AWS offers a variety of built-in security features that users can take advantage of, but it’s easy for users of all experience levels to get lost in the sea of options and metrics. In fact, in a November 2017 survey, we found that 73% of companies have critical AWS cloud security misconfigurations, and more than one-fourth (27%) were not taking advantage of AWS-native security services like CloudTrail. (Misconfigurations are considered critical if they reduce or eliminate visibility for security or compliance, if they can be leveraged in a direct or complex attack, or if they enable trivial attacks on an AWS console.)
As an AWS Advanced Security Competency Partner, Threat Stack integrates deeply into AWS to provide its customers with unprecedented visibility, more advanced security capabilities, and a cloud-native user experience. Threat Stack’s CloudTrail integration, for instance, bridges the visibility gap between your AWS services and the core systems running in your cloud, giving you automatic alerts about changes to your instances, security groups, S3 buckets, and access keys.
Visibility is essential for sound AWS security, and continuously monitoring your security metrics is a must. Still, while many users understand the importance of ongoing monitoring, many AWS security metrics go underutilized (or ignored). To gain more insight into these important, yet often overlooked security metrics, we reached out to a panel of AWS security experts and asked them to answer this question:
“What’s the most under-used / under-appreciated metric when it comes to AWS security?”
Meet Our Panel of AWS Security Experts:
Paul Ivanivsky
Cris Daniluk
Sherry Wei
Davy Hua
Brian Zambrano
Lenny Liebmann
Andrei Anisimov
Kumar Sambhav Singh
Ryan Kroonenburg
Mike Baker
Marty Burolla
Peter Ayedun
Uwe Weinkauf
Vivek Chugh
Marcus Turner
Fraser Gough
Marcus Bastian
Paul McGough
Lindsey Havens
Jamie Shields
Gregory Morawietz
Stacy Caprio
Read on to find out what our panel had to say about the important AWS security metrics you might be overlooking.

Paul Ivanivsky
@ivanivsky
Paul Ivanivsky is a Security Engineer at Threat Stack. Paul has extensive experience in pentesting, blue teaming, and DevSecOps. Prior to his days in security, he held a variety of engineering positions in website and network operations, and in aerospace as a satellite operations engineer.
“AWS CloudTrail can be used for much more than mere auditing and logging purposes to conduct forensic investigations and operationalize cloud security.”
Many cloud companies using AWS leverage CloudTrail in some capacity, but it’s rare that they’re taking advantage of its full capabilities. Popular use cases for CloudTrail include using it as a compliance aid and performing general auditing of the AWS Management Console and API calls. But it can also be leveraged as a powerful security tool. From a security perspective, it can be used to perform security analysis and automation, and highlight operational security issues. The event logs are very comprehensive, and the visibility CloudTrail provides can even help organizations investigate signs of malicious activity, such as data exfiltration and insider threats.

Cris Daniluk
@RhythmicTech
@crisdaniluk
Cris Daniluk leads Rhythmic Technologies, an innovative, compliance-oriented managed cloud and security services firm based in the Washington, D.C. area. Before founding Rhythmic, Cris was responsible for project management and business development at Claraview, where his work in securing projects worth over $100 million helped key the company’s acquisition by Teradata.
“The most underused metrics are CloudWatch metrics for tracking changes reported through CloudTrail…”
CloudWatch metrics on infrequently changing security-related configurations are simple to set up. Unlike most security events that are more often than not false positives, these are high-quality events that are always worth investigating.
We recommend everyone set up metric filters to alert on changes to account and IAM configuration at a minimum. It can also be helpful to set up metrics for changes to VPC configs, security groups, and ACLs when they’re made outside of your team’s business hours.
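The two answers above both come down to the same operation: take CloudTrail records, pick out the rare configuration changes (IAM and account settings always; VPC, security group and network ACL changes when they happen outside business hours) and raise them as high-quality events. The script below is an added example, not code from Threat Stack, Rhythmic or AWS. It applies that logic offline to a constructed batch of records written in CloudTrail's delivered JSON shape; the field names (eventTime, eventSource, eventName, awsRegion, userIdentity) are CloudTrail's own, while the account id, user names and the 09:00-18:00 UTC business-hours window are assumptions. The equivalent CloudWatch Logs metric filter for the IAM rule has the form `{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "AttachUserPolicy") }`; the business-hours condition is what a metric filter cannot express on its own, which is why a small post-processing step like this one is useful.

```python
"""Evaluate CloudTrail records the way a CloudWatch metric filter would.

Added example, not Threat Stack's, Rhythmic's or AWS's code. The batch below is
constructed in CloudTrail's delivered JSON shape ({"Records": [...]}); field
names are real, the values and the business-hours window are assumptions.
"""
import json
from datetime import datetime, timezone

# IAM and account-level changes: rare, high-signal, always worth investigating.
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "DeleteAccessKey",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateLoginProfile", "UpdateAccountPasswordPolicy", "DeactivateMFADevice",
}
# VPC, security group and network ACL changes: alert only outside business hours.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
    "CreateVpc", "DeleteVpc", "CreateRoute", "ModifyVpcAttribute",
}
BUSINESS_HOURS = (9, 18)  # assumed: 09:00-18:00 UTC, Monday to Friday

# Constructed CloudTrail batch; the account id and principals are made up.
# 2018-03-05 is a Monday, 2018-03-10 a Saturday.
CONSTRUCTED_BATCH = json.dumps({"Records": [
    {"eventTime": "2018-03-05T14:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-03-05T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2018-03-06T02:31:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
    {"eventTime": "2018-03-06T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-03-10T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})


def parse_time(event_time):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.hour < end


def actor(event):
    """Best available name for who made the call: user name, else role ARN, else type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def evaluate(event):
    """Return an alert dict for a security-relevant change, or None to drop the record."""
    name, when = event["eventName"], parse_time(event["eventTime"])
    if event["eventSource"] == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
        reason = "IAM/account configuration change"
    elif event["eventSource"] == "ec2.amazonaws.com" and name in NETWORK_CHANGE_EVENTS:
        if in_business_hours(when):
            return None  # routine change during the working day: metric only, no page
        reason = "network configuration change outside business hours"
    else:
        return None
    return {"time": event["eventTime"], "actor": actor(event), "event": name,
            "region": event["awsRegion"], "reason": reason}


def scan(batch_json):
    """Run every record of a delivered CloudTrail batch through evaluate()."""
    records = json.loads(batch_json)["Records"]
    return [alert for alert in map(evaluate, records) if alert]


if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_BATCH):
        print(f"{alert['time']} {alert['actor']} {alert['event']} ({alert['region']}): {alert['reason']}")
```

On the constructed batch, three records surface: the policy attachment, the security group change made at 02:31, and the network ACL entry created on a Saturday; the same security group change made at 14:05 on a weekday is counted but not alerted, which is the distinction Cris describes.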

Sherry Wei
@PMEssentials_US
Sherry Wei started Aviatrix in 2013 and has raised $25 million. Aviatrix’s goal is to make cloud networking as dynamic and easy as cloud computing and cloud storage. Prior to starting Aviatrix, she was senior architect at Huawei. She spent 13 years at Cisco as engineering manager. Sherry holds a Ph.D. from Purdue.
“The most under-used and under-appreciated metric in AWS security is…”
The amount of egress traffic leaving AWS VPCs that’s headed for unauthorized internet sites. The reason this metric is under-used is that internet-bound VPC egress traffic has been a blind spot for organizations with more than a few VPCs, typically due to restrictions on how that egress traffic could be managed. Filtering traffic based on specified IP addresses provided limited visibility or involved potentially costly deployment of a separate firewall for each VPC. However, networking solutions such as software-defined cloud routers that are purpose-built for AWS can help organizations gain visibility over this traffic, effectively eliminating the blind spot ― and allowing organizations to actually control their VPC egress traffic for the first time.

Davy Hua
@RealDavyHua
Davy Hua, Head of DevOps for ShiftLeft, has spent the past 17 years designing, building, and managing complex infrastructures and distributed systems architectures for both Fortune 500 enterprises and venture-backed startups. As an early adopter of the DevOps movement, his specialty is at the forefront and intersection of CI/CD and security.
“Proper attention given to the network I/O metric will add another effective tool in your AWS security practices…”
Monitoring the network I/O over a period of time will allow you to establish a baseline in order to gain a better understanding of the normal behavior of your application. This will help to isolate any anomalous spikes in network I/O traffic as an active and/or attempted attack when it cannot be correlated with a spike in normal visitor traffic.
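Sherry's metric (egress bytes to destinations you never authorized) and Davy's (network I/O measured against a baseline so that an unexplained spike stands out) can both be computed from VPC Flow Logs, which AWS already delivers without a separate firewall per VPC. The script below is an added example, not Aviatrix's or ShiftLeft's code. It parses a constructed flow log in the default version 2 record format, sums accepted bytes from VPC addresses to internet hosts outside an allowlist, and flags capture windows whose total egress exceeds a robust baseline (median plus three median absolute deviations) built from earlier windows. The VPC CIDR, the allowlist and the baseline history are assumptions standing in for your own ranges, approved destinations and past traffic.

```python
"""Measure VPC egress to unauthorized internet destinations and flag spikes.

Added example, not Aviatrix's or ShiftLeft's code. FLOW_LOG is constructed in
the default VPC Flow Logs (version 2) record format; VPC_CIDRS, the
AUTHORIZED_EGRESS allowlist and BASELINE_HISTORY are assumptions.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDRS = [ip_network("10.0.0.0/16")]             # assumed VPC address space
AUTHORIZED_EGRESS = [ip_network("203.0.113.0/24")]  # assumed approved external destinations
# Assumed baseline: accepted egress bytes per 60-second window for the previous ten windows.
BASELINE_HISTORY = [47000, 52000, 49500, 61000, 44000, 50500, 58000, 46500, 53000, 48000]

# Constructed flow log records. Field order (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 44312 443 6 120 48000 1520251200 1520251260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.7 44320 443 6 10 2100 1520251200 1520251260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 443 44312 6 130 190000 1520251200 1520251260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 51022 5432 6 60 9000 1520251200 1520251260 ACCEPT OK
2 111122223333 eni-0b2c3d4e5f6071829 10.0.2.40 203.0.113.10 50110 443 6 80 31000 1520251260 1520251320 ACCEPT OK
2 111122223333 eni-0b2c3d4e5f6071829 10.0.2.40 192.0.2.55 50222 4444 6 9000 12000000 1520251260 1520251320 ACCEPT OK
2 111122223333 eni-0b2c3d4e5f6071829 10.0.2.40 192.0.2.55 50223 4444 6 3 180 1520251320 1520251380 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1520251380 1520251440 - NODATA
"""


def parse_flow_log(text):
    """Parse records whose log-status is OK; NODATA/SKIPDATA records carry no traffic."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append({
            "eni": f[2], "src": ip_address(f[3]), "dst": ip_address(f[4]),
            "dstport": int(f[6]), "bytes": int(f[9]), "start": int(f[10]), "action": f[12],
        })
    return records


def is_internal(ip):
    # Membership in the known VPC CIDRs rather than ip.is_private: the ipaddress
    # module also classifies documentation ranges such as 203.0.113.0/24 as private.
    return any(ip in net for net in VPC_CIDRS)


def is_authorized(ip):
    return any(ip in net for net in AUTHORIZED_EGRESS)


def is_egress(r):
    """Accepted traffic that originates inside the VPC and leaves it."""
    return r["action"] == "ACCEPT" and is_internal(r["src"]) and not is_internal(r["dst"])


def unauthorized_egress(records):
    """Egress bytes to internet hosts outside the allowlist, keyed by (src, dst, port)."""
    totals = defaultdict(int)
    for r in records:
        if is_egress(r) and not is_authorized(r["dst"]):
            totals[(str(r["src"]), str(r["dst"]), r["dstport"])] += r["bytes"]
    return dict(totals)


def egress_per_window(records, window=60):
    """Total egress bytes per capture window, keyed by window start (epoch seconds)."""
    buckets = defaultdict(int)
    for r in records:
        if is_egress(r):
            buckets[r["start"] // window * window] += r["bytes"]
    return dict(sorted(buckets.items()))


def spikes(series, history=BASELINE_HISTORY, k=3.0):
    """Windows whose egress exceeds median(history) + k * MAD(history)."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0  # guard a flat baseline
    return {t: b for t, b in series.items() if b > med + k * mad}


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    for key, n in unauthorized_egress(recs).items():
        print("unauthorized egress", key, n, "bytes")
    for t, n in spikes(egress_per_window(recs)).items():
        print("egress spike at", t, n, "bytes")
```

Two details matter in practice. First, "internal" is decided by membership in your VPC CIDRs, not by the ipaddress module's `is_private`, which would also hide the 192.0.2.0/24 destination used in the sample. Second, the spike detector uses the median and MAD rather than mean and standard deviation, so a single huge transfer in the history does not raise the threshold enough to mask the next one.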

Brian Zambrano
@brianzambrano
@very_possible
As a Senior Engineer & Cloud Architecture Practice Lead at Very, Brian Zambrano works with clients to build products that leverage serverless architecture and blockchain technologies. Brian holds two patents for his work in social event recommendations systems and authored the book Serverless Design Patterns and Best Practices, which was published by Packt Publications.
“The most under-appreciated metric in AWS security is…”
The number of stale IAM credentials/users with admin access. That’s the most concerning thing I’ve noticed outside of security groups ― the number of IAM users/credentials that are just floating out there unused, potentially there for bad actors to find and exploit. Once a person has admin access, they can do a lot of damage.

Lenny Liebmann
@lennyliebmann
Lenny Liebmann has been living at the intersection of business and technology for more than 30 years. After graduating from Yale in 1979, he worked for AT&T Bell Laboratories during its heyday as a hotbed of innovation. He then began an independent practice that sucked him into the vortex of every successive revolution in IT ― from distributed computing, the internet and convergence to mobile, social, Big Data, and cloud. Nowadays, he stays busy writing, moderating, speaking, consulting, and doing research for a diverse clientele.
“SecOps leaders generally don’t pay enough attention to…”
The risk associated with the morale of their staff. We tend to think of a metric as narrowly referring to numbers we can easily capture from our existing instrumentation. But of course that just means you’re managing to what’s easy to measure ― not to what most affects your desired outcome. However, if your people are unhappy, it’s not going to matter much what kinds of tools and processes you have in place. They won’t be used correctly or with the necessary passion.

Andrei Anisimov
@8baseinc
Andrei Anisimov is the Vice President of Technology at 8base, an application development platform and ecosystem that leverages blockchain technology to allow software teams to collaborate all over the world. Andrei is an experienced tech leader with a background in development for several industries and international markets. He wrote his first code at the age of 9 and won the Regional Programming Olympics in Russia at 15.
“Surprisingly, from our experience, many attack vectors don’t come from sophisticated zero-day vulnerabilities…”
Rather, they have to do with basic mismanagement of logins and API keys. For example, it is not uncommon for developers to accidentally commit secret API keys into an open source GitHub repository. Hackers run automated scripts, routinely scraping AWS keys from GitHub repos in order to execute malicious activities inside captive AWS accounts. It became so common that AWS had to implement a mechanism to notify users when their keys were exposed in a public GitHub repository. When it comes to logins, admins often fail to enable multi-factor authentication and password expiration/complexity requirements. These are well-known security practices. As such, API key lifecycle management, password complexity, and mandatory multi-factor authentication are all important metrics to consider when evaluating AWS security.

Kumar Sambhav Singh
@Mantra_Labs
Kumar, CTO at Mantra Labs, is an expert on the latest technologies like cloud computing (using AWS and Azure), blockchain, and artificial intelligence.
“Protection of data at rest is one of the most ignored aspects of security…”
AWS ensures the security of data centers, but data encryption safeguards against any risk of data theft. AWS always said that it is responsible for security of the cloud, but that security in the cloud is the user’s responsibility. Data in motion is already protected by AWS, but protecting data at rest ― RDS, EBS, S3, Amazon Glacier, Amazon DynamoDB, Amazon EMR ― with data encryption is one of the most under-used capabilities. One of the main reasons for this ignorance is that a different mechanism or methodology has to be followed for data security.

Ryan Kroonenburg
@KroonenburgRyan
Ryan Kroonenburg is the Founder and Chairman of the Board at A Cloud Guru, the place to go and learn AWS. They have over 50,000 students and tons of courses including all 5 certification courses.
“The most under-observed security metric is…”
Your number of publicly accessible S3 buckets: That number should be zero. S3 buckets are private by default, and you have to take explicit steps to allow public, unauthenticated access. If you have questions about the security of your S3 buckets, you should run AWS Trusted Advisor’s free S3 Bucket Permissions Check, which identifies S3 buckets that are publicly accessible due to Access Control Lists or policies that allow read/write access for any user.
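The Trusted Advisor check Ryan mentions looks for two things: ACL grants to the AllUsers or AuthenticatedUsers groups, and bucket policies that allow actions to an anonymous principal. The script below is an added example, not A Cloud Guru's or AWS's code, that applies the same two tests offline so the metric ("number of public buckets, which should be zero") can be computed from exported configuration. The ACLs and policies are constructed in the shapes returned by `aws s3api get-bucket-acl` and `get-bucket-policy` (the latter returns the policy as a JSON string); the bucket names, owner id and VPC endpoint id are made up.

```python
"""Count S3 buckets reachable through a public ACL grant or an anonymous bucket policy.

Added example, not A Cloud Guru's or AWS's code. BUCKETS is constructed in the
shapes of `aws s3api get-bucket-acl` / `get-bucket-policy` output; names and ids
are made up.
"""
import json

# The two predefined S3 groups that make an ACL grant public. The URIs are AWS's own.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "public (anyone)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}  # constructed

def _acl(*extra_grants):
    """Build an ACL whose first grant is the owner's FULL_CONTROL, as S3 returns it."""
    owner_grant = {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}
    return {"Owner": OWNER, "Grants": [owner_grant, *extra_grants]}

WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-website-assets/*"}]})
PARTNER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-partner-share", "arn:aws:s3:::example-partner-share/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

# Constructed inventory: (bucket name, ACL, bucket policy JSON or None).
BUCKETS = [
    ("example-private-logs", _acl(), None),
    ("example-website-assets",
     _acl({"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
           "Permission": "READ"}), WEBSITE_POLICY),
    ("example-uploads",
     _acl({"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
           "Permission": "WRITE"}), None),
    ("example-partner-share", _acl(), PARTNER_POLICY),
]


def acl_public_grants(acl):
    """Findings for grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant['Permission']} to {label}")
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (in either string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json):
    """Findings for Allow statements addressed to everyone; conditional ones are flagged for review."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow" or not _principal_is_everyone(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        qualifier = " (limited by Condition, review it)" if "Condition" in s else ""
        findings.append(f"policy statement {s.get('Sid', '<no Sid>')} allows "
                        f"{', '.join(actions)} to everyone{qualifier}")
    return findings


def audit(buckets):
    """Map each bucket with at least one public path to its findings."""
    report = {}
    for name, acl, policy in buckets:
        findings = acl_public_grants(acl) + (policy_public_statements(policy) if policy else [])
        if findings:
            report[name] = findings
    return report


def public_bucket_count(buckets):
    """Ryan's metric; the target value is zero."""
    return len(audit(buckets))


if __name__ == "__main__":
    for name, findings in audit(BUCKETS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("public buckets:", public_bucket_count(BUCKETS))
```

The conditional statement in the last bucket is reported rather than ignored on purpose: a policy that is open to everyone but restricted by a condition is only as safe as that condition, and Trusted Advisor's own check treats any-principal policies as a finding. In practice this offline check complements, rather than replaces, the account-level S3 Block Public Access setting.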

Mike Baker
@Mosaic451
Mike Baker is the Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending some of the most secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
“Keeping your AWS environment safe from hackers is entirely manageable…”
Barely a day goes by without news of yet another breach of an AWS S3 bucket, but these breaches are preventable. AWS is a powerful and highly secure cloud environment, but it must be configured and maintained properly. The most careless of mistakes that many companies make is not knowing what they are doing with default settings and not knowing what d