organization?
Any cloud environment, no matter what its maturity level, is complex, and without an automated means of managing it, it can be difficult or impossible to gather and act on pertinent information.
To help you create your organization’s baseline and use it to improve your cloud security, Threat Stack has built the following critical capabilities to help:
- Configuration Auditing. This new feature of the Threat Stack intrusion detection platform (IDP) enables AWS customers to establish an accurate baseline of security across their AWS infrastructure. Threat Stack Audit scans account configurations and compares them against best practices and policies for AWS and Center for Internet Security (CIS) benchmarks.
- CloudTrail Alerting. This feature enables you to receive automatic alerts about changes to your instances, security groups, S3 buckets, access keys, and other changes to your AWS infrastructure that could represent a threat or lead to non-compliance.
Using the Audit Package, you immediately receive an assessment score as well as clear guidance on improvements. Services included are EC2, IAM, RDS, S3, and CloudTrail alerting. Following an initial scan, you can set up automated, daily scans.
How Does Configuration Auditing Work?
Whether you’re a seasoned security professional or an operations engineer who has been tasked with cloud security, Threat Stack Audit assesses your AWS configurations and provides recommendations on how to enhance your AWS environment by enabling you to:
- Audit your AWS configuration for violations
- View a summary of violations
- View details of each violation
- Suppress specific resources from further configuration checks
Once the first scan is complete, as shown below, you will immediately see what percent of each resource type does not comply with security best practices as well as an overall score for your AWS environment:
Each policy shows how many resources passed and failed the policy and provides access to a full description of the policy, the rationale for the policy, recommended remediation for violations, and a link to the CIS benchmark that is the source of the policy:
For each resource type that has violations, you can drill in to see which resources are not compliant, and either remediate or suppress the violation:
How Does CloudTrail Alerting Work?
Once you have established a baseline using Configuration Audit, the CloudTrail alerting capability will let you know when there is suspicious activity or activity that could result in non-compliance.
As shown below, CloudTrail alerting comes with 24 rules designed to detect suspicious activity in your AWS environment:
When a rule is triggered, an alert will be generated similar to the following:
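As an added illustration of the kind of rule described above (this is not Threat Stack's rule logic or alert format), the following toy rule engine evaluates constructed CloudTrail records against checks for security groups opened to the world, new IAM access keys, S3 bucket ACL or policy changes, and trail logging being stopped. The account ID, ARNs, group and trail names are made-up sample values; the event names and request-parameter layout follow the CloudTrail record format.

```python
# Constructed sample CloudTrail records (not from any real account); only the
# fields the rules below inspect are present.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",   # benign read-only call
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"},
     "requestParameters": {}},
]

def world_open_ingress(event):
    """True when a security-group ingress rule was opened to 0.0.0.0/0 or ::/0."""
    if event["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    for perm in event["requestParameters"]["ipPermissions"]["items"]:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            return True
    return False

# Rule table: rule name -> predicate over a single CloudTrail record.
RULES = {
    "security-group-open-to-world": world_open_ingress,
    "iam-access-key-created": lambda e: e["eventName"] == "CreateAccessKey",
    "cloudtrail-logging-disabled": lambda e: e["eventName"] in ("StopLogging", "DeleteTrail"),
    "s3-bucket-acl-or-policy-changed": lambda e: e["eventName"] in ("PutBucketAcl", "PutBucketPolicy"),
}

def evaluate(events):
    """Return one alert per (rule, record) match, in record order."""
    alerts = []
    for event in events:
        for rule_name, predicate in RULES.items():
            if predicate(event):
                alerts.append({"rule": rule_name, "event": event["eventName"],
                               "actor": event["userIdentity"]["arn"]})
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` yields three alerts (the security group, access key and StopLogging records) and nothing for the read-only DescribeInstances call.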
Ask for a Demo . . .
If you are an AWS customer, sign up for a free demo of our intrusion detection platform, and be sure to ask for details on how to audit your environment using Threat Stack’s Configuration Auditing capability.