Get demo
    Get demo

    hero-jobbies-7

    Cloud Security Policy Set: Ensure Cloud Logging and Monitoring Is Setup The Right Way

    10/29/21 1:47 PM | Jamison Roberts

     

    PROTESTING Test 1

    Enabling logging for your cloud resources is a critical piece of cloud security, and is often required to meet many governance and compliance regulations. There are many benefits to turning on logging for your cloud resources. Logs can be used for both proactive and reactive security measures. In addition, logs can be a source for enhanced monitoring data.

    Here are a few ways you can use logging and monitoring for your cloud resources:  

    • Proactive monitoring. Your teams can proactively monitor logs in real time to detect unauthorized access attempts and generate alerts or take action to isolate resources. You can use cloud native monitoring and metric tools to analyze incoming log files to spot malicious activities.  
    • Incident response. After a security incident, you can review logs for forensics. Resource audit logs will typically show the attacker’s IP/source address, what resource/objects they were accessing if they were successful or were denied, the date/time of the incident, and some additional resource-specific details. There will be many questions after a security incident and logs will help you answer a lot of them. If resource logging is not turned on and a security incident occurs, you will be in the dark as to what happened, what data might have been exposed, and how a similar attack can be prevented in the future.
    • Troubleshooting resource connection issues. Resource logs can be a great tool for troubleshooting connectivity issues. These logs can be used to see if a connection is getting allowed, denied, or not coming through at all.

     

    Every organization should have a comprehensive set of security or operational policies that ensure logs are collected and monitored, and that the right retention periods are set in order to meet budgetary and compliance needs. 

    Cloud Custodian is an open source cloud governance as code solution that makes it easy to implement security and operational policies. The solution enables you to ensure logging is turned on for your organization’s cloud resources. With a few simple Cloud Custodian policies, you can quickly bring your organization's cloud estate into compliance. 

    Cloud Custodian policies are expressed in YAML and specify a type of resource to run the policy against, filters to narrow down the set of resources, and actions to take on the filtered set of resources. 

    The example policies provided below are a great way to get started.

    Using CloudWatch logs and metrics is an easy way to take your monitoring capabilities to a whole new level with rich data queries, dashboards, and customizable alarms.

    - name: aws-cloudwatch-log-group-no-retention
      resource: aws.log-group
      description: |
     This policy will identify AWS CloudWatch Log Groups which have no retention period set, and enable retention. Setting a log group retention period helps save on costs by removing old logs and helps you meet organization data retention standards.
      filters:
        - or:
          - "retentionInDays": absent
          - "retentionInDays": null
      actions:
        - type: retention
          days: 90


    GCP Check Logging On DNS Policies

    - name: gcp-dns-policies-logging-disabled
      description: |
        This policy will find GCP DNS policies which do not have
        logging enabled. Per security best practices, logging should
        be enabled on all used and supported services.
      resource: gcp.dns-policy
      filters:
            - type: value
              key: enableLogging
              value: false


    Azure Check Logging On Storage Tables

    - name: storage-tables-not-logging
      description: |
        This policy will identify storage tables which do not have
        logging enabled. Per security best practices, logging should
        be enabled on all used and supported services.
      resource: azure.storage
      filters:
           - type: storage-diagnostic-settings
             storage-type: table

    Enable Cloudwatch Logs for CloudTrail

    - name: cloudtrail-enable-logging
      resource: aws.cloudtrail
      description: |
     This policy will identify CloudTrail Trails that are not currently setup for CloudWatch     Logs integration. Per AWS  security best practices, CloudTrail should be logging to CloudWatch Logs to enable real-time and historic logging of all events. This allows setting up alarms based on

        user API activity.
      filters:
          - type: status
            key: IsLogging
            value: False
      actions:
          - type: set-logging
            enabled: True

    Enable CloudFront Distribution Logs

    - name: cloudfront-enable-logging
      resource: aws.distribution
      description: |
     Identifies CloudFront Distributions which do not have logging enabled. The policy will then enable logging.
      filters:
        - type: distribution-config
          key: Logging.Enabled
          value: false
      actions:
        - type: set-attributes
          attributes:
            Comment: "Logging Enabled By Cloud Custodian"
            Enabled: true
            Logging:
               Enabled: true
               IncludeCookies: false
               Bucket: "{account_id}-{region}-s3-logs.s3.amazonaws.com"
               Prefix: 'CloudFrontLogs'

    Enabling Logs for Elastic Load Balancers

    - name: app-elb-enable-logging
      resource: aws.app-elb
      description: |
         Identifies Application ELBs which do not have logging enabled and then the policy enables it.
      filters:
        - type: is-not-logging
      actions:
        - type: set-s3-logging
          bucket: "{account_id}-{region}-s3-logs"
          prefix: "APP_ELB_LOGS"
          state: enabled

    - name: elb-enable-logging
      resource: aws.elb
      description: |
         Identifies Classic ELBs which do not have logging  enabled and then the policy enables it.
      filters:
        - type: is-not-logging
      actions:
        - type: enable-s3-logging
          bucket: "{account_id}-{region}-s3-logs"
          prefix: "ELB_LOGS"
          emit_interval: 60

    Enabling VPC Flow Logs

    - name: vpc-flow-logs-enable-logging
      resource: aws.vpc
      description: |
    Identify VPCs which don't have flow logs set up and enable them. Flow logs should be enabled and monitored for suspicious or unauthorized activities.
      filters:
        - type: flow-logs
          enabled: false
      actions:
        - type: set-flow-log
          DeliverLogsPermissionArn: arn:iam:role
          LogGroupName: /custodian/vpc/flowlogs/

    How do you ensure your cloud resource logs are set up properly? If you can use help, you can get started with Cloud Custodian here. 

     

     


     
    Cloud Security, Cybersecurity, Cybersecurity Awareness Month 2021