As AWS continues to expand its services landscape, Threat Stack has made a commitment to keeping in step by crafting additional coverage that keeps your cloud environment secure. The latest additions we’ve made to Threat Stack’s CloudTrail rules are focused on giving more granular alerting and context to your interactions with the AWS control plane.
Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform®. Not only have we increased the number of rules from 26 to 87 — we have also provided rules for five AWS Services that were not covered previously (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). And don’t forget — the Cloud Security Platform still gives you the flexibility to create custom rules based on CloudTrail event data.
While we’re not going to comment on all 87 rules in this post, we are going to focus on important highlights, including:
- New rules to cover five additional AWS Services
- Expanded rules for Identity and Access Management (IAM)
- Expanded rules for Virtual Public Cloud (VPC)
The new rules for five additional AWS Services are discussed in Part 1 below, while Part 2 gives an overview of the expanded rules for AWS Services that we already support.
Part 1: New Rules for Five Additional AWS Services
We chose to write rules for the following five additional AWS Services in order to help Threat Stack customers tell the whole story of what is happening in their AWS control plane. As customers leverage different AWS Services, and as we learn about additional security-related control plane behaviors, we will continue to add rules.
DynamoDB is AWS’ fully managed NoSQL database service. One of the most attractive features of DynamoDB databases, and NoSQL databases in general, is their ease-of-use compared to traditional SQL databases. But they’re still databases and they still house data, so managing DynamoDB properly is critical from both an operational and a security perspective.
In light of this, Threat Stack has developed a core set of DynamoDB rules related to the creation and deletion of tables, backups, and informational discovery. (If you are interested in going further and alerting on DynamoDB encryption-related events, please see our blog post Creating Custom CloudTrail Rules in Threat Stack.)
2. Elastic Container Service (ECS)
ECS is AWS’ container management service that allows customers to manage Docker containers. It supports the launching of containers in both EC2 and Fargate infrastructures. Given the rapid adoption of containerization, the wide range of deployment methods, and the ever-evolving risks and lack of security best practices, it’s essential to receive alerts on critical functions related to your orchestration practices.
3. Elastic Kubernetes Service (EKS)
EKS is basically ECS for Kubernetes. Kubernetes is a container orchestration system that has seen wide adoption by companies wanting to manage their container clusters. AWS’ API to control EKS is limited at the moment, but we have you covered if you decide to leverage it. As the recently identified Kubernetes security flaw indicates, it’s important to have awareness of and take proactive measures to secure EKS and Kubernetes in general.
4. Security Token Service (STS)
STS provides temporary and limited credentials for IAM users or federated users who have been authenticated outside of AWS. Since this API allows people and processes to request temporary credentials, this service has obvious security implications. The new ruleset covers all components within STS and can give insight into what entities are requesting what access.
5. AWS Support
The AWS Support API exposes some aspects of the Amazon Support Center. It allows users to create, describe, and resolve support cases among other actions. Threat Stack has observed attackers that monitor support cases as an early warning that they are being detected in an environment.
To give you a taste of some of the specifics related to the newly covered AWS Services, we’ll now explore some of the additional rules available to your organization.
Elastic Container Service
The ECS Service is designed to help AWS customers manage their Docker containers and clusters. We decided to add rules for this service because a significant number of our customers have begun adopting Docker. The ruleset covers all ECS components, including the following API actions:
- Cluster Changes
- Service Changes
- Account Setting Changes
- Attribute Changes
- Container Instance Changes
- Task Definition Changes
- Task State Changes
- Resource Tag Changes
- Update Container Agent
For additional information about the other rules, please contact your dedicated Security Engineer if you are a current Threat Stack customer.
Part 2: Expanded Rules for Currently Supported AWS Services
To deliver even more security insights, we have created additional rules for the AWS Services that we have supported previously. In the following paragraphs, we will touch on two of these — Identity and Access Management (IAM) and Virtual Private Cloud (VPC) — since these represent two of the highest priority AWS security concerns.
Identity and Access Management
The IAM Service controls authentication to an AWS account for both people and processes. Any entity that can create, delete, and modify IAM components needs to be monitored, and CloudTrail logging is crucial in accomplishing this. The new CloudTrail ruleset can track and alert on the following IAM components:
- Access Key Changes
- Group Changes
- Instance Profile Changes
- Policy Changes
- Role Changes
- SAML Changes
- SSH Key Changes
- User Changes
We included these rules to help customers differentiate between normal business operations and those that might be the result of misconfigurations or malicious activity. These rules will provide a baseline of API activity for understanding what is normal for both people and processes. Once you have that baseline, additional tuning of rules is often necessary in order to highlight potential security incidents.
Virtual Private Cloud
Changes to VPC components is the cloud equivalent of changing firewalls and router settings in on-prem networks. This is the core of AWS virtual networking and controls network interfaces, routes, subnets, and access control lists. Our enhanced ruleset allows customers to monitor and audit changes to their VPC and will alert on critical security events. The enhanced CloudTrail ruleset applies to:
- ACL Changes
- Interface Changes
- Route Changes
- Subnet Changes
- Component Information Discovery
A Few Final Words . . .
Our latest ruleset update gives customers increased control plane visibility and more granular tracking of AWS API actions within their accounts. If there is any AWS service that is not covered within this update, you still have the flexibility of creating new CloudTrail rules and modifying existing rules as we have previously documented.
At Threat Stack we are committed to continuously improving cloud security. As AWS continues to expand its services, Threat Stack will continue to deliver the tools and services you need to uphold your part of the shared responsibility model. Having the ability to identify threats, receive alerts on cloud misconfigurations, and identify flaws in your internal security policies, enables you to operate securely in the AWS Cloud.
If you are a current Threat Stack customer, reach out to your dedicated Threat Stack security engineer to ask about deploying the new and enhanced CloudTrail rules. If you’d like to learn more about the Threat Stack Cloud Security Platform or our Threat Stack Cloud SecOps Program℠, contact us today.