Are you monitoring Security Group changes? If not, know how

CloudWatch-Alarm-for-Security-Group-Changes

Security Group is the firewall of your cloud infrastructure. It provides security to your instances, applications and resources at protocol and port access levels. You can define the security rules to control the traffic of your VPC and change them at any point in time. Updated rules will be applied to all the instances with which this security group is associated.

Basics of Security groups:

  1. You can create a limited number of security groups in a VPC with a limited set of rules in a security group.
  2. Only Deny rule cannot be specified by you. However, allow rules can be.
  3. You can specify inbound and outbound traffic.
  4. When you create a security group, it contains only outbound rules which allow all the outbound traffic.
  5. And security groups are stateful- means if you send a request from your instance, the response traffic for that request can flow in regardless of inbound security group rules.

Any intentional or unintentional change in the rules or adding a hostile IP address to your security group can be a security catastrophe. With so much at risk, it becomes important to keep track of security group changes.

How you can keep track of security group changes with minimal effort?

You can use AWS CloudTrail and CloudWatch events for monitoring and identifying API call that changes the configuration of the security group in your VPC. It becomes easier to identify the potential security threat in real-time.

CloudTrail keeps a check on the changes and registers them in a log and store that log into your S3 bucket. It also delivers this log to CloudWatch. CloudWatch matches that change with a filter that you have applied. If CloudWatch finds any change, it will trigger an alarm and send it to SNS (Simple Notification Service), else won’t trigger. As soon as SNS receive the alarm it notifies you on SMS or with the help of an e-mail.

How Centilytics helps you resolve this problem?

Centilytics ensures that a CloudWatch alarm and CloudTrail should be created into your AWS Account. This will ensure that if any security group configuration change is made you will be notified. This practice of implementing CloudWatch alarms for monitoring any configuration changes in the security group can prevent unexpected modification that may lead to hazardous effects.

Insight Description:

OK
 Ok: CloudTrail has CloudWatch logs groups configured with metric filter, alarm, SNS topic with at least one subscriber.
Warning
Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.
Critical
Critical: Delivery to CloudWatch logs not configured.

 

Description of further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account ID

Account Name: Shows the account name corresponding to the user’s account.

Account Name

Region: This column shows the region of your instance where it has been used.

Region

Identifier: Shows you the service with its trail name.

Identifier

Log Group Name: It represents the name of the group which has permission to use the service.

Log Group Name

Metric Filter Name: Shows you the name that you have given to the metric filter.

Metric Filter Name

Alarm Name: Shows you the name of the alarm which you have assigned.

Alarm Name

SNS Topic Name: SNS refers to the Simple Notification Service group. A group of individuals who receive the alert message.

SNS Topic Name

Custom Severity Description: Shows the severity of your metric filter and its functions’ custom description.

Custom Severity Discription-Virtual Private Network Alarm

Filters Applicable:

Filter Name Description
Account Id Applying account Id filter will display all the public snapshots for the selected account Id.
Region Applying the region filter will display all the public snapshots corresponding to the selected region.
Severity Applying severity filter will display public snapshots according to the selected severity type i.e. selecting critical will display all instances with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags Applying resource tags filter will display those public snapshots which have been assigned the selected resource tag. For e.g., If a user has tagged some public snapshots by a resource tag named environment, then selecting an environment from the resource tags filter will display all those snapshots.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Hence, the user can view data of all the resources which are tagged as “environment: production”. The user can use the tag value filter only when a tag name has been provided.
Compliance Applying Compliance filter, you can further refine your security and health checks.

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here