Given that misconfigurations contribute to a fair share of cloud breaches, it is vital to keep tabs on your cloud environments. Cloud environments are rarely static, especially since most of us use the cloud for the elasticity and flexibility it provides. Logging and monitoring provide an easy way to gain insight into your ever-changing cloud landscape.
Security teams need to keep an eye on a range of things, from new VM instances spun up in the cloud to VPC network changes and more. Some of these changes are runtime events (like a new VM instance), while others are more fundamental (like VPC network changes). The latter matter more from an audit angle, to track configuration changes.
Most cloud providers offer logging and monitoring capabilities. The Center for Internet Security (CIS) has taken note of this and included a battery of tests focused on “Logging and Monitoring” in its CIS Benchmarks for cloud.
The terms logging and monitoring are used in tandem, so it is worth understanding what each means. Logging is the practice of managing all of the log data produced by your cloud infrastructure. It comprises the following: capturing the logs, log aggregation, storage and archival, security and privacy of logs, enrichment and analysis. Monitoring is the process of observing and checking progress or quality over a period of time.
Let us consider “Logging and Monitoring” CIS benchmark tests for Google Cloud Platform. These are as follows:
- First and foremost, ensure that Cloud Audit Logging is configured properly for all services and all users in a project. It is recommended to track all admin activities as well as read and write access to user data.
- In a GCP environment, a sink is responsible for exporting copies of log entries. It is recommended to ensure that sinks are configured for all log entries; these log entries can then be exported to a SIEM solution.
- Log buckets hold logs, and these log buckets should have retention policies to safeguard the logs stored in them.
Next, configure log metric filters and alerts for the following aspects:
- Project ownership assignments / changes.
- Audit Configuration changes.
- Custom Role changes.
- VPC Network Firewall rule changes.
- VPC Network route changes.
- VPC Network changes.
- Cloud Storage IAM Permission changes.
- SQL Instance Configuration changes.
Note that configuring a log metric filter and alert is essentially a two-step process on Google Cloud Platform:
- Create a metric with required filter.
- Create the Alert Policy based on the metric defined above.
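The two steps above, modelled in code as an added illustration (this is not ThreatWatch's or Google's code): step 1 defines log-based metrics as filters over Cloud Audit Log entries, and step 2 evaluates an alert policy over each metric's counts. The audit log entries, the 5-minute window and the threshold of one event are constructed assumptions; the two predicates are Python renderings of the "project ownership changes" and "VPC firewall rule changes" filters listed above, not the benchmark's filter strings verbatim.

```python
"""Two-step GCP alerting model: log-based metric (filter) -> alert policy.
Added illustration; entries, window size and threshold are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed Cloud Audit Log entries, reduced to the fields the filters read.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z",
     "resource": {"type": "project"},
     "protoPayload": {
         "serviceName": "cloudresourcemanager.googleapis.com",
         "methodName": "SetIamPolicy",
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/owner",
              "member": "user:new-owner@example.com"}]}}}},
    {"timestamp": "2024-01-01T10:00:30Z",
     "resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.firewalls.insert"}},
    {"timestamp": "2024-01-01T10:01:00Z",          # runtime change, not in the CIS list
     "resource": {"type": "gce_instance"},
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.insert"}},
    {"timestamp": "2024-01-01T12:00:00Z",          # viewer binding: not an ownership change
     "resource": {"type": "project"},
     "protoPayload": {
         "serviceName": "cloudresourcemanager.googleapis.com",
         "methodName": "SetIamPolicy",
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/viewer",
              "member": "user:reader@example.com"}]}}}},
]


def owner_binding_changed(entry):
    """Step 1 filter: a roles/owner binding added to or removed from the project."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "cloudresourcemanager.googleapis.com":
        return False
    deltas = (payload.get("serviceData", {}).get("policyDelta", {})
              .get("bindingDeltas", []))
    return any(d.get("role") == "roles/owner" and d.get("action") in ("ADD", "REMOVE")
               for d in deltas)


def firewall_rule_changed(entry):
    """Step 1 filter: a VPC firewall rule inserted, patched or deleted."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    return (entry.get("resource", {}).get("type") == "gce_firewall_rule"
            and any(op in method for op in ("compute.firewalls.insert",
                                            "compute.firewalls.patch",
                                            "compute.firewalls.delete")))


# Step 1: log-based metrics, each counting the entries its filter matches.
METRICS = {
    "project-ownership-change": owner_binding_changed,
    "vpc-firewall-rule-change": firewall_rule_changed,
}


def bucket_metric_counts(entries, predicate, window_minutes=5):
    """Count matching entries per aligned window: the metric's time series."""
    counts = Counter()
    for entry in entries:
        if predicate(entry):
            ts = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            window = ts - timedelta(minutes=ts.minute % window_minutes,
                                    seconds=ts.second)
            counts[window] += 1
    return counts


def evaluate_alert_policies(entries, threshold=1, window_minutes=5):
    """Step 2: one alert policy per metric, firing when a window's count reaches
    the threshold. Returns metric name -> ISO timestamps of windows that fired."""
    fired = {}
    for name, predicate in METRICS.items():
        counts = bucket_metric_counts(entries, predicate, window_minutes)
        fired[name] = sorted(w.isoformat() for w, c in counts.items() if c >= threshold)
    return fired


if __name__ == "__main__":
    for metric, windows in evaluate_alert_policies(SAMPLE_ENTRIES).items():
        print(f"{metric}: fired in windows {windows}")
```

In a real project, step 1 is the log-based metric you create with `gcloud logging metrics create NAME --log-filter='...'`, and step 2 is the Cloud Monitoring alert policy whose condition reads that metric; the point of keeping them separate is that the same metric can back several policies (different thresholds or notification channels) without re-running the filter.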
Along similar lines, the CIS Benchmark tests for Azure cloud include the following checks:
- Create Policy Assignment
- Create or Update Network Security Group
- Delete Network Security Group
- Create or Update Network Security Group Rule
- Delete Network Security Group Rule
- Create or Update Security Solution
- Delete Security Solution
- Create or Update or Delete SQL Server Firewall Rule
- Update Security Policy
For AWS, the CIS Benchmark tests include checks for proper logging configuration followed by monitoring, as below:
Logging configuration checks include:
- CloudTrail is enabled for all regions
- CloudTrail log file validation is enabled
- S3 bucket used to store CloudTrail logs is not publicly accessible
- CloudTrail logs are integrated with CloudWatch Logs
- AWS Config is enabled in all regions
- S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CloudTrail logs are encrypted at rest using KMS CMKs
- Rotation is enabled for customer created CMKs
- VPC flow logging is enabled in all VPCs
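As an added example (not ThreatWatch's code and not part of the original post), the logging configuration checks above can be evaluated against the trail description that `aws cloudtrail describe-trails` returns. The two trail records and the bucket state are constructed; the field names `IsMultiRegionTrail`, `LogFileValidationEnabled`, `KmsKeyId`, `CloudWatchLogsLogGroupArn` and `S3BucketName` are the real keys of a describe-trails record, while the `BUCKETS` dict stands in for what you would gather from the S3 bucket policy status and bucket logging calls.

```python
"""Evaluate CloudTrail trail records against the CIS logging checks.
Added example; trail records and bucket state are constructed."""

# Constructed: a weak trail and its hardened counterpart, shaped like one
# element of the 'trailList' from describe-trails.
TRAIL_WEAK = {
    "Name": "weak-trail",
    "S3BucketName": "weak-trail-logs",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
    "KmsKeyId": None,
    "CloudWatchLogsLogGroupArn": None,
}
TRAIL_HARDENED = {
    "Name": "hardened-trail",
    "S3BucketName": "hardened-trail-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
}

# Constructed stand-in for per-bucket facts (public access, access logging)
# that come from separate S3 API calls rather than from describe-trails.
BUCKETS = {
    "weak-trail-logs": {"public": True, "access_logging_enabled": False},
    "hardened-trail-logs": {"public": False, "access_logging_enabled": True},
}


def check_trail(trail, buckets):
    """Return the CIS logging findings for one trail; an empty list is a pass."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("CloudTrail is not enabled for all regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("CloudTrail log file validation is disabled")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("CloudTrail logs are not integrated with CloudWatch Logs")
    if not trail.get("KmsKeyId"):
        findings.append("CloudTrail logs are not encrypted at rest with a KMS CMK")
    # An unknown bucket is treated as failing both bucket checks: missing
    # evidence should never silently pass a benchmark control.
    bucket = buckets.get(trail.get("S3BucketName"), {})
    if bucket.get("public", True):
        findings.append("S3 bucket storing CloudTrail logs is publicly accessible")
    if not bucket.get("access_logging_enabled", False):
        findings.append("S3 bucket access logging is not enabled on the CloudTrail bucket")
    return findings


def check_trails(trails, buckets):
    """Map each trail name to its findings, for the whole account at once."""
    return {t["Name"]: check_trail(t, buckets) for t in trails}


if __name__ == "__main__":
    for name, findings in check_trails([TRAIL_WEAK, TRAIL_HARDENED], BUCKETS).items():
        print(name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

The "AWS Config enabled in all regions" and "VPC flow logging" checks are deliberately not in this function: they are account- and VPC-level facts from other services, so a complete scanner keeps them as separate checks rather than attaching them to a trail.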
Monitoring checks ensure that a log metric filter and alarm exists for the following:
- Unauthorized API calls
- Management Console Sign-in without MFA
- Usage of “root” account
- IAM Policy changes
- CloudTrail Configuration changes
- AWS Management Console authentication failures
- Disabling or scheduled deletion of customer created CMKs
- S3 bucket policy changes
- AWS Config configuration changes
- Security group changes
- Changes to Network Access Control Lists (NACL)
- Changes to Network Gateways
- Route table changes
- VPC changes
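To show what the monitoring checks above actually match on, here is an added example (not ThreatWatch's code and not from the original post) that runs four of the CIS metric filters over constructed CloudTrail events and reports which alarms would fire. The selectors (`$.errorCode`, `$.userIdentity.type`, and so on) are the CloudTrail fields the CIS patterns use; the matching engine is a small Python approximation of CloudWatch Logs filter semantics, with `*` wildcards via `fnmatch` and a missing field treated as "not equal", which is a simplification and an assumption of this example.

```python
"""CIS AWS monitoring filters evaluated over sample CloudTrail events.
Added example; events are constructed and the matcher approximates CloudWatch."""
from fnmatch import fnmatchcase


def field(event, selector):
    """Resolve a CloudWatch-style '$.a.b' selector; None when the path is absent."""
    node = event
    for part in selector.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def eq(event, selector, pattern):
    """'$.x = "pattern"' with * wildcards; an absent field never equals anything."""
    value = field(event, selector)
    return value is not None and fnmatchcase(str(value), pattern)


# Each predicate mirrors one CIS metric filter pattern (written in the comment).
FILTERS = {
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "unauthorized_api_calls": lambda e: (
        eq(e, "$.errorCode", "*UnauthorizedOperation") or eq(e, "$.errorCode", "AccessDenied*")),
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")
    #   && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }
    "console_signin_without_mfa": lambda e: (
        eq(e, "$.eventName", "ConsoleLogin")
        and not eq(e, "$.additionalEventData.MFAUsed", "Yes")
        and eq(e, "$.userIdentity.type", "IAMUser")
        and eq(e, "$.responseElements.ConsoleLogin", "Success")),
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    "root_account_usage": lambda e: (
        eq(e, "$.userIdentity.type", "Root")
        and field(e, "$.userIdentity.invokedBy") is None
        and not eq(e, "$.eventType", "AwsServiceEvent")),
    # { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
    "console_auth_failures": lambda e: (
        eq(e, "$.eventName", "ConsoleLogin")
        and eq(e, "$.errorMessage", "Failed authentication")),
}

# Constructed CloudTrail events, trimmed to the fields the filters read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",        # root, no MFA
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",         # denied API call
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",        # clean login
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",        # failed login
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",        # IAM user, no MFA
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "GetObject", "eventType": "AwsApiCall",                 # S3 access denied
     "userIdentity": {"type": "AssumedRole"},
     "errorCode": "AccessDenied"},
    {"eventName": "PutObject", "eventType": "AwsServiceEvent",            # service acting as root
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
]


def metric_counts(events):
    """Metric value each filter would emit for this batch: number of matches."""
    return {name: sum(1 for e in events if match(e)) for name, match in FILTERS.items()}


def alarms(events, threshold=1):
    """Names of the CIS alarms that fire: metric count at or above the threshold."""
    return sorted(name for name, count in metric_counts(events).items() if count >= threshold)


if __name__ == "__main__":
    print(metric_counts(SAMPLE_EVENTS))
    print("alarms:", alarms(SAMPLE_EVENTS))
```

The last event is the important negative case: root credentials used by an AWS service on the account's behalf carry `invokedBy` and `eventType` `AwsServiceEvent`, and the root-usage filter excludes them so the alarm only fires on a human using the root account.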
It is apparent that the “logging and monitoring” checks are the most detailed and elaborate for AWS cloud, perhaps reflecting the maturity of AWS from an Infrastructure as a Service (IaaS) perspective.
CIS benchmarks provide an excellent means for organizations to ensure hygiene and measure their cloud security posture. These checks are best automated and run at a desired cadence. ThreatWatch provides comprehensive coverage of CIS benchmarks for various clouds (AWS/Azure/GCP), containers and more.
Write to us to learn more about how ThreatWatch can help secure your cloud environments from IaaS to serverless functions without the need for agents or scans, along with the ability to detect misconfigurations (via CIS benchmark based compliance).