As part of managing the risk of working with public clouds, we need to configure an ongoing monitoring solution for our cloud environments.
Monitoring gives us visibility into our cloud environments (in most cases IaaS / PaaS) and lets us demonstrate compliance with regulations and security standards.
From a security point of view, the main topics we should be monitoring are:
- Activity monitoring
- Data Leakage
- Attack detection
- Compliance
This post summarizes some of the main tools and services the major cloud vendors provide for security monitoring in the above four categories. They are a good starting point and the focus of this article, but note that a wide variety of third-party tools is available in the marketplace, which may also be useful or relevant depending on the needs of your organization.
Activity monitoring
For activity monitoring, we need to include:
- Login attempts (both success and failure)
- Activity performed (who accessed what, when the activity was performed, and what action was taken)
Common services provided by cloud vendors in this category include:
- AWS:
  - AWS CloudTrail – Record all API calls, including console sign-ins, as an audit trail
  - Amazon CloudWatch – Metric filters and alarms over the CloudTrail log group, e.g. to alert on multiple failed logins
- Azure:
  - Azure Monitor – Collect the Activity Log and Azure AD sign-in logs and alert on them, e.g. on multiple failed logins
- GCP:
  - Google Cloud Logging – Log-based metrics and alerts, e.g. on multiple failed logins
  - Google Cloud Audit Logs – Admin Activity, Data Access and System Event logs of administrative and data-plane activity
  - Google Access Transparency – Near real-time logs of Google personnel accessing your content (Access Approval adds the approval control on top of it)
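The "multiple failed logins" alert above is usually expressed as a metric filter plus an alarm; the following is an added example (not code from the original post or from AWS) of the same condition written out as a sliding-window check over CloudTrail ConsoleLogin records. The records are constructed samples in CloudTrail's JSON shape, not real log data, and the threshold and window are assumptions you would tune.

```python
"""Detect bursts of failed AWS console logins in CloudTrail records.

Added example, not code from the original post or from AWS: a sliding-window
check that reproduces in code what a CloudWatch Logs metric filter plus alarm
does for the "multiple failed logins" use case. The records below are
constructed samples in CloudTrail's JSON shape, not real log data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The CIS AWS Foundations Benchmark metric filter for the same condition;
# is_failed_console_login() below is its in-code equivalent.
CIS_FAILED_CONSOLE_LOGIN_FILTER = (
    '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
)


def _login(event_time, user, ip, outcome):
    """Build a minimal CloudTrail ConsoleLogin record (constructed sample)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample: alice is brute-forced from one address, which also
# tries carol once; bob fails twice far apart; dave signs in normally.
SAMPLE_EVENTS = [
    _login("2024-05-01T12:00:05Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-05-01T12:00:40Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-05-01T12:01:10Z", "carol", "203.0.113.5", "Failure"),
    _login("2024-05-01T12:01:30Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-05-01T12:02:00Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-05-01T12:02:20Z", "alice", "203.0.113.5", "Failure"),
    _login("2024-05-01T12:03:00Z", "dave", "192.0.2.9", "Success"),
    _login("2024-05-01T12:20:00Z", "bob", "198.51.100.7", "Failure"),
]


def is_failed_console_login(event):
    """True for a ConsoleLogin record whose outcome was Failure."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def parse_event_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def by_user(event):
    return event["userIdentity"].get("userName", "<unknown>")


def by_source_ip(event):
    return event["sourceIPAddress"]


def find_bursts(events, key_fn, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per key that accumulates `threshold` failed logins
    inside any `window`. Grouping by user catches brute force against one
    account; grouping by source IP catches password spraying across many."""
    failures = sorted(
        ((parse_event_time(e["eventTime"]), e) for e in events if is_failed_console_login(e)),
        key=lambda pair: pair[0],
    )
    recent = defaultdict(deque)
    alerts = {}
    for ts, event in failures:
        key = key_fn(event)
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) >= threshold:
            alerts[key] = {
                "key": key,
                "count": len(times),
                "first": times[0].isoformat(),
                "last": ts.isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for name, key_fn in (("user", by_user), ("source_ip", by_source_ip)):
        print(name, json.dumps(find_bursts(SAMPLE_EVENTS, key_fn), indent=2))
```

Running the same events through both keys matters: per-user grouping alone would miss a spray that tries each account only once or twice from a single address, which the per-IP grouping surfaces.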
Data Leakage
For data leakage, we need to include:
- Data discovery and classification (detect sensitive data such as PII, credit card numbers, etc.)
- Data leakage detection (and sometimes even prevention)
Common services provided by cloud vendors to help us in this category include:
- AWS:
  - Amazon Macie – Discover, classify and protect sensitive data stored in Amazon S3
- Azure:
  - Azure Information Protection – Discover, classify, label and protect sensitive documents and emails
- GCP:
  - Google Cloud Data Loss Prevention – Discover, classify and de-identify (mask or tokenize) sensitive data
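What these services do under the hood is pattern matching plus validation, and the validation step is what keeps the false-positive rate usable. The following is an added example (not code from the original post or from any of the vendors) of a small classifier for card numbers and e-mail addresses: a regex pre-filter, a Luhn checksum so that a 16-digit number that merely looks like a PAN is not reported, masking for the findings, and a redaction helper. The records are constructed samples and the card numbers are the public test PANs.

```python
"""Discover and classify sensitive data in text the way a DLP scanner does.

Added example (not code from the original post or from AWS, Azure or Google):
a regex pre-filter for card numbers and e-mail addresses, with a Luhn checksum
to reject numbers that merely look like a PAN. The records are constructed
samples; the card numbers are the usual public test PANs.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample records: one valid PAN, one that fails the checksum,
# a 12-digit AWS account id that must not be reported, and an Amex test PAN.
SAMPLE_RECORDS = [
    "order 1842 paid with card 4111 1111 1111 1111, receipt sent to jane.doe@example.com",
    "support ticket: customer quoted 4111-1111-1111-1112 which is not a valid PAN",
    "aws account 123456789012 owner ops@example.org",
    "amex on file 378282246310005",
]


def luhn_valid(digits):
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, as receipts do."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text):
    """Return the findings for one record as (type, masked value) pairs."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drop lookalikes such as order or account numbers
            findings.append(("credit_card", mask_pan(digits)))
    for m in EMAIL.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(("email", local[0] + "***@" + domain))
    return findings


def scan(records):
    """Classify every record; returns {index: findings} for records with hits."""
    report = {}
    for i, rec in enumerate(records):
        hits = classify(rec)
        if hits:
            report[i] = hits
    return report


def redact(text):
    """Replace Luhn-valid card numbers with their masked form, leaving other digits alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return CARD_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, hits)
    print(redact(SAMPLE_RECORDS[0]))
```

The second record is the one to watch: it matches the regex but fails the checksum and is therefore not reported, which is exactly the distinction a managed DLP service makes between a "likely" and a "very likely" match.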
Attack Detection
For attack detection, we need to include:
- Analyzing logs and detecting potential attacks
- Network attack detection
Common services provided by cloud vendors in this category include:
- AWS:
  - Amazon GuardDuty – Detect malicious behavior by analyzing AWS CloudTrail events, Amazon VPC Flow Logs and DNS logs
  - Amazon Detective – Analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities
  - AWS Shield – DDoS protection; Shield Advanced adds attack visibility and reporting for network-layer DDoS attacks
- Azure:
  - Azure Sentinel (now Microsoft Sentinel) – Fully managed SIEM solution for detecting and investigating attacks
  - Azure DDoS Protection – Visibility for network-layer DDoS attacks
- GCP:
  - Google Incident Response and Management – Produce insights on security incidents
  - Google Security Command Center – Centralized visibility into assets, misconfigurations, vulnerabilities and threats, to prevent, detect, and respond
  - Google Cloud Armor – DDoS protection and WAF rules for applications behind Google's global load balancers
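For network attack detection, a service like GuardDuty applies rules over flow logs; the following is an added example (not code from the original post or from AWS) that writes two such rules out explicitly over VPC Flow Log records in the default 14-field format: a port scan (one source rejected on many distinct destination ports within a time window) and accepted SSH/RDP traffic from outside the VPC's private address space. The log lines are constructed samples; RFC 5737 documentation addresses stand in for public ones, and the thresholds are assumptions.

```python
"""Flag network-level attack patterns in VPC Flow Log records.

Added example (not the post's or any vendor's code): the kind of rule a
GuardDuty-style engine applies to flow logs, written out explicitly. Two
rules: a port scan (one source rejected on many distinct destination ports
within a window) and accepted admin-port traffic from outside the private
address space. The lines are constructed samples in the default 14-field
flow log format; 198.51.100.x / 203.0.113.x are documentation addresses
standing in for public ones.
"""
import ipaddress
from collections import Counter, defaultdict, deque

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one external host probes eight ports on 10.0.1.15 and then
# gets an SSH session accepted; an internal host uses SSH and HTTPS normally;
# a second external host reaches HTTPS; one NODATA record carries no flow.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44123 21 6 1 40 1714565000 1714565060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44124 23 6 1 40 1714565001 1714565061 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44125 25 6 1 40 1714565002 1714565062 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44126 80 6 1 40 1714565003 1714565063 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44127 110 6 1 40 1714565004 1714565064 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44128 143 6 1 40 1714565005 1714565065 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44129 443 6 1 40 1714565006 1714565066 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44130 445 6 1 40 1714565007 1714565067 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 44133 22 6 12 1500 1714565010 1714565070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.2.40 10.0.1.15 51000 22 6 30 4100 1714565020 1714565080 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.2.40 10.0.1.15 51001 443 6 8 900 1714565030 1714565090 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.77 10.0.1.15 60000 443 6 5 600 1714565040 1714565100 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1714565000 1714565600 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines; NODATA/SKIPDATA records are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=8, window=300):
    """One source REJECTed on >= min_ports distinct destination ports of one
    host within `window` seconds (sliding window over the flow start times)."""
    by_pair = defaultdict(list)
    for r in records:
        if r["action"] == "REJECT":
            by_pair[(r["srcaddr"], r["dstaddr"])].append((r["start"], r["dstport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        recent, seen = deque(), Counter()
        for start, port in events:
            recent.append((start, port))
            seen[port] += 1
            while start - recent[0][0] > window:  # expire flows outside the window
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) >= min_ports:
                alerts.append({"rule": "port_scan", "src": src, "dst": dst, "ports": sorted(seen)})
                break  # one alert per source/destination pair is enough
    return alerts


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def detect_public_admin_access(records):
    """ACCEPTed TCP flows to SSH/RDP whose source is outside the private ranges."""
    return [
        {"rule": "public_admin_access", "src": r["srcaddr"], "dst": r["dstaddr"], "port": r["dstport"]}
        for r in records
        if r["action"] == "ACCEPT" and r["protocol"] == 6
        and r["dstport"] in ADMIN_PORTS and not is_rfc1918(r["srcaddr"])
    ]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for alert in detect_port_scans(recs) + detect_public_admin_access(recs):
        print(alert)
```

The two rules are deliberately correlated in the sample: the same address that scans the host is later accepted on port 22, which is the sequence a managed detector would score higher than either event on its own.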
Compliance
For compliance, we need to include:
- Detecting configuration mistakes
- Detecting missing security patches against the organizational patching standard
- Checking hardening settings against known industry standards (such as CIS, NIST, etc.)
Common services provided by cloud vendors in this category include:
- AWS:
  - AWS Artifact – Download AWS's own compliance reports against industry standards (SOC, PCI, etc.); it documents the provider, it does not assess your workloads
  - Amazon Inspector – Automated vulnerability assessment of EC2 instances and container images
  - AWS Security Hub – Aggregate security findings and run automated checks against standards such as the CIS AWS Foundations Benchmark
  - AWS Trusted Advisor – Best-practice checks, including security checks such as open security groups and MFA on the root account
  - AWS Control Tower – Enforce guardrail policies over multiple AWS accounts
- Azure:
  - Azure Security Center (now Microsoft Defender for Cloud) – Automated security assessment, secure score and regulatory compliance dashboards
  - Azure Advisor – Best-practice recommendations; its security recommendations come from Security Center
- GCP:
  - Google Cloud Security Scanner (Web Security Scanner) – Automated vulnerability scanning of web applications on App Engine, GKE and Compute Engine
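The checks these services run against a standard are individually simple rules over a configuration snapshot; what makes them useful is running them uniformly and tracking the pass/fail state per resource. The following is an added example (not code from the original post or from any vendor) in that style: a handful of CIS-benchmark-style controls (root MFA, password length, no admin ports open to the world, S3 public access blocked, S3 default encryption) evaluated over a constructed inventory shaped loosely after AWS describe-* output, with a way to record accepted exceptions so a deliberately public bucket does not show up as a failure forever. The control names and inventory layout are assumptions, not a vendor schema.

```python
"""Evaluate a cloud configuration snapshot against hardening rules.

Added example (not from the original post or from AWS, Azure or Google):
each rule is a small function over a configuration snapshot, producing
pass/fail findings the way Security Hub or Security Center standards do.
The inventory is a constructed sample shaped loosely after AWS describe-*
output; control names are this example's own, not CIS control numbers.
"""
import ipaddress
from collections import Counter

ADMIN_PORTS = {22, 3389}

# Constructed sample inventory.
INVENTORY = {
    "account": {
        "root_mfa_enabled": False,
        "password_policy": {"minimum_length": 8, "require_symbols": False},
    },
    "security_groups": [
        {"id": "sg-0123", "name": "web",
         "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0456", "name": "bastion",
         "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0789", "name": "db",
         "ingress": [{"from_port": 0, "to_port": 65535, "protocol": "-1", "cidr": "10.0.0.0/16"}]},
    ],
    "s3_buckets": [
        {"name": "corp-logs", "block_public_access": True, "default_encryption": "aws:kms"},
        {"name": "marketing-site", "block_public_access": False, "default_encryption": None},
    ],
}


def finding(control, resource, passed):
    return {"control": control, "resource": resource, "status": "PASS" if passed else "FAIL"}


def rule_root_mfa(inv):
    return [finding("root_mfa_enabled", "account", inv["account"]["root_mfa_enabled"])]


def rule_password_policy(inv):
    policy = inv["account"]["password_policy"]
    return [finding("password_min_length_14", "account", policy["minimum_length"] >= 14)]


def _open_to_world(ingress):
    """0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(ingress["cidr"]).prefixlen == 0


def _covers_admin_port(ingress):
    if ingress["protocol"] == "-1":  # all traffic
        return True
    return any(ingress["from_port"] <= p <= ingress["to_port"] for p in ADMIN_PORTS)


def rule_admin_ports(inv):
    out = []
    for sg in inv["security_groups"]:
        exposed = any(_open_to_world(r) and _covers_admin_port(r) for r in sg["ingress"])
        out.append(finding("no_admin_ports_open_to_world", sg["id"], not exposed))
    return out


def rule_s3_public(inv):
    return [finding("s3_public_access_blocked", b["name"], b["block_public_access"])
            for b in inv["s3_buckets"]]


def rule_s3_encryption(inv):
    return [finding("s3_default_encryption", b["name"], b["default_encryption"] is not None)
            for b in inv["s3_buckets"]]


RULES = [rule_root_mfa, rule_password_policy, rule_admin_ports, rule_s3_public, rule_s3_encryption]


def evaluate(inv, rules=RULES, exceptions=frozenset()):
    """Run every rule; failures listed in `exceptions` as (control, resource)
    are reported as SUPPRESSED so accepted risks stay visible but do not page."""
    findings = []
    for rule in rules:
        for f in rule(inv):
            if f["status"] == "FAIL" and (f["control"], f["resource"]) in exceptions:
                f["status"] = "SUPPRESSED"
            findings.append(f)
    return findings


def summary(findings):
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    results = evaluate(INVENTORY, exceptions={("s3_public_access_blocked", "marketing-site")})
    for f in results:
        if f["status"] != "PASS":
            print(f)
    print(summary(results))
```

Note that sg-0789 passes the admin-port rule even though it allows all traffic, because its source is a private CIDR; the rule is about exposure to the internet, and a separate rule would be needed if the organization's standard also forbids broad intra-VPC access.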
About the author
Eyal Estrin, cloud architect.