Securing AWS using a SIEM tool

AWS security considerations

Rapidly increasing cloud adoption over the last decade has transformed IT. Amazon Web Services (AWS) is the most widely used cloud computing platform; organizations rely on AWS for a wide range of cloud-based services that are essential for their day-to-day operations. While cloud infrastructures such as AWS provide tremendous benefits, they also pose new security challenges that IT teams have to deal with.

For starters, it's more challenging to monitor security incidents on the cloud than on the corporate network. It's particularly difficult to effectively track user activities on the cloud. Just as they do in on-premises environments, users in your organization interact with sensitive data and resources on the cloud. However, security monitoring on cloud platforms is often overlooked, putting organizations at risk for breaches and downtime. What if a malicious actor tampers with your AWS infrastructure? What if they modify or delete an S3 bucket?

The importance of AWS logs and SIEM

Logs generated by your AWS infrastructure provide crucial details about the various activities occurring on the platform; these include login activity, S3 bucket changes, security group changes, and more. The audit trail helps you identify security events of interest at an early stage to ensure swift mitigation of incidents.

Maintaining the audit trail is an integral component of IT compliance. By keeping track of the audit trail, you will not only gain visibility into what is occurring in your AWS platform, but also spot suspicious events that might indicate a possible attack. If an incident is detected, you can go through the logs in order to backtrack the incident and uncover its root cause.

A security information and event management (SIEM) solution can centralize and analyze logs from your AWS platform along with logs from other components in your network. Using a SIEM solution, you can gain actionable intelligence from your logs. This is why a SIEM solution is the preferred way to monitor and secure your on-premises and cloud infrastructures from a single console.

Areas to monitor

Identify the services in your AWS account that need to be monitored and secured. Below is a non-exhaustive list of events you need to watch out for. Track these events by scheduling reports, which also helps you meet compliance requirements. In addition, set up alerts that fire when indicators of compromise (IoCs) are detected.

  • EC2 activities: Monitor activities such as addresses assigned/unassigned, and important changes such as those made to network interface configurations.
  • User actions: Track actions performed by individual users such as logons and configuration changes. Be sure to track both successful and failed events.
  • IAM activity: Report on users and groups. Trigger alerts for unauthorized actions.
  • Virtual private cloud (VPC) activities and changes: These help in quickly troubleshooting issues.
  • File changes: Keep tabs on file requests, including accesses, creations, deletions, and modifications to ensure that the integrity of data is not compromised.
  • Traffic analysis: Track traffic based on the IP address, file, and method. Focus on Elastic Load Balancing (ELB) traffic to monitor access and latency trends.
  • Web application firewall (WAF): Validate critical changes made to WAF settings such as rules, IP sets, and ACLs. Unchecked changes can jeopardize your security policy.
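The following is an added example, not code from ManageEngine or from Log360, showing what the detection logic behind the list above looks like when written against raw AWS CloudTrail records. It assumes the standard CloudTrail record layout (eventSource, eventName, userIdentity, sourceIPAddress, responseElements, errorCode) and runs over a small set of constructed sample records; the rule categories, the event-name sets, and the failed-login threshold are this example's own choices, not product settings.

```python
"""Rule-based triage of AWS CloudTrail records: S3 bucket changes, EC2/security
group changes, IAM changes, WAF changes, unauthorized (AccessDenied) actions, and
bursts of failed console logins from one source IP.

Added example; not ManageEngine/Log360 code. Sample records below are constructed.
"""
import json
from collections import Counter

# Event names are real CloudTrail eventName values; the groupings are this example's.
S3_CHANGES = {"DeleteBucket", "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl"}
EC2_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
               "RevokeSecurityGroupIngress", "ModifyNetworkInterfaceAttribute",
               "AssociateAddress", "DisassociateAddress"}
IAM_CHANGES = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
               "PutUserPolicy", "AddUserToGroup"}
WAF_CHANGES = {"UpdateWebACL", "UpdateIPSet", "UpdateRuleGroup", "DeleteWebACL"}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold; tune for your environment


def actor(record):
    """Best-effort principal name from userIdentity: userName, else ARN, else type."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def classify(record):
    """Map one CloudTrail record to a finding category, or None if not of interest.
    AccessDenied is checked first so a denied IAM change is reported as unauthorized
    rather than as a successful IAM change."""
    src = record.get("eventSource", "")
    name = record.get("eventName", "")
    if record.get("errorCode") == "AccessDenied":
        return "unauthorized-action"
    if src == "s3.amazonaws.com" and name in S3_CHANGES:
        return "s3-bucket-change"
    if src == "ec2.amazonaws.com" and name in EC2_CHANGES:
        return "ec2-network-change"
    if src == "iam.amazonaws.com" and name in IAM_CHANGES:
        return "iam-change"
    if src.startswith("waf") and name in WAF_CHANGES:  # waf, waf-regional, wafv2
        return "waf-change"
    return None


def analyze(records):
    """Return a list of findings: one per matching record, plus one per source IP
    whose failed ConsoleLogin count reaches FAILED_LOGIN_THRESHOLD."""
    findings = []
    failed_logins = Counter()
    for rec in records:
        category = classify(rec)
        if category:
            findings.append({"category": category, "actor": actor(rec),
                             "event": rec.get("eventName"),
                             "source_ip": rec.get("sourceIPAddress")})
        resp = rec.get("responseElements") or {}  # null for many read-only events
        if rec.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            failed_logins[rec.get("sourceIPAddress")] += 1
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"category": "failed-login-burst", "actor": None,
                             "event": f"{count} failed ConsoleLogin", "source_ip": ip})
    return findings


def load_cloudtrail(text):
    """Parse the {"Records": [...]} JSON layout that CloudTrail delivers to S3."""
    return json.loads(text).get("Records", [])


def _login(ip, outcome):
    return {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample records (documentation IP ranges; not real telemetry).
SAMPLE_RECORDS = [
    _login("203.0.113.7", "Failure"), _login("203.0.113.7", "Failure"),
    _login("203.0.113.7", "Failure"), _login("198.51.100.5", "Success"),
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.5", "responseElements": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "responseElements": None},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "responseElements": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.3", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateUser"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",  # benign read
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.5", "responseElements": None},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Running the script prints five findings: the bucket deletion, the security group change, the WAF ACL change, the denied IAM call, and a failed-login burst from 203.0.113.7; the single GetObject read produces nothing. A SIEM applies the same kind of rules at scale, but the two design points carry over: evaluate error codes before success-path rules so denied attempts are never mis-filed as changes, and count failed logins per source so one noisy record does not drown out a pattern.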

ManageEngine Log360: A comprehensive SIEM solution

ManageEngine Log360 is a comprehensive SIEM solution that provides out-of-the-box log support for the AWS platform. You can easily configure the solution to start processing logs from AWS in just a few clicks.

  • Get access to intuitive dashboards that provide a high-level overview of security events happening on AWS.
  • Generate and schedule granular, out-of-the-box reports to track a wide range of security events, including the ones mentioned in the above section.
  • Set up alerts for a wide range of indicators of compromise (IoCs) to detect attacks at an early stage.
  • Use the robust search engine to extract important information during a forensic investigation.

Interested in securing your AWS platform with a SIEM solution? Try Log360 now for free!