Comprehensive AWS monitoring and security with EventLog Analyzer

Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon. It offers a wide range of services including computing power, storage options, and networking, which are essential for running various applications and websites.

ManageEngine EventLog Analyzer, a robust log management tool, audits AWS logs to help ensure the platform's optimal performance, health, and security.

This tutorial outlines various use cases for monitoring and securing AWS environments using EventLog Analyzer. To effectively monitor and secure your AWS infrastructure with EventLog Analyzer, you must first enable logging in AWS and add the AWS logs to EventLog Analyzer for monitoring.

AWS performance and health monitoring using EventLog Analyzer: Use cases

EventLog Analyzer addresses the following AWS monitoring use cases with its security auditing reports. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.

AWS component: EC2
Use case: EC2 Instance State Monitoring
Description: Monitor the state changes of EC2 instances and track key pair activities.
Why implement? Ensure the optimal performance and operational status of EC2 instances.
Available reports:
  • Recent EC2 Instance State Changes
  • Recent Key Pair Activity
  • Recently Assigned Addresses
  • Recently Unassigned Addresses
  • Recent Network Interface Configuration Changes
  • Recent Elastic IP Address Activity

AWS component: S3
Use case: S3 Bucket Activity Monitoring
Description: Track all activities related to AWS S3 buckets, including accesses, modifications, and deletions.
Why implement? Prevent unauthorized access and ensure data integrity and security.
Available reports:
  • All S3 Bucket Activity
  • Recently Modified Buckets
  • Recently Deleted Buckets
  • Recently Accessed Files
  • Recently Deleted Files
  • Recently Created Or Modified Files

AWS component: IAM
Use case: IAM User Activity Monitoring
Description: Audit IAM activities including user logins, authorization failures, and policy changes.
Why implement? Ensure compliance with security policies and detect unauthorized changes.
Available reports:
  • Recent IAM User Activities
  • Recent IAM Unauthorized Activities
  • IAM User Report
  • IAM Group Report
  • IAM Role Report
  • IAM Policy Report

AWS component: Auto Scaling
Use case: Auto Scaling Activity Monitoring
Description: Track the activity and performance of Auto Scaling groups, including instance and load balancer attachments.
Why implement? Ensure efficient scaling and resource utilization.
Available reports:
  • Recent Auto Scaling Error Events
  • Recently Attached Auto Scaling Instances
  • Recently Detached Auto Scaling Instances
  • Recently Attached Load Balancers
  • Recently Detached Load Balancers

AWS component: Route 53
Use case: Route 53 DNS Activity Monitoring
Description: Track changes and activities in Route 53, including hosted zone and resource record set changes.
Why implement? Ensure DNS configuration is managed correctly and changes are tracked.
Available reports:
  • Recently Failed Route 53 Events
  • Route 53 Activity
  • Recent Hosted Zone Configuration Changes
  • Recently Changed Resource Record Sets
  • Recent Traffic Policy Configuration Changes
  • Recent Traffic Policy Instance Configuration Changes
  • Recent Domain Configuration Changes

Securing an AWS environment using EventLog Analyzer: Use cases

The following table provides details on the threat detection scenarios available for an AWS environment in EventLog Analyzer. Moreover, our solution offers a flexible correlation rule builder, enabling users to create their own detection rules.

Use case: Unauthorized access attempts
Description: Detect and prevent unauthorized access attempts to AWS resources by monitoring failed logins and authorization failures.
Why implement? Protect sensitive data and prevent compromised accounts from causing security incidents.
Available detection alerts and correlation rules:
  • Failed Access Requests: Identifies users attempting to access AWS resources without sufficient permissions, signaling potential brute-force attacks or misconfiguration issues.
  • Authorization Failures: Highlights actions explicitly denied due to insufficient permissions, helping detect privilege escalation attempts or compromised accounts.
  • Login Failures: Tracks repeated failed logins to identify brute-force attacks or unusual login behavior, such as access attempts during odd hours.

Use case: Insider threats
Description: Keeps track of user activities to uncover deliberate or accidental actions that compromise cloud security.
Why implement? Detects and mitigates risks from insider threats before they escalate.
Available detection alerts and correlation rules:
  • User Activity: Tracks all user actions to identify suspicious behavior, such as unauthorized access or unusual modifications, indicating potential insider threats.
  • Failed Events by User: Monitors failed user operations, helping detect malicious attempts or errors that could signal insider risks.
  • IAM User Activities: Captures IAM user actions such as policy changes or key usage, uncovering unauthorized activities or deviations from normal behavior linked to insider threats.

Use case: Account hijacking
Description: Detects attempts to compromise accounts.
Why implement? Protects against account takeovers that could compromise cloud resources.
Available detection alerts and correlation rules:
  • Failed Logins & Login Failures: Detect repeated or abnormal login failures, indicating brute-force attacks or unauthorized access attempts.
  • Access Key Report: Monitors unusual usage of access keys, identifying potential compromise through unauthorized activity.
  • AssumeRole Requests & Federation Token Requests: Track abnormal role assumption and token requests, revealing privilege escalation attempts or misuse of federated access.
Together, these alert profiles help detect account hijacking attempts by monitoring failed access attempts, misuse of credentials, and anomalous role or token usage.

Use case: Privilege escalation
Description: Monitors activities that attempt to escalate privileges.
Why implement? Prevents unauthorized access to critical resources and mitigates insider threats.
Available detection alerts and correlation rules:
  • IAM Unauthorized Activities: Tracks attempts to perform actions without sufficient permissions, signaling potential privilege escalation.
  • IAM User Report: Monitors user activities to identify unauthorized actions or unusual behavior indicating privilege misuse.
  • IAM Role Report: Highlights role modifications or unauthorized role assignments that could escalate privileges.
  • MFA Report: Detects suspicious changes to MFA configurations, which are often targeted during privilege escalation attempts.
Together, these alert profiles give a comprehensive view of the activities that could lead to unauthorized privilege escalation, enabling swift detection and response.
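As an added example (not EventLog Analyzer's own code or correlation-rule syntax), the following Python script implements the three "Unauthorized access attempts" signals from the table above as detection logic over a handful of constructed CloudTrail-style records: repeated failed console logins per user and source address inside a sliding time window, a per-principal count of API calls that ended in an access-denied error, and successful console logins outside business hours. The record field names (eventName, errorCode, responseElements.ConsoleLogin, userIdentity.userName, sourceIPAddress) follow CloudTrail's record format; the sample values, the thresholds and the 07:00 to 19:00 UTC business-hours window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Error codes CloudTrail records for authorization failures
# (AccessDenied for most services, Client.UnauthorizedOperation for EC2).
DENY_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def _event(time, name, user, ip, source="signin.amazonaws.com", **extra):
    """Build a constructed CloudTrail-style record (all values are invented)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "userName": user}}
    ev.update(extra)
    return ev


# Constructed sample log: four failed console logins for alice within four minutes,
# then a success at 02:05 UTC; one isolated failure for bob; six AccessDenied S3
# calls by carol; one UnauthorizedOperation EC2 call by dave.
SAMPLE_EVENTS = (
    [_event(f"2024-03-01T02:0{i}:00Z", "ConsoleLogin", "alice", "203.0.113.10",
            responseElements={"ConsoleLogin": "Failure"}) for i in range(4)]
    + [_event("2024-03-01T02:05:00Z", "ConsoleLogin", "alice", "203.0.113.10",
              responseElements={"ConsoleLogin": "Success"})]
    + [_event("2024-03-01T10:00:00Z", "ConsoleLogin", "bob", "198.51.100.7",
              responseElements={"ConsoleLogin": "Failure"})]
    + [_event(f"2024-03-01T10:{10 + i}:00Z", "ListBuckets", "carol", "198.51.100.9",
              source="s3.amazonaws.com", errorCode="AccessDenied") for i in range(6)]
    + [_event("2024-03-01T11:00:00Z", "RunInstances", "dave", "198.51.100.9",
              source="ec2.amazonaws.com", errorCode="Client.UnauthorizedOperation")]
)


def _when(ev):
    """Parse CloudTrail's UTC timestamp into an aware datetime."""
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(ev):
    """Best available identity label for the calling principal."""
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _is_console_login(ev, outcome):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == outcome)


def detect_login_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Login Failures: flag each (user, source IP) pair whose failed console
    logins reach `threshold` inside any sliding window of length `window`."""
    times = defaultdict(list)
    for ev in events:
        if _is_console_login(ev, "Failure"):
            times[(_principal(ev), ev.get("sourceIPAddress"))].append(_when(ev))
    findings = []
    for (user, ip), ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):  # two-pointer sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"user": user, "source_ip": ip, "failures_in_window": best,
                             "last_seen": ts[-1].isoformat()})
    return findings


def detect_authorization_failures(events, threshold=5):
    """Authorization Failures: count API calls that ended in an access-denied
    error per principal and flag principals at or above `threshold`."""
    counts = defaultdict(lambda: {"denied": 0, "actions": set()})
    for ev in events:
        if ev.get("errorCode") in DENY_CODES:
            entry = counts[_principal(ev)]
            entry["denied"] += 1
            entry["actions"].add(f'{ev.get("eventSource")}:{ev.get("eventName")}')
    return [{"user": user, "denied": c["denied"], "actions": sorted(c["actions"])}
            for user, c in counts.items() if c["denied"] >= threshold]


def detect_off_hours_logins(events, business_hours=range(7, 19)):
    """Unusual login behaviour: successful console logins whose UTC hour lies
    outside the assumed business-hours window."""
    return [{"user": _principal(ev), "source_ip": ev.get("sourceIPAddress"),
             "time": ev["eventTime"]}
            for ev in events
            if _is_console_login(ev, "Success") and _when(ev).hour not in business_hours]


def run_detections(events):
    """Run all three detections and return the findings keyed by signal name."""
    return {"login_failures": detect_login_failures(events),
            "authorization_failures": detect_authorization_failures(events),
            "off_hours_logins": detect_off_hours_logins(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the script reports alice's four failures from 203.0.113.10 and her off-hours success, and carol's six denied S3 calls; bob's single failure and dave's single denied call stay below the thresholds. In a SIEM the same logic would key on the normalized source address and principal fields rather than on the raw record, and the window and thresholds would be tuned per account.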

Compliance

Ensuring compliance with data security and privacy regulations is a critical priority for organizations leveraging AWS. This section explores how robust monitoring practices can be implemented for your AWS environment, allowing you to address specific compliance requirements and maintain a secure cloud infrastructure.

Compliance requirement: Solution mapping for AWS environments
Each entry below lists the EventLog Analyzer reports and alerts, the corresponding detection rules, and the regulatory mandates and requirements they map to.

Reports and alerts: IAM Errors; IAM User Activities; IAM Unauthorized Activities; IAM User Report; IAM Group Report; IAM Role Report; IAM Policy Report; MFA Report; Access Key Report
Detection rules: IAM Errors; IAM User Activities; IAM Unauthorized Activities; AWS IAM User Report; IAM Group Report; IAM Role Report; IAM Policy Report
Regulatory mandates and requirements:
  • FISMA: Access Control (AC); Identification and Authentication (IA)
  • PCI DSS: PCI DSS requirements 10.1
  • SOX: SEC 302 (a) (4) (D)
  • HIPAA: 164.308 (a) (1) (ii) (D)
  • GLBA: Section 314.4(b)(3); Section 314.4(c); Section 501B (1); Section 501B (2) & (3)
  • ISO 27001:2013: Control A 12.4.2
  • GPG: Business Traffic Crossing a Boundary (PMC Rule 2); Suspicious Internal Network Activity (PMC Rule 5)
  • ISLP: ARTICLE 16.3; ARTICLE 20.2; ARTICLE 20.3; ARTICLE 30.6
  • GDPR: GDPR ARTICLE 5 (1B); GDPR ARTICLE 5 (1F); GDPR ARTICLE 32 (2)
  • NRC: ACT B.1.2; ACT C.2.2; ACT C.11.6
  • Cyber Essentials: Secure Configuration; User Access Control
  • COCO: Authentication and Access Control
  • CCPA and CPRA: Section 1798.150.(a)
  • PDPA: RULE VI Section 25; RULE VII Section 30
  • CMMC: C001 - AC.1.001; C007 - AU.2.041; C013 - CM.2.061; C015 - IA.1.076

Reports and alerts: AWS Error events; AWS Login Failures; AWS Authorization Failures
Detection rules: AWS Config Errors
Regulatory mandates and requirements:
  • PCI DSS: PCI DSS requirements 10.2.1; PCI DSS requirements 10.2.2; PCI DSS requirements 10.2.3
  • SOX: SEC 302 (a) (4) (D)
  • HIPAA: 164.308 (a) (3) (ii) (A)
  • GLBA: Section 314.4(b)(1); Section 314.4(b)(3); Section 314.4(c); Section 501B (1); Section 501B (2) & (3)
  • ISO 27001:2013: Control A 9.4
  • GPG: Business Traffic Crossing a Boundary (PMC Rule 2); Suspicious Internal Network Activity (PMC Rule 5); Reporting on The Status of The Audit System (PMC Rule 10)
  • ISLP: ARTICLE 16.3; ARTICLE 20.3
  • GDPR: GDPR ARTICLE 5 (1B)
  • Cyber Essentials: Secure Configuration
  • COCO: 2.Authentication and Access Control
  • CCPA and CPRA: Section 1798.150.(a)
  • NERC: CIP 005-6 R1.3

Reports and alerts: Security Group Configuration Changes; Network ACL Changes
Detection rules: Network ACL Changes; Web ACL Configuration Changes
Regulatory mandates and requirements:
  • FISMA: Configuration Management (CM)
  • PCI DSS: PCI DSS requirements 10.2.3
  • SOX: SEC 302 (a) (6)

Reports and alerts: VPC Changes; Network Gateway Changes; VPC Endpoint Changes; VPC Route Table Changes; VPC Route Changes
Detection rules: VPC Changes; VPC Endpoint Changes; VPC Route Table Changes; VPC Route Changes
Regulatory mandates and requirements:
  • SOX: SEC 302 (a) (4) (C)
  • HIPAA: 164.306 (a) (1) (i); 164.308 (a) (1) (ii) (D)
  • ISO 27001:2013: Control A 12.4.1; Control A 12.4.2
  • GPG: Suspicious Internal Network Activity (PMC Rule 5); Reporting on The Status of The Audit System (PMC Rule 10)
  • ISLP: ARTICLE 12; ARTICLE 13; ARTICLE 19.3; ARTICLE 20.5
  • GDPR: GDPR ARTICLE 32 (2)

Reports and alerts: WAF Error Events; WAF Rule Changes; IP Set Configuration Changes; SQL Injection Match Set Changes; Web ACL Configuration Changes
Detection rules: WAF Error Events; WAF Rule Changes
Regulatory mandates and requirements:
  • FISMA: Configuration Management (CM)
  • PCI DSS: PCI DSS requirements 1.1; PCI DSS requirements 10.1; PCI DSS requirements 10.2.3
  • SOX: SEC 302 (a) (4) (C)
  • HIPAA: 164.306 (a) (1) (i)
  • GLBA: Section 314.4(c)
  • ISO 27001:2013: Control A 12.4.1; Control A 13.1.1; Control A 13.1.3
  • GPG: Recording on Internal Workstation, Server or Device Status (PMC Rule 4); Suspicious Internal Network Activity (PMC Rule 5); Reporting on The Status of The Audit System (PMC Rule 10)
  • ISLP: ARTICLE 18.1; ARTICLE 20.1

Reports and alerts: STS Error Events; AssumeRole Requests; Federation Token Requests; Session Token Requests
Detection rules: none listed
Regulatory mandates and requirements:
  • SOX: SEC 302 (a) (4) (D)

Reports and alerts: AWS Config Errors; AWS Config Rules Changes; AWS Configuration Recorder Activity
Detection rules: AWS Config Errors
Regulatory mandates and requirements:
  • FISMA: Configuration Management (CM)
  • PCI DSS: PCI DSS requirements 10.2.3

Reports and alerts: EC2 Instance State Changes; Key Pair Activity; AWS Assigned Addresses; AWS Unassigned Addresses; Network Interface Configuration Changes; Elastic IP Address Activity
Detection rules: EC2 Instance State Changes
Regulatory mandates and requirements:
  • FISMA: Configuration Management (CM)
  • PCI DSS: PCI DSS requirements 10.1

Reports and alerts: RDS Error Events; DB Security Group Configuration Changes; RDS Instance Activity; DB Cluster Activity; DB Snapshot Activity
Detection rules: RDS Error Events; RDS Instance Activity
Regulatory mandates and requirements:
  • FISMA: Audit and Accountability (AU); Configuration Management (CM)
  • HIPAA: 164.306 (a) (1) (i); 164.308 (a) (1) (ii) (D)
  • GLBA: Section 314.4(c); Section 501B (1)
  • ISO 27001:2013: Control A 12.4.1; Control A 13.1.1; Control A 13.1.3
  • GPG: Recording on Internal Workstation, Server or Device Status (PMC Rule 4)
  • ISLP: ARTICLE 18.1
  • GDPR: GDPR ARTICLE 5 (1B); GDPR ARTICLE 5 (1D); GDPR ARTICLE 5 (1F); GDPR ARTICLE 32 (1B)
  • Cyber Essentials: Secure Configuration
  • COCO: 1.B.Secure Configuration

Reports and alerts: Failed Route 53 Events; Route 53 Activity; Hosted Zone Configuration Changes; Changed Resource Record Sets; Traffic Policy Configuration Changes; Traffic Policy Instance Configuration Changes; AWS Domain Configuration Changes
Detection rules: Failed Route 53 Events; Route 53 Activity
Regulatory mandates and requirements:
  • FISMA: Configuration Management (CM)
  • PCI DSS: PCI DSS requirements 10.1
  • HIPAA: 164.306 (a) (1) (i)
  • GLBA: Section 314.4(c)
  • ISO 27001:2013: Control A 12.4.1; Control A 13.1.1; Control A 13.1.3
  • GPG: Business Traffic Crossing a Boundary (PMC Rule 2); Suspicious Internal Network Activity (PMC Rule 5); Reporting on The Status of The Audit System (PMC Rule 10)
  • ISLP: ARTICLE 18.1; ARTICLE 20.1
  • GDPR: GDPR ARTICLE 32 (2)
  • NRC: ACT B.1.7; ACT B.1.11; ACT B.1.15
  • Cyber Essentials: Secure Configuration
  • NERC: 1.B.Secure Configuration; 1.D.Protective monitoring and intrusion detection
  • CCPA and CPRA: Section 1798.105 (c) (2)