Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts

Increasingly, AWS users are leveraging multiple accounts to manage their infrastructure. While doing so is a recommended best practice that enables users to achieve the highest levels of resource and security isolation and to optimize operational costs, it can also increase the amount of time and effort required for effective administration and remediation.

As a remedy to this problem (and “account sprawl” in general), and as a means of providing more granular alerting and actionable data, Threat Stack has built two key functionalities into its Cloud Security Platform®:

  • The ability to view multiple AWS accounts from one central location: Our unified view reduces admin time and provides significant convenience because end users no longer need to gather information and alerts from multiple accounts. This means you can focus on business issues and not administration!
  • Rulesets that are focused on giving more granular alerting and context to your interactions with the AWS control plane: Our extensive out-of-the-box rulesets give customers increased control plane visibility and more granular tracking of AWS API actions within their accounts, and you still have the flexibility of creating new rules and modifying existing rules (as we have previously documented.)

Read on for more details. Read more “Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts”

Creating Custom CloudTrail Rules in Threat Stack

The Threat Stack CloudTrail Base Ruleset has several out-of-the-box rules that alert users on activity within some of  AWS’s most popular services (also the ones most prone to attack), including S3, IAM, Glacier, and Lambda. Given that AWS has over 100 services, we want to arm you with the ability to create custom CloudTrail rules in the Threat Stack Cloud Security Platform® based on the specific AWS services you leverage.

In this post, we cover three examples of one of Threat Stack’s most powerful capabilities — the ability to create, clone, and edit CloudTrail-specific rules. We briefly discuss the scenario that explains why we’re crafting the rule and why it’s important to our organization; we also look at the methodology for creating the rule; and finally we test the rule to make sure it works.

In the three examples that follow, we explain how to create custom rules for Route53, DynamoDB, and EBS Volumes. Read more “Creating Custom CloudTrail Rules in Threat Stack”