Key AWS Monitoring Tools for Security & Audit Compliance – An Auditor’s Perspective

AWS Security Monitoring Tools for Audit Compliance

The cloud computing on-demand model of compute power, database, storage, applications, and other IT resources accomplishes a variety of tasks. It reduces barriers, creates flexibility, and increases speed to market. The benefits of the cloud mean that organizations must seriously consider the cloud to perform business.

Whether your organization is new to the cloud or is an “old hand,” maintaining a secure cloud environment is key for any organization. In my experience, I have come across multiple cases where organizations have failed to implement controls to properly secure their cloud environment.

To this end, Amazon Web Services (AWS) provides many tools and services to help organizations secure their AWS environment. Unfortunately, many organizations do not use, are not aware of, or do not know the purpose of all the AWS tools and services available to them, which increases an organization’s security risk. In this article, I would like to provide you with an auditor’s perspective on several AWS security monitoring tools and services that organizations should consider using to secure their environment.

Shared Responsibility Model

Before diving into the various AWS security tools and services, we should first address and recognize the shared security model of the AWS environment. Responsibility for securing the AWS environment is not the sole responsibility of either the cloud user or AWS. Rather, responsibility is shared between the two.

Of course, this statement is a bit simplistic, but a way to think about who is responsible for securing the different parts of the AWS cloud environment is:

  • Clients are responsible for securing what is IN AWS
  • AWS is responsible for the security OF the AWS cloud.

AWS provides a great illustration differentiating AWS’s and the Customer’s shared security responsibilities.

If you’d like to learn more regarding the shared responsibility model as it pertains to security, check out this article: The Shared Information Security Responsibility Model.

AWS Security Monitoring Tools

The AWS environment is massive, with many solutions and services available to organizations. Without proper knowledge and skills, AWS can create complexity and ultimately confusion about how best to secure the AWS environment. When preparing clients who use the AWS cloud environment for a Service Organization Control audit (SOC 1 or SOC 2), I often find control gaps in the client’s AWS security profile. Many of those clients are not using all the tools or services they should to properly secure their AWS environment.

What are Some of the Built-In AWS Security Monitoring Tools?

So, what are the AWS security monitoring tools and services that organizations should consider in securing their AWS environment? Following is a list and description of the tools and services organizations should consider when securing their AWS cloud environment. As many organizations look to security frameworks to secure their environment, following the description of each AWS tool or service is a control criterion from the AICPA Trust Services Criteria for Security that the AWS tool aligns to when securing the environment in support of performing a SOC 2 audit:

  • AWS CloudTrail
  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon CloudWatch

Of course, there are many more AWS tools and services than those listed here, but these go a long way in securing IT resources within AWS.

AWS CloudTrail

What is AWS CloudTrail?

A key aspect of securing any environment is capturing, maintaining, and reviewing event logs. Event logs help organizations identify the who, what, where, and when of an event. AWS CloudTrail captures user activity and API calls throughout the AWS environment and classifies events into three types: Management events, Data events, and Insight events. By default, when an AWS account is created, Management events are recorded. Data events and Insight events must be explicitly enabled and configured before such activity is recorded.

Actions performed within the AWS account are recorded as events. An action can be performed by a user, role, or service. Event history within CloudTrail includes API and non-API activity made through the AWS console, AWS software development kit (SDK), command line, or other AWS services.
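Because only Management events are recorded by default, a useful audit check is to confirm which of the three event types each trail actually records. The following is an added example, not code from AWS or from the original article: the input dictionaries follow the shape of CloudTrail's GetEventSelectors and GetInsightSelectors responses, the trail names and sample data are constructed, and a trail with Insights turned off is assumed to be passed in as an empty `InsightSelectors` list.

```python
# Added example: report which CloudTrail event types each trail records.
# Sample trails are constructed for illustration, not real account data.

def _advanced_categories(selector):
    """Return the eventCategory values an advanced event selector matches."""
    cats = set()
    for fs in selector.get("FieldSelectors", []):
        if fs.get("Field") == "eventCategory":
            cats.update(fs.get("Equals", []))
    return cats

def recorded_event_types(event_selectors, insight_selectors):
    """Map each CloudTrail event type to True/False for one trail."""
    mgmt = data = False
    # Classic selectors: a management flag plus an optional DataResources list.
    for sel in event_selectors.get("EventSelectors") or []:
        mgmt = mgmt or sel.get("IncludeManagementEvents", False)
        data = data or any(r.get("Values") for r in sel.get("DataResources", []))
    # Advanced selectors: the category is a field selector on eventCategory.
    for sel in event_selectors.get("AdvancedEventSelectors") or []:
        cats = _advanced_categories(sel)
        mgmt = mgmt or "Management" in cats
        data = data or "Data" in cats
    insight = bool(insight_selectors.get("InsightSelectors"))
    return {"Management": mgmt, "Data": data, "Insight": insight}

def audit_gaps(trails):
    """Return {trail_name: [event types not recorded]} for trails with gaps."""
    gaps = {}
    for name, (selectors, insights) in trails.items():
        types = recorded_event_types(selectors, insights)
        missing = [t for t, on in types.items() if not on]
        if missing:
            gaps[name] = missing
    return gaps

SAMPLE_TRAILS = {  # constructed: one default-style trail, one fully configured
    "default-trail": (
        {"EventSelectors": [{"ReadWriteType": "All",
                             "IncludeManagementEvents": True, "DataResources": []}]},
        {"InsightSelectors": []}),
    "full-trail": (
        {"AdvancedEventSelectors": [
            {"Name": "mgmt", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]}]},
            {"Name": "s3-data", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
        {"InsightSelectors": [{"InsightType": "ApiCallRateInsight"}]}),
}
```

Calling `audit_gaps(SAMPLE_TRAILS)` flags only the default-style trail, which is the gap to look for when gathering evidence for CC7.2.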

The use of CloudTrail aligns with the following AICPA Trust Service Criteria for Security:

CC7.1: “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.”

CC7.2: “The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.”

AWS GuardDuty

What is Amazon GuardDuty?

Amazon GuardDuty is Amazon’s intelligent threat detection solution that gathers data from multiple sources. A few of the data sources are VPC flow logs, Amazon CloudTrail, DNS logs, and threat intelligence feeds. Using machine learning on the collected data, Amazon GuardDuty can identify malicious activity that otherwise might go unnoticed. Malicious activity findings are documented in detail with a classification from low to high. Additionally, AWS provides suggested actions to remediate the findings.

An additional feature of Amazon GuardDuty is that users can use additional AWS services to automatically respond to and remediate findings. Furthermore, Amazon GuardDuty can send findings to several popular event management and workflow systems, including Splunk, Sumo Logic, PagerDuty, JIRA, ServiceNow, and Slack.

The use of Amazon GuardDuty aligns with CC7.1 and CC7.2 of the AICPA Trust Service Criteria for Security as well as:

CC6.8: “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.”

AWS Inspector

What is Amazon Inspector?

Simply stated, Amazon Inspector is a vulnerability scanner for the AWS environment. Once enabled and running, Amazon Inspector automatically discovers resources (Amazon Elastic Compute Cloud (EC2) instances, container workloads, and Lambda functions) running within the AWS environment and begins scanning and assessing them continuously.

Amazon Inspector provides users with a list of findings that are rated using common vulnerabilities and exposures (CVE) factors. This allows users to prioritize, address, and remediate findings based on severity.

The AICPA Trust Services Criteria provide several points of focus that state vulnerability scanning of the Service Organization’s environment should be considered and performed periodically. However, we often see clients using AWS but not using Amazon Inspector or other solutions to regularly scan their environment for vulnerabilities. Turning on Amazon Inspector goes a long way in vulnerability management, furthering organizations’ compliance with the AICPA Trust Services Criteria.

The use of Amazon Inspector aligns with CC7.1 and CC7.2 of the AICPA Trust Service Criteria for Security.

AWS CloudWatch

What is Amazon CloudWatch?

Compliance with SOC and other security frameworks often requires organizations to monitor their environment for key metrics such as CPU utilization, memory, capacity, availability, and latency among other things. Many organizations use third-party tools (e.g., DataDog, New Relic, SolarWinds, etc.) to monitor their IT environment and alert IT personnel of issues. Once alerted, action can be taken to address or remediate the issues.

Amazon CloudWatch is a native tool within AWS that provides a means by which system health can be monitored. Amazon CloudWatch dashboards provide users with visuals, such as graphs, and metrics to easily understand the health of their AWS environments.

The use of Amazon CloudWatch aligns with CC7.1 and CC7.2 of the AICPA Trust Service Criteria for Security.

Summary

Many organizations use the AWS cloud environment believing they don’t have to focus on maintaining or running IT systems and resources, including the security of those resources. The reality is, the responsibility of securing IT resources within the AWS cloud is shared between both users and AWS. For example, AWS users don’t have to worry about securing data centers and implementing the associated physical and logical security controls. However, AWS users are responsible for ensuring administrator access to IT resources within their AWS environment is limited to authorized individuals.

Fortunately, Amazon provides tools and services for users to ease the burden of securing their environment. By using many of the tools and services native to AWS, AWS users can easily maintain compliance with a Service Organization Controls (SOC) audit and other security frameworks (e.g., HIPAA and HITRUST).
