By Bruce Sussman
Wed | Dec 18, 2019 | 9:30 AM PST

You can stand up a global cloud infrastructure with a few clicks, but how do you adapt security processes to proactively decrease risk in the AWS Cloud? 

We just attended a webinar on how to perform security investigations in the AWS Cloud led by SANS instructor Kyle Dickinson.

Enabling AWS Cloud security investigations

"AWS CloudTrail is what I call the flight recorder of your AWS account: the who, what, where, when, and how did they do it," Dickinson said.

This is one of the key tools for security investigations in the cloud. We explore others below, including a use case.

As you prepare for incident response in the cloud, Dickinson suggests doing the following: "You can create a security group which helps with containment, by telling that group to not allow outbound traffic."

You can then apply that security group where needed for rapid short-term containment. And you can scale up if needed. "If you see you need an investigation on an entire VPC, you can create a network ACL that would disallow all outbound traffic."  

Those are a couple of the basics the webinar covered, but let's get into a use case, which reveals much more.

AWS security investigation use case

In the webinar, the presenters talked about this AWS scenario: An Amazon EC2 instance is communicating to unusual destinations.

How do you investigate what is happening here? You turn to tools which are built into the AWS Cloud: 

  • AWS CloudTrail: this lets you see whether something was changed to permit this traffic. Was a security group modified? Was the instance itself modified so that it now has a direct outbound path? CloudTrail answers these questions.
  • Amazon VPC Flow Logs / VPC Traffic Mirroring: "These give us details of network communication. What data was leaving our environment?"
  • Amazon EC2 snapshot: a snapshot of the instance preserves its state for review and helps determine whether a deeper forensic examination of the instance is required.
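The three steps above, carried out on constructed sample data, as an added example that is not part of the webinar, the white paper or any AWS tooling. It pulls egress-changing API calls (the "was something modified?" question) out of CloudTrail records, sums accepted outbound bytes from the suspect instance's ENI to destinations outside a known baseline using the default VPC Flow Log field layout, and flags the instance for a snapshot when such egress exists. The instance ID, ENI ID, IP addresses, account number, usernames and the baseline of known destinations are all constructed values.

```python
"""Correlate CloudTrail records and VPC Flow Logs for one EC2 instance.

Added example, not the webinar's or AWS's own code. All IDs, addresses and
records below are constructed; the record shapes follow the documented
CloudTrail JSON fields and the default (version 2) VPC Flow Log format.
"""
from collections import defaultdict

# Instance under investigation, its ENI and private IP (constructed values).
SUSPECT_INSTANCE = "i-0abc1234deadbeef0"
SUSPECT_ENI = "eni-0123456789abcdef0"
SUSPECT_IP = "10.0.1.5"

# Destinations the instance is expected to talk to (constructed baseline).
KNOWN_DESTINATIONS = {"10.0.1.20", "10.0.1.21"}

# Management-plane API calls that can open a new outbound path.
EGRESS_CHANGING_EVENTS = {"AuthorizeSecurityGroupEgress", "ModifyInstanceAttribute",
                          "ReplaceNetworkAclEntry", "CreateRoute"}

# Constructed CloudTrail records (subset of the real fields).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2019-12-17T08:00:12Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-reader"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2019-12-17T08:41:03Z", "eventName": "AuthorizeSecurityGroupEgress",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-1"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"groupId": "sg-0fedcba9876543210"}},
    {"eventTime": "2019-12-17T08:42:30Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-1"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"instanceId": SUSPECT_INSTANCE}},
]

# Constructed flow-log lines. Default fields: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0123456789abcdef0 10.0.1.5 10.0.1.20 49152 443 6 20 4000 1576569600 1576569660 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 192.0.2.44 49153 443 6 900 1200000 1576569600 1576569660 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 192.0.2.44 49154 443 6 800 1100000 1576569660 1576569720 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.44 10.0.1.5 443 49153 6 50 2500 1576569600 1576569660 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.9 10.0.1.21 49155 443 6 10 800 1576569600 1576569660 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 10.0.1.21 49156 443 6 5 600 1576569600 1576569660 REJECT OK
"""

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text):
    """Parse default-format flow log lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        row = dict(zip(FLOW_FIELDS, parts))
        for key in INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def unusual_egress(rows, eni, instance_ip, known):
    """Bytes and flow counts from the instance to destinations outside `known`.

    Only rows whose srcaddr is the instance are outbound, and only ACCEPTed
    flows moved data; REJECTed attempts are dropped here."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for r in rows:
        if r["interface_id"] != eni or r["srcaddr"] != instance_ip:
            continue
        if r["action"] != "ACCEPT" or r["dstaddr"] in known:
            continue
        entry = totals[(r["dstaddr"], r["dstport"])]
        entry["bytes"] += r["bytes"]
        entry["flows"] += 1
    return dict(totals)


def egress_changes(records, instance_id):
    """CloudTrail events that could have opened an outbound path, oldest first.

    A security-group change is reported even though mapping the group to the
    instance needs a separate DescribeInstances lookup, so it is not marked
    as touching the instance directly."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in EGRESS_CHANGING_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity", {})
        hits.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "actor": identity.get("userName", identity.get("type")),
            "source_ip": rec.get("sourceIPAddress"),
            "target": params.get("instanceId") or params.get("groupId"),
            "touches_instance": params.get("instanceId") == instance_id,
        })
    return sorted(hits, key=lambda h: h["time"])


def investigate(records, flow_text, instance_id, eni, instance_ip, known):
    """Run all three steps; recommend a snapshot when unexpected egress is found."""
    egress = unusual_egress(parse_flow_logs(flow_text), eni, instance_ip, known)
    return {"changes": egress_changes(records, instance_id),
            "unusual_egress": egress,
            "snapshot_recommended": bool(egress)}


if __name__ == "__main__":
    result = investigate(CLOUDTRAIL_RECORDS, FLOW_LOG_LINES, SUSPECT_INSTANCE,
                         SUSPECT_ENI, SUSPECT_IP, KNOWN_DESTINATIONS)
    for change in result["changes"]:
        print(f'{change["time"]} {change["actor"]}@{change["source_ip"]} {change["event"]} -> {change["target"]}')
    for (dst, port), t in result["unusual_egress"].items():
        print(f'unexpected egress to {dst}:{port}: {t["bytes"]} bytes over {t["flows"]} flows')
    print("snapshot recommended:", result["snapshot_recommended"])
```

On the constructed data the output ties the two log sources together: a contractor authorizes a new egress rule and modifies the instance a minute before roughly 2.3 MB leaves for an address outside the baseline, which is exactly the point at which a snapshot is worth taking before containment changes the instance.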

Leveraging AWS Marketplace to help in security investigations

David Aiken, Solutions Architect with AWS Marketplace, then looked at ways products at AWS Marketplace can integrate into the cloud and make security investigations even simpler.

"Palo Alto created Prisma Cloud to bring all these things together and identify the risk. This is going to be really valuable and save your security team a great deal of time," Aiken said.

There is much more, including an additional use case in the webinar and a white paper below. This includes how to set prerequisites, evaluate services/technologies, and plan for and execute investigations into incidents in cloud operations. Here are the resources:

Webinar: How to Perform a Security Investigation in AWS
White paper: Enabling a Security Investigation in AWS

Cloud Security Posture Management in AWS Cloud

Cloud Security Posture Management (CSPM) is a class of security tools that allow for constant improvement in cloud security and continuous compliance.

CSPM reduces the risk of misconfiguration and also enables efficient investigations by centralizing data sources that provide operational and security insight.

We just finished reviewing the related webinar and white paper on Cloud Security Posture Management in AWS; it covers a sweeping range of topics, including:

• How to select data sources, investigation tools, and use CSPM in your cyber investigative processes

• How to combine these two disciplines to identify security misconfigurations, risky associations, and who's making changes

• Methodology for evaluating CSPM to work with your investigative programs

• Building a business case for CSPM

The white paper also lays out the key considerations for choosing a CSPM, which it says should be viewed through your reporting needs, third-party integrations, ability to customize alerts, deployment, scaling, and vendor support models. It dives into the details of each.

CSPM in AWS use case

How can CSPM aid in security investigations? There are several ways: 

  1. Allows you to query all AWS accounts owned by the organization
  2. Provides Asset Inventory (CIS critical control)
  3. Contextualizes VPC flow log data
  4. Visualizes user administrative activity

"It is hard to say, as a blanket statement, what is normal activity across the enterprise, especially if you have different business units that utilize AWS," Dickinson said. "Having a CSPM can help classify what is normal activity for your accounts, and then raise an alert if there is something abnormal."
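What "classify what is normal activity for your accounts, and then raise an alert if there is something abnormal" can mean in practice, as an added example that is not the webinar's, the white paper's, or any CSPM product's logic. It learns a per-account baseline of which principal performs which write action from a learning window of CloudTrail records, then reports actions outside that baseline, noting when the same action is routine in another business unit's account so the analyst gets the cross-account context the quote describes. Account IDs, usernames and events are constructed.

```python
"""Per-account baseline of administrative activity from CloudTrail records.

Added example, not from the webinar or any CSPM vendor. All account IDs,
usernames, IP addresses and records are constructed.
"""
from collections import defaultdict

# Read-only API calls are noise for this purpose; only write actions are baselined.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _rec(account, user, event, ip):
    """Build a minimal constructed CloudTrail record."""
    return {"recipientAccountId": account, "userIdentity": {"userName": user},
            "eventName": event, "sourceIPAddress": ip}


# Learning window: account 1111... is a dev account, 2222... belongs to finance.
BASELINE_RECORDS = [
    _rec("111111111111", "deploy-bot", "RunInstances", "203.0.113.10"),
    _rec("111111111111", "deploy-bot", "TerminateInstances", "203.0.113.10"),
    _rec("111111111111", "alice", "CreateSecurityGroup", "203.0.113.11"),
    _rec("222222222222", "finance-admin", "PutBucketPolicy", "203.0.113.12"),
]

# Records from the window under review.
NEW_RECORDS = [
    _rec("111111111111", "deploy-bot", "RunInstances", "203.0.113.10"),      # normal
    _rec("222222222222", "deploy-bot", "RunInstances", "203.0.113.10"),      # wrong account
    _rec("222222222222", "alice", "DescribeInstances", "203.0.113.11"),      # read-only, ignored
    _rec("222222222222", "bob", "AuthorizeSecurityGroupIngress", "198.51.100.9"),  # never seen
]


def build_baseline(records):
    """Map each account to the (principal, write-action) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for r in records:
        if r["eventName"].startswith(READ_ONLY_PREFIXES):
            continue
        baseline[r["recipientAccountId"]].add((r["userIdentity"]["userName"], r["eventName"]))
    return baseline


def find_abnormal(baseline, records):
    """Return write actions not in the account's baseline, with cross-account context."""
    alerts = []
    for r in records:
        event = r["eventName"]
        if event.startswith(READ_ONLY_PREFIXES):
            continue
        account = r["recipientAccountId"]
        user = r["userIdentity"]["userName"]
        if (user, event) in baseline.get(account, set()):
            continue
        # The same pair may be routine elsewhere; that distinguishes a principal
        # drifting across business units from an action never seen at all.
        normal_in = sorted(a for a, pairs in baseline.items()
                           if a != account and (user, event) in pairs)
        alerts.append({"account": account, "user": user, "event": event,
                       "source_ip": r["sourceIPAddress"], "normal_in": normal_in})
    return alerts


if __name__ == "__main__":
    for alert in find_abnormal(build_baseline(BASELINE_RECORDS), NEW_RECORDS):
        where = f' (normal in {", ".join(alert["normal_in"])})' if alert["normal_in"] else ""
        print(f'{alert["account"]}: {alert["user"]} {alert["event"]} from {alert["source_ip"]}{where}')
```

A real CSPM would derive the baseline over a much longer window and weight by frequency, but the shape is the same: the alert on `deploy-bot` carries the note that the action is normal in the dev account, while the alert on `bob` has no such context and deserves the first look.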

Clearly, there are some impressive tools to help with security investigations in the AWS Cloud. For more on making CSPM a part of what your organization does, check out these resources:

White paper: JumpStart Guide to Investigations and Cloud Security Posture Management in AWS

Webinar: JumpStart Guide to Security Investigations and Posture Management in AWS