Given that misconfigurations contribute to a fair share of cloud breaches, it is vital to keep tabs on your cloud environments. Cloud environments are rarely static, especially since most of us adopt cloud for the elasticity and flexibility it provides. Logging and monitoring provide an easy way to gain insight into your ever-changing cloud landscape.

Security teams need to keep an eye on a range of events, from new VM instances spun up in the cloud to VPC network changes and more. Some of these are runtime changes (such as a new VM instance), while others are more fundamental (such as VPC network changes). The latter matter mostly from an audit angle, to track configuration changes.

Most cloud providers offer logging and monitoring capabilities. The Center for Internet Security (CIS) has already taken note of this and included a battery of tests focused on “Logging and Monitoring” in its CIS Benchmarks for cloud.

The terms logging and monitoring are used in tandem, so it is worth understanding what each of them means. Logging is the practice of managing all of the log data produced by your cloud infrastructure. This comprises capturing the logs, aggregating them, storing and archiving them, protecting their security and privacy, and enriching and analyzing them. Monitoring is the process of observing and checking progress or quality over a period of time.

Let us consider “Logging and Monitoring” CIS benchmark tests for Google Cloud Platform. These are as follows:

Next, you configure log-metric filters and alerts for the various aspects listed below.

Note that configuring a log-metric filter and alert is essentially a two-step process on Google Cloud Platform:

  1. Create a log-based metric with the required filter.
  2. Create an alert policy based on the metric defined in step 1.

Along similar lines, the CIS Benchmark includes the following checks for Azure:

For AWS, the CIS Benchmark includes checks for proper logging configuration, followed by monitoring checks, as below:

Logging configuration checks include:

Monitoring checks ensure that a log metric filter and alarm exists for the following:

It is apparent that the “logging and monitoring” checks are most detailed and elaborate for AWS. This is perhaps a reflection of the maturity of AWS from an Infrastructure as a Service (IaaS) perspective.

CIS benchmarks provide an excellent means for organizations to ensure hygiene and measure their cloud security posture. These checks are best automated and run at a chosen cadence. ThreatWatch provides comprehensive coverage of the CIS benchmarks for the major clouds (AWS/Azure/GCP), containers and more.

Write to us to learn more about how ThreatWatch can help secure your cloud environments, from IaaS to serverless functions, without agents or scans, along with the ability to detect misconfigurations via CIS benchmark based compliance checks.
