When I'm asked, "How should I monitor my Amazon Web Services infrastructure?" or "What AWS products and features should I be using?", one of the first topics I focus on is security.
The AWS Well-Architected Framework's Security Pillar defines cloud security best practices with five Design Principles and five focus areas. First, I'll describe the Security Design Principles and some Sumo Logic capabilities that will help you adhere to them. Then I'll list the five focus areas with corresponding investigative questions you can ask to ensure your architecture is secure. A link to the next pillar in the framework, Reliability, is coming soon.
Design Principles
Apply security at all layers
“Rather than just running security appliances (e.g., firewalls) at the edge of your infrastructure, use firewalls and other security controls on all of your resources (e.g., every virtual server, load balancer, and network subnet)” [1]
Most security events aren't detected until after the fact, so you'll need to capture all relevant logs to allow incident response teams to do their jobs
You can stream data to Sumo Logic by installing a collector agent on an EC2 instance, using API calls to scan S3 buckets, or posting data in CloudWatch log groups to our endpoints
Sumo Logic's AWS GuardDuty App allows you to complete more security investigations and audits faster, with links that navigate directly into your AWS console to remediate. Having the context of GuardDuty findings across all of your AWS accounts, alongside logs from your application, infrastructure, and third-party tools, all in one place will increase the efficiency of your security team.
Sumo Logic offers an AWS Threat Intelligence App that scans CloudTrail, ELB, and VPC Flow logs to expose malicious activity across your AWS environment
Sumo Logic’s VPC Flow Log integration allows you to visualize and alert on traffic across your custom or default virtual networking environment
Enable traceability
“Log and audit all actions and changes to your Environment” [1]
Sumo Logic’s CloudTrail integration allows you to audit your AWS environment
Create a trail and stream the logs to Sumo Logic in minutes, then visualize with our pre-built dashboards
Automate responses to security events
“Monitor and automatically trigger responses to event-driven, or condition-driven, alerts.” [1]
Advanced operators like Outlier, LogReduce, and LogCompare can be used to proactively identify anomalies
Once identified, push alerts to your Slack, HipChat, PagerDuty, email, and other alerting channels
You can also take advantage of our new AWS Lambda Webhook or a Script Action to take programmatic actions in response to alerts and outages
For example, when Outlier notices a spike in connections from a user, IP, or country, a Lambda webhook can automatically adjust your Network Access Control List (NACL) to block this traffic
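As an added example (not code from the original post or from Sumo Logic), here is a Lambda handler that could sit behind such a webhook. The payload keys, the NACL ID and the sample IP are constructed assumptions; it refuses non-public addresses and places the deny entry ahead of the existing allow rule, since NACL rules are evaluated in ascending order and the first match wins.

```python
import ipaddress
import json

# Assumed webhook payload (constructed for this example; Sumo Logic webhook
# bodies are defined by the user's own JSON template, so the keys are ours):
# {"alert": "outlier-connections", "source_ip": "<ip>", "nacl_id": "acl-..."}
MAX_RULE = 32766  # 32767 is the default deny rule AWS adds to every NACL

def validate_source(ip_text):
    """Return an IPv4 address that is safe to block, or None. Private, reserved and
    documentation ranges are refused so a bad alert cannot cut the VPC off from itself."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return ip if ip.version == 4 and ip.is_global else None

def next_rule_number(acl):
    """Lowest unused inbound rule number. It must sort before every inbound ALLOW entry,
    because NACL rules are evaluated in ascending order and the first match wins."""
    inbound = [e for e in acl["Entries"] if not e["Egress"]]
    used = {e["RuleNumber"] for e in inbound}
    first_allow = min((e["RuleNumber"] for e in inbound if e["RuleAction"] == "allow"),
                      default=MAX_RULE)
    n = next(i for i in range(1, MAX_RULE) if i not in used)
    if n >= first_allow:
        raise RuntimeError("no free rule number ahead of allow rule %d" % first_allow)
    return n

def block_ip(ec2, nacl_id, ip):
    """Add an inbound deny-all entry for ip/32 and return the parameters used."""
    acl = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]
    params = dict(NetworkAclId=nacl_id, RuleNumber=next_rule_number(acl), Protocol="-1",
                  RuleAction="deny", Egress=False, CidrBlock="%s/32" % ip)
    ec2.create_network_acl_entry(**params)
    return params

def handler(event, context=None, ec2=None):
    """Lambda entry point: parse the webhook body, validate the address, then block it."""
    body = json.loads(event["body"]) if isinstance(event.get("body"), str) else event
    ip = validate_source(body.get("source_ip", ""))
    if ip is None:
        return {"statusCode": 400, "body": "source_ip missing, not IPv4, or not a public address"}
    if ec2 is None:
        import boto3  # only needed inside Lambda; a fake client can be injected for testing
        ec2 = boto3.client("ec2")
    return {"statusCode": 200, "body": json.dumps(block_ip(ec2, body["nacl_id"], ip))}
```

The Lambda's execution role needs only ec2:DescribeNetworkAcls and ec2:CreateNetworkAclEntry on the target NACL, and the webhook endpoint itself should be authenticated so that only Sumo Logic alerts can trigger a block.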
Focus on securing your system
“With the AWS Shared Responsibility Model you can focus on securing your application, data, and operating systems, while AWS provides secure infrastructure and services.” [1]
Installing Sumo Logic's Linux or Windows OS applications enables you to monitor and alert on your OS-level security events
Automate security best practices
“Software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively.” [1]
Events from EC2 instances in an Auto Scaling group can be difficult to capture because of their ephemeral nature
Ephemeral Sumo Logic collectors are designed for this use case
They can be built into the Amazon Machine Image used by your Launch Configuration so that you can automatically collect, analyze, and alert on data generated by all instances in your Auto Scaling groups, whether they've just come online or have already terminated
Best Practice Areas
AWS defines the five security-focused best practice areas as:
Identity and access management
Detective controls
Infrastructure protection
Data protection
Incident response
Does your architecture take each of these best practices into account? Here are the questions you can ask to find out:
Identity and access management (IAM)
"How are you protecting access to and use of the AWS root account credentials?" [1]
"How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?" [1]
"How are you limiting automated access to AWS resources? (e.g., applications, scripts, and/or third-party tools or services)" [1]
Detective controls
"How are you capturing and analyzing logs?" [1]
Infrastructure protection
"How are you enforcing network and host-level boundary protection?" [1]
"How are you leveraging AWS service level security features?" [1]
"How are you protecting the integrity of the operating systems on your Amazon EC2 instances?" [1]
Data protection
"How are you classifying your data?" [1]
"How are you encrypting and protecting your data at rest?" [1]
"How are you managing keys?" [1]
"How are you encrypting and protecting your data in transit?" [1]
Incident response
"How do you ensure you have the appropriate incident response?" [1]
In the next post, which will be linked here soon, we will cover the Design Principles and best practice areas for the Reliability Pillar. If you have questions or comments, please connect with me on LinkedIn here.