
PROTESTING Test 1

Enabling logging for your cloud resources is a critical piece of cloud security, and is often required to meet many governance and compliance regulations. There are many benefits to turning on logging for your cloud resources. Logs can be used for both proactive and reactive security measures. In addition, logs can be a source for enhanced monitoring data.

Here are a few ways you can use logging and monitoring for your cloud resources:

  • Proactive monitoring. Your teams can proactively monitor logs in real time to detect unauthorized access attempts and generate alerts or take action to isolate resources. You can use cloud native monitoring and metric tools to analyze incoming log files to spot malicious activities.
  • Incident response. After a security incident, you can review logs for forensics. Resource audit logs will typically show the attacker’s IP/source address, which resources or objects they tried to access and whether each attempt succeeded or was denied, the date/time of the incident, and some additional resource-specific details. There will be many questions after a security incident, and logs will help you answer a lot of them. If resource logging is not turned on and a security incident occurs, you will be in the dark as to what happened, what data might have been exposed, and how a similar attack can be prevented in the future.
  • Troubleshooting resource connection issues. Resource logs can be a great tool for troubleshooting connectivity issues. These logs can be used to see if a connection is getting allowed, denied, or not coming through at all.

Every organization should have a comprehensive set of security or operational policies that ensure logs are collected and monitored, and that the right retention periods are set in order to meet budgetary and compliance needs.

Cloud Custodian is an open source governance-as-code solution that makes it easy to implement security and operational policies. The solution enables you to ensure logging is turned on for your organization’s cloud resources. With a few simple Cloud Custodian policies, you can quickly bring your organization’s cloud estate into compliance.

Cloud Custodian policies are expressed in YAML and specify a type of resource to run the policy against, filters to narrow down the set of resources, and actions to take on the filtered set of resources.

The example policies provided below are a great way to get started.

Using CloudWatch logs and metrics is an easy way to take your monitoring capabilities to a whole new level with rich data queries, dashboards, and customizable alarms.

```yaml
policies:
  - name: aws-cloudwatch-log-group-no-retention
    resource: aws.log-group
    description: |
      This policy will identify AWS CloudWatch Log Groups which have no retention period set, and enable retention. Setting a log group retention period helps save on costs by removing old logs and helps you meet organization data retention standards.
    filters:
      - or:
          - "retentionInDays": absent
          - "retentionInDays": null
    actions:
      - type: retention
        days: 90
```

GCP Check Logging On DNS Policies

```yaml
policies:
  - name: gcp-dns-policies-logging-disabled
    description: |
      This policy will find GCP DNS policies which do not have
      logging enabled. Per security best practices, logging should
      be enabled on all used and supported services.
    resource: gcp.dns-policy
    filters:
      - type: value
        key: enableLogging
        value: false
```

Azure Check Logging On Storage Tables

```yaml
policies:
  - name: storage-tables-not-logging
    description: |
      This policy will identify storage tables which do not have
      logging enabled. Per security best practices, logging should
      be enabled on all used and supported services.
    resource: azure.storage
    filters:
      - type: storage-diagnostic-settings
        storage-type: table
```

Enable CloudWatch Logs for CloudTrail

```yaml
policies:
  - name: cloudtrail-enable-logging
    resource: aws.cloudtrail
    description: |
      This policy will identify CloudTrail Trails that are not currently set up for CloudWatch Logs integration. Per AWS security best practices, CloudTrail should be logging to CloudWatch Logs to enable real-time and historic logging of all events. This allows setting up alarms based on user API activity.
    filters:
      - type: status
        key: IsLogging
        value: False
    actions:
      - type: set-logging
        enabled: True
```

Enable CloudFront Distribution Logs

```yaml
policies:
  - name: cloudfront-enable-logging
    resource: aws.distribution
    description: |
      Identifies CloudFront Distributions which do not have logging enabled. The policy will then enable logging.
    filters:
      - type: distribution-config
        key: Logging.Enabled
        value: false
    actions:
      - type: set-attributes
        attributes:
          Comment: "Logging Enabled By Cloud Custodian"
          Enabled: true
          Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: "{account_id}-{region}-s3-logs.s3.amazonaws.com"
            Prefix: "CloudFrontLogs"
```
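The policies above all follow the resource / filters / actions shape described earlier, and the interesting part for a reviewer is how the `filters` section decides which resources get acted on. The following added example (not Cloud Custodian's own code, and a deliberately reduced model of its value-filter semantics) evaluates the filters from the log-group retention policy and the CloudFront logging policy against constructed sample records. It assumes, as the real filter does, that a missing key and an explicit `null` both resolve to `None`, which is why the `absent` and `null` branches of the `or` match the same log groups; the sample log group names and distribution ids are made up.

```python
"""Minimal evaluator for Cloud Custodian style filters.

Added illustration (not Cloud Custodian's own code) of how a policy's
``filters`` section narrows a resource set. It supports the ``type: value``
filter, the ``{key: value}`` shorthand, ``or``/``and`` blocks, the special
values ``absent`` and ``present``, and dotted key paths such as
``Logging.Enabled``. All resource records below are constructed samples.
"""
from typing import Any, Dict, List

Resource = Dict[str, Any]

# Constructed sample CloudWatch log groups, shaped like DescribeLogGroups output.
LOG_GROUPS: List[Resource] = [
    {"logGroupName": "/aws/lambda/orders", "retentionInDays": 30},
    {"logGroupName": "/aws/lambda/payments"},               # key missing
    {"logGroupName": "/app/web", "retentionInDays": None},  # explicit null
]

# Constructed sample CloudFront distributions, a subset of DistributionConfig.
DISTRIBUTIONS: List[Resource] = [
    {"Id": "DIST1", "Logging": {"Enabled": True, "Bucket": "logs.s3.amazonaws.com"}},
    {"Id": "DIST2", "Logging": {"Enabled": False}},
    {"Id": "DIST3"},                                        # no Logging block at all
]

# The filters from the two policies, as PyYAML would load them
# (YAML ``null`` becomes None, ``false`` becomes False).
NO_RETENTION_FILTERS = [{"or": [{"retentionInDays": "absent"},
                                {"retentionInDays": None}]}]
NO_CF_LOGGING_FILTERS = [{"type": "value", "key": "Logging.Enabled", "value": False}]


def lookup(resource: Resource, key: str) -> Any:
    """Walk a dotted key path; a missing hop yields None, just like a null value."""
    current: Any = resource
    for part in key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def match_value(resource: Resource, key: str, value: Any) -> bool:
    """Single key/value comparison with the ``absent``/``present`` special values."""
    found = lookup(resource, key)
    if value == "absent":
        return found is None
    if value == "present":
        return found is not None
    return found == value


def match(resource: Resource, filt: Dict[str, Any]) -> bool:
    """Evaluate one filter entry; ``or``/``and`` recurse, everything else is a value filter."""
    if "or" in filt:
        return any(match(resource, f) for f in filt["or"])
    if "and" in filt:
        return all(match(resource, f) for f in filt["and"])
    if filt.get("type") == "value":
        return match_value(resource, filt["key"], filt["value"])
    (key, value), = filt.items()  # shorthand form: {key: value}
    return match_value(resource, key, value)


def apply_filters(resources: List[Resource], filters: List[Dict[str, Any]]) -> List[Resource]:
    """Top-level filters are ANDed: a resource survives only if every filter matches."""
    return [r for r in resources if all(match(r, f) for f in filters)]


def log_groups_without_retention() -> List[str]:
    return [r["logGroupName"] for r in apply_filters(LOG_GROUPS, NO_RETENTION_FILTERS)]


def distributions_without_logging() -> List[str]:
    return [r["Id"] for r in apply_filters(DISTRIBUTIONS, NO_CF_LOGGING_FILTERS)]


if __name__ == "__main__":
    print("log groups needing retention:", log_groups_without_retention())
    print("distributions needing logging:", distributions_without_logging())
```

Note what the CloudFront filter does with `DIST3`, which has no `Logging` block at all: `value: false` does not match it, because a missing path resolves to `None` rather than `False`. If your inventory can contain such records, an `or` with an `absent` branch, as in the log-group policy, is the way to catch them. Against real accounts, run the actual policy files with `custodian validate policy.yml` and then `custodian run --dryrun -s out policy.yml` to see which resources would be selected before any action is taken.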

Enabling Logs for Elastic Load Balancers

```yaml
policies:
  - name: app-elb-enable-logging
    resource: aws.app-elb
    description: |
      Identifies Application ELBs which do not have logging enabled and then the policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: set-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "APP_ELB_LOGS"
        state: enabled

  - name: elb-enable-logging
    resource: aws.elb
    description: |
      Identifies Classic ELBs which do not have logging enabled and then the policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "ELB_LOGS"
        emit_interval: 60
```

Enabling VPC Flow Logs

```yaml
policies:
  - name: vpc-flow-logs-enable-logging
    resource: aws.vpc
    description: |
      Identify VPCs which don't have flow logs set up and enable them. Flow logs should be enabled and monitored for suspicious or unauthorized activities.
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        # Placeholder from the original post: replace with the ARN of an IAM role
        # that the VPC Flow Logs service may assume to write to CloudWatch Logs.
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/
```
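Turning flow logs on is only half of the recommendation above; the other half is monitoring them. The following added example (not part of the post or of Cloud Custodian) parses records in the default version-2 VPC Flow Log format that would land in the log group the policy creates, and summarises rejected flows per source address, which is the first cut both for the "is this connection being denied?" troubleshooting question and for spotting probing. The log lines, account id, interface id and addresses are all constructed sample values (TEST-NET ranges), not captured data.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and summarise rejects.

Added example, not part of the post or of Cloud Custodian. Once the policy
above has turned flow logs on, lines like these appear in the CloudWatch log
group; the sample records below are constructed, not captured from a real VPC.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records: three rejects from one source, one accept, one
# NODATA record (no traffic in the window) and one malformed line.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 10.0.1.5 49152 22 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 10.0.1.5 49153 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.1.5 51000 443 6 10 840 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
2 123456789010 eni-1235b8ca123456789 203.0.113.12 10.0.1.5 49154 445 6 20 4249 1418530010 1418530070 REJECT OK
this line is not a flow log record
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: Optional[int]
    action: str
    log_status: str


def parse_line(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line; None for lines this parser does not understand."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # malformed, or a custom-format line with a different field set
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" in the traffic fields; keep them, without a port.
    dstport = int(rec["dstport"]) if rec["dstport"].isdigit() else None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], dstport, rec["action"], rec["log_status"])


def parse_log(text: str) -> List[FlowRecord]:
    """Parse a whole log, silently skipping lines that parse_line rejects."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def rejects_by_source(records: List[FlowRecord]) -> Dict[str, int]:
    """Count REJECTed flows per source address."""
    return dict(Counter(r.srcaddr for r in records if r.action == "REJECT"))


def rejected_ports(records: List[FlowRecord], srcaddr: str) -> List[int]:
    """Distinct destination ports a given source was denied on, sorted."""
    return sorted({r.dstport for r in records
                   if r.action == "REJECT" and r.srcaddr == srcaddr and r.dstport is not None})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, count in rejects_by_source(recs).items():
        print(f"{src}: {count} rejected flows on ports {rejected_ports(recs, src)}")
```

The same counting is what a CloudWatch Logs metric filter on `REJECT` would give you as a metric to alarm on; doing it in a script first, on a few exported lines, is a cheap way to confirm the fields are where you expect before you build the alarm. Note the parser deliberately keeps `NODATA` records and drops only lines with the wrong field count, so a switch to a custom flow log format would show up as everything being skipped rather than as misattributed fields.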

How do you ensure your cloud resource logs are set up properly? If you could use some help, you can get started with Cloud Custodian here.


Categories

  • Cloud Security
  • Cybersecurity
  • Cybersecurity Awareness Month 2021