With the launch of the new free trial of Threat Stack Audit, our cloud security configuration auditing product, we wanted to share some tips on how to quickly assess how well your AWS environment is configured. So, let's get started.
What is a Cloud Security Baseline?
The phrase is bandied about a lot, so let’s get to it: what is a security baseline?
One of the problems that many organizations run into, especially when they are starting out in cloud security, is not knowing where to start and not having specific data to help them define and improve the status of their cloud security.
That’s where a baseline proves critical. CERN Computer Security defines a security baseline as “a set of basic security objectives which must be met by any given service or system.”
If you put this in the context of cloud security, a baseline will show you how closely a snapshot of your current cloud environment conforms to industry best practices and benchmarks.
This sounds a bit academic, so let’s get down to specifics by taking a look at the new product and free trial we are offering to help you establish and maintain a baseline — Threat Stack Audit.
How Do You Establish a Baseline for Your Organization?
Any cloud environment, no matter what its maturity level, is complex, and without an automated means of managing it, it can be difficult or impossible to gather and act on pertinent information.
To help you create your organization’s baseline and use it to improve your cloud security, Threat Stack has built the following capabilities:
- Configuration Auditing. This new feature of the Threat Stack Cloud Security Platform® (CSP) enables AWS customers to establish an accurate baseline of security across their AWS infrastructure. Threat Stack Audit scans account configurations and compares them to AWS best practices and to policies drawn from Center for Internet Security (CIS) benchmarks.
- CloudTrail Alerting. This feature alerts you automatically to changes to your instances, security groups, S3 buckets, access keys, and other parts of your AWS infrastructure that could represent a threat or lead to non-compliance.
With the Audit package, you receive an assessment score immediately, along with clear guidance on improvements. It covers EC2, IAM, RDS, and S3 configurations, plus CloudTrail alerting. After the initial scan, you can schedule automated daily scans.
How Does Configuration Auditing Work?
Whether you’re a seasoned security professional or an operations engineer who has been tasked with cloud security, Threat Stack Audit assesses your AWS configurations and provides recommendations on how to enhance your AWS environment by enabling you to:
- Audit your AWS configuration for violations.
- View a summary of violations.
- View details of each violation.
- Suppress specific resources from further configuration checks.
Once the first scan is complete, as shown below, you will immediately see what percent of each resource type does not comply with security best practices as well as an overall score for your AWS environment:
Each policy shows how many resources passed and failed the policy and provides access to a full description of the policy, the rationale for the policy, recommended remediation for violations, and a link to the CIS benchmark that is the source of the policy:
For each resource type that has violations, you can drill in to see which resources are not compliant, and either remediate or suppress the violation:
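To make the mechanics of a configuration audit concrete, here is a small added example (illustrative code, not Threat Stack's implementation). It evaluates a constructed AWS snapshot against three CIS-style policies, supports suppressing a specific resource from a policy, and reports the per-policy pass/fail counts, the percentage of each resource type that is non-compliant, and an overall score. All resource names and IDs are hypothetical.

```python
"""Toy configuration audit over a point-in-time AWS snapshot.

Added illustration, not Threat Stack's code: it evaluates a constructed
snapshot against a few CIS-style policies, supports suppressing individual
resources, and reports per-policy pass/fail counts, the percentage of each
resource type that fails, and an overall score.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample snapshot, shaped like trimmed boto3 describe_* output.
# Hypothetical resource names and IDs; not real account data.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        # IpProtocol "-1" means all traffic; EC2 omits FromPort/ToPort here.
        {"GroupId": "sg-0c3", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "iam_users": [
        {"UserName": "alice", "PasswordEnabled": True, "MfaActive": True},
        {"UserName": "bob", "PasswordEnabled": True, "MfaActive": False},
        {"UserName": "deploy-bot", "PasswordEnabled": False, "MfaActive": False},
    ],
    "s3_buckets": [
        {"Name": "app-logs", "PublicRead": False},
        {"Name": "www-assets", "PublicRead": True},
    ],
}


def _covers_port(perm: dict, port: int) -> bool:
    """True if a permission entry includes `port` (all-protocol rules cover everything)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _world_reachable(perm: dict) -> bool:
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


@dataclass
class Policy:
    name: str
    resource_type: str                # key into the snapshot
    id_key: str                       # field naming the resource in reports
    applies: Callable[[dict], bool]   # scope filter (e.g. only console users)
    passes: Callable[[dict], bool]    # the compliance check itself
    remediation: str


POLICIES: List[Policy] = [
    Policy("no-world-ssh", "security_groups", "GroupId",
           applies=lambda sg: True,
           passes=lambda sg: not any(_world_reachable(p) and _covers_port(p, 22)
                                     for p in sg["IpPermissions"]),
           remediation="Restrict port 22 ingress to known CIDRs or a bastion."),
    Policy("console-users-have-mfa", "iam_users", "UserName",
           applies=lambda u: u["PasswordEnabled"],
           passes=lambda u: u["MfaActive"],
           remediation="Enable an MFA device for every user with a console password."),
    Policy("no-public-read-buckets", "s3_buckets", "Name",
           applies=lambda b: True,
           passes=lambda b: not b["PublicRead"],
           remediation="Remove public-read ACLs and enable Block Public Access."),
]


@dataclass
class PolicyResult:
    passed: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)


def audit(snapshot: dict, policies: List[Policy],
          suppressed: Set[Tuple[str, str]] = frozenset()
          ) -> Tuple[Dict[str, PolicyResult], Dict[str, float], float]:
    """Evaluate every in-scope resource against every policy.

    `suppressed` holds (policy name, resource id) pairs to skip, which is the
    "suppress this resource" action from the UI. Returns per-policy results,
    the percentage of evaluations per resource type that failed, and an
    overall score (percentage of all evaluations that passed).
    """
    per_policy: Dict[str, PolicyResult] = {}
    evaluated: Counter = Counter()
    failed: Counter = Counter()
    for pol in policies:
        result = PolicyResult()
        for resource in snapshot.get(pol.resource_type, []):
            rid = resource[pol.id_key]
            if not pol.applies(resource) or (pol.name, rid) in suppressed:
                continue
            (result.passed if pol.passes(resource) else result.failed).append(rid)
        per_policy[pol.name] = result
        evaluated[pol.resource_type] += len(result.passed) + len(result.failed)
        failed[pol.resource_type] += len(result.failed)
    fail_pct = {t: round(100.0 * failed[t] / n, 1) for t, n in evaluated.items() if n}
    total = sum(evaluated.values())
    score = round(100.0 * (total - sum(failed.values())) / total, 1) if total else 100.0
    return per_policy, fail_pct, score


if __name__ == "__main__":
    results, fail_pct, score = audit(SNAPSHOT, POLICIES)
    print(f"Overall score: {score}%")
    for rtype, pct in fail_pct.items():
        print(f"  {rtype}: {pct}% of evaluations non-compliant")
    for pol in POLICIES:
        r = results[pol.name]
        print(f"{pol.name}: {len(r.passed)} passed, {len(r.failed)} failed")
        for rid in r.failed:
            print(f"    {rid} -> {pol.remediation}")
```

Two details worth noting: the IAM policy uses a scope filter so that programmatic-only users are not counted against the MFA check (a common source of false positives), and the all-traffic security group rule (IpProtocol "-1") carries no port fields, so a naive port comparison would miss it. Suppressing a resource removes it from the denominator as well as the numerator, which is why suppressing sg-0c3 raises the score rather than only hiding one finding.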
How Does CloudTrail Alerting Work?
Once you have established a baseline using Configuration Audit, the CloudTrail alerting capability will let you know when there is suspicious activity or activity that could result in non-compliance.
As shown below, CloudTrail alerting comes with 24 rules designed to detect suspicious activity in your AWS environment:
When a rule is triggered, an alert will be generated similar to the following:
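To show what rule-based CloudTrail alerting looks like under the hood, here is an added example (illustrative code, not Threat Stack's 24 rules or alert format). Five detection rules run over constructed CloudTrail-style records covering the kinds of change mentioned above: a security group opened to the world, a new access key, CloudTrail logging being stopped, and a console login by the root account without MFA. Account IDs, ARNs, IPs and timestamps are hypothetical.

```python
"""Rule-based alerting over CloudTrail events.

Added illustration, not Threat Stack's rule set: a handful of detection rules
run over constructed CloudTrail-style records and emit alerts carrying the
actor, source IP and event that fired them.
"""
from typing import Dict, List

# Constructed CloudTrail-style records, trimmed to the fields the rules use.
# Account ID, ARNs, IPs and names are hypothetical.
EVENTS: List[dict] = [
    {"eventTime": "2017-10-03T14:01:22Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-10-03T14:02:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0b2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2017-10-03T14:05:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2017-10-03T14:09:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2017-10-03T14:12:55Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-10-03T14:13:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/ci"},
     "requestParameters": {}},
]


def _ingress_from_anywhere(event: dict) -> bool:
    """AuthorizeSecurityGroupIngress granting access from 0.0.0.0/0 or ::/0."""
    if event["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


# (rule name, severity, predicate). Each predicate inspects a single event.
RULES: List[tuple] = [
    ("security-group-opened-to-world", "high", _ingress_from_anywhere),
    ("iam-access-key-created", "medium",
     lambda e: e["eventName"] == "CreateAccessKey"),
    ("cloudtrail-logging-disabled", "high",
     lambda e: e["eventSource"] == "cloudtrail.amazonaws.com"
     and e["eventName"] in {"StopLogging", "DeleteTrail"}),
    ("console-login-without-mfa", "high",
     lambda e: e["eventName"] == "ConsoleLogin"
     and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
     and e.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("root-account-activity", "high",
     lambda e: e["userIdentity"].get("type") == "Root"),
]


def evaluate(events: List[dict], rules=RULES) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) match."""
    alerts = []
    for event in events:
        for name, severity, matches in rules:
            if matches(event):
                alerts.append({
                    "rule": name,
                    "severity": severity,
                    "time": event.get("eventTime", ""),
                    "actor": event["userIdentity"].get("arn", "unknown"),
                    "source_ip": event.get("sourceIPAddress", ""),
                    "event": event["eventName"],
                })
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['rule']}: {a['actor']} "
              f"called {a['event']} from {a['source_ip']}")
```

The second security group event is deliberately benign (HTTPS from an internal range) so the example shows the rule discriminating rather than firing on every ingress change, and the root console login trips two rules at once, which is the behaviour you want: each rule carries its own rationale, and an analyst should see both. In practice these records arrive via CloudTrail delivery to S3 or CloudWatch Logs rather than an in-memory list, and StopLogging in particular should be treated as a possible attempt to blind the very audit trail the rules depend on.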