Cloud Security Policy Set: Ensure Cloud Logging and Monitoring Is Setup The Right Way

Enabling logging for your cloud resources is a critical piece of cloud security, and is often required to meet many governance and compliance regulations. There are many benefits to turning on logging for your cloud resources. Logs can be used for both proactive and reactive security measures. In addition, logs can be a source for enhanced monitoring data.

Here are a few ways you can use logging and monitoring for your cloud resources:  

  • Proactive monitoring. Your teams can monitor logs in real time to detect unauthorized access attempts and generate alerts or take action to isolate resources. Cloud-native monitoring and metric tools can analyze incoming log files to spot malicious activity.  
  • Incident response. After a security incident, you can review logs for forensics. Resource audit logs will typically show the attacker's IP/source address, what resources or objects they were accessing, whether the request was allowed or denied, the date/time of the incident, and some additional resource-specific details. There will be many questions after a security incident, and logs will help you answer a lot of them. If resource logging is not turned on and a security incident occurs, you will be in the dark as to what happened, what data might have been exposed, and how a similar attack can be prevented in the future.
  • Troubleshooting resource connection issues. Resource logs can be a great tool for troubleshooting connectivity issues. These logs show whether a connection is being allowed, denied, or not arriving at all.

Every organization should have a comprehensive set of security or operational policies that ensure logs are collected and monitored, and that the right retention periods are set in order to meet budgetary and compliance needs. 

Cloud Custodian is an open source governance-as-code tool that makes it easy to implement security and operational policies, including policies that ensure logging is turned on for your organization's cloud resources. With a few simple Cloud Custodian policies, you can quickly bring your organization's cloud estate into compliance. 

Cloud Custodian policies are expressed in YAML. Each policy names a type of resource to run against, filters that narrow down the set of resources, and actions to take on the resources that pass the filters. 

The example policies provided below are a great way to get started. Each one is a complete policy file: save it, check it with `custodian validate`, and run it with `custodian run --dryrun` first to see which resources it would act on before letting it make changes.

Using CloudWatch logs and metrics is an easy way to take your monitoring capabilities to a whole new level with rich data queries, dashboards, and customizable alarms.

Set Retention on CloudWatch Log Groups

policies:
  - name: aws-cloudwatch-log-group-no-retention
    resource: aws.log-group
    description: |
      This policy will identify AWS CloudWatch Log Groups which have no retention
      period set, and enable retention. Setting a log group retention period helps
      save on costs by removing old logs and helps you meet organization data
      retention standards.
    filters:
      - or:
          - "retentionInDays": absent
          - "retentionInDays": null
    actions:
      - type: retention
        days: 90


GCP Check Logging On DNS Policies

policies:
  - name: gcp-dns-policies-logging-disabled
    description: |
      This policy will find GCP DNS policies which do not have
      logging enabled. Per security best practices, logging should
      be enabled on all used and supported services.
    resource: gcp.dns-policy
    filters:
      - type: value
        key: enableLogging
        value: false


Azure Check Logging On Storage Tables

policies:
  - name: storage-tables-not-logging
    description: |
      This policy will identify storage tables which do not have
      logging enabled. Per security best practices, logging should
      be enabled on all used and supported services.
    resource: azure.storage
    filters:
      - type: storage-diagnostic-settings
        storage-type: table
        # flag to compare; logging.write and logging.delete can be checked the same way
        key: logging.read
        op: eq
        value: false

Enable CloudWatch Logs for CloudTrail

policies:
  - name: cloudtrail-enable-logging
    resource: aws.cloudtrail
    description: |
      This policy will identify CloudTrail Trails that are not currently set up for
      CloudWatch Logs integration. Per AWS security best practices, CloudTrail should
      be logging to CloudWatch Logs to enable real-time and historic logging of all
      events. This allows setting up alarms based on user API activity.
    filters:
      # the status filter reports whether the trail is currently recording events
      - type: status
        key: IsLogging
        value: False
    actions:
      - type: set-logging
        enabled: True

Enable CloudFront Distribution Logs

policies:
  - name: cloudfront-enable-logging
    resource: aws.distribution
    description: |
      Identifies CloudFront Distributions which do not have logging enabled.
      The policy will then enable logging.
    filters:
      - type: distribution-config
        key: Logging.Enabled
        value: false
    actions:
      - type: set-attributes
        attributes:
          Comment: "Logging Enabled By Cloud Custodian"
          Enabled: true
          Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: "{account_id}-{region}-s3-logs.s3.amazonaws.com"
            Prefix: 'CloudFrontLogs'
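To see which resources the policies above would actually act on, here is an added example (not from this post or from the Cloud Custodian code base) that reimplements the filter shapes used by the log-group policy and the CloudFront policy and runs them over constructed API records. Cloud Custodian itself resolves keys with jmespath, and the CloudFront policy's distribution-config filter fetches the distribution configuration before comparing; this simplified evaluator uses a dotted-path lookup and plain equality.

```python
# Added example: a minimal evaluator for or-blocks, `type: value` filters and the
# `{key: value}` shorthand (with the special values absent/present/null).
MISSING = object()  # sentinel: the key is not present on the resource at all

# Constructed records shaped like describe-log-groups / CloudFront config output.
LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30},
    {"logGroupName": "/aws/lambda/billing"},                   # key absent
    {"logGroupName": "/app/audit", "retentionInDays": None},   # explicit null
]
DISTRIBUTIONS = [
    {"Id": "E1", "Logging": {"Enabled": True, "Bucket": "logs-a.s3.amazonaws.com"}},
    {"Id": "E2", "Logging": {"Enabled": False}},
]

def lookup(resource, key):
    """Resolve a dotted key such as Logging.Enabled; MISSING if any part is absent."""
    cur = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur

def matches(resource, flt):
    """Evaluate one filter mapping against one resource record."""
    if "or" in flt:
        return any(matches(resource, f) for f in flt["or"])
    if "and" in flt:
        return all(matches(resource, f) for f in flt["and"])
    if flt.get("type") == "value":
        key, value = flt["key"], flt.get("value")
    else:  # shorthand form: a single-entry mapping, e.g. {"retentionInDays": "absent"}
        (key, value), = flt.items()
    actual = lookup(resource, key)
    if value == "absent":
        return actual is MISSING
    if value == "present":
        return actual is not MISSING
    return actual is not MISSING and actual == value  # value None matches an explicit null

def select(resources, filters):
    """Policy filters are ANDed: a resource is acted on only if every filter matches."""
    return [r for r in resources if all(matches(r, f) for f in filters)]

# Filters lifted from the log-group and CloudFront policies above.
LOG_GROUP_FILTERS = [{"or": [{"retentionInDays": "absent"}, {"retentionInDays": None}]}]
DISTRIBUTION_FILTERS = [{"type": "value", "key": "Logging.Enabled", "value": False}]
```

`select(LOG_GROUPS, LOG_GROUP_FILTERS)` returns the billing and audit groups (absent and null retention respectively), and `select(DISTRIBUTIONS, DISTRIBUTION_FILTERS)` returns only E2.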

Enabling Logs for Elastic Load Balancers

policies:
  - name: app-elb-enable-logging
    resource: aws.app-elb
    description: |
      Identifies Application ELBs which do not have logging enabled and then
      the policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: set-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "APP_ELB_LOGS"
        state: enabled

  - name: elb-enable-logging
    resource: aws.elb
    description: |
      Identifies Classic ELBs which do not have logging enabled and then
      the policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "ELB_LOGS"
        emit_interval: 60

Enabling VPC Flow Logs

policies:
  - name: vpc-flow-logs-enable-logging
    resource: aws.vpc
    description: |
      Identify VPCs which don't have flow logs set up and enable them. Flow logs
      should be enabled and monitored for suspicious or unauthorized activities.
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        # placeholder: replace with the ARN of an IAM role that can publish to the log group
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/

How do you ensure your cloud resource logs are set up properly? If you could use some help, you can get started with Cloud Custodian here.