AWS Security
Whether you are monitoring CloudTrail events, EC2, EKS, or Fargate, Threat Stack is the perfect complement to integrating with and securing your AWS environment.
The Threat Stack Approach
Manage Across Accounts and Consolidate Tools
Threat Stack helps you pull important security information from your AWS services and accounts into a central location, allowing you to quickly understand your attack surface and manage risk.
Trust but Verify
Inconsistent or overly permissioned DevOps teams can spin up instances and use services that could generate unexpected costs or exposures. Threat Stack enables you to gain visibility into infrastructure changes and risky behavior without introducing blockers and permissions that unnecessarily slow down your team.
Detect Anomalous Behavior in the Cloud
Unlike cloud security solutions that only assess account misconfigurations, Threat Stack also monitors for risky and anomalous behavior — helping you understand whether you’re exposed and what happened if someone breached your environment.
Cover Your Portion of the Shared Responsibility Model
While AWS is responsible for protecting the infrastructure that runs its services, you’re responsible for securing your data and systems. Threat Stack helps you manage the security and compliance for your share of responsibility by collecting and analyzing data from your host and AWS infrastructure control plane, and alerting you of risky misconfigurations or behaviors.
Be Prepared if Your AWS Keys End up in the Wrong Hands
Mistakes happen. If someone gets ahold of your AWS keys, they have free reign over your infrastructure and could make changes to your configurations, spin up new instances, or traverse your infrastructure until they find an instance with admin privileges to access private data.
Threat Stack monitors both AWS CloudTrail and AWS workloads. As a result, you get visibility to the entire path of the attacker, even for increasingly sophisticated attacks.
Integration Points
CloudTrail Integration
Receive alerts on changes to your instances, security groups, S3 buckets, and access keys, and also see whether any of these changes had adverse effects on your systems.
EC2 Integration
See an inventory of all servers and instances across multiple AWS accounts and see key information like instance ID, region, type, IP, and more. See which servers have the Threat Stack Agent installed and assign Threat Stack rules by using EC2 tags.
ECS
Monitor all activity of Amazon ECS containers and the hosts these containers are running on.
EKS
Monitor all activity of Amazon EKS containers and the hosts these containers are running on.
How Threat Stack Works
Multiple Layers of Infrastructure. One Timeline to Follow.
Infrastructure Control Plane Monitoring
Threat Stack ingests data from services like AWS CloudTrail to alert you of changes made like instances spun up in unused regions.
Host-Based Monitoring
Threat Stack’s lightweight agent monitors system, user, and file behavior on the host to alert you to signs of compromise — from the inside or outside.
Container Monitoring
Threat Stack integrates with Docker to alert you to suspicious activity — like someone logging into a container.
Monitor Expanding Infrastructure Automatically
As your company grows, it can be difficult to keep track of new AWS accounts and instances — and adding an obtrusive security solution can lead to insecure workarounds and shadow IT. The Threat Stack Agent can be baked into your AMIs and popular configuration management tools, so instances are automatically monitored as they are added. Threat Stack also gives you visibility across multiple accounts, making it easier to manage your attack surface and risk.
Assign Security Rules to Servers by EC2 Tag
Normal behavior on one server may indicate compromise on another. Threat Stack automatically pulls in your EC2 tags so you can easily assign rules to subsets of your servers. This means your alerts are even more relevant and actionable.
Investigate Events, Even if the Server No Longer Exists
Autoscaling infrastructure is great for your infrastructure costs and availability, but presents challenges when it comes to security. Threat Stack allows you to view a history of activity, even on terminated servers, so you won’t have missing pieces when it comes time to investigate.
Security Built for Highly Scalable Cloud Infrastructure
Autoscaling technology
Easily deployed with pre-built runbooks and agent baked into base AMI
Ability to investigate events on terminated servers
Host-based technology