Cloud Security Policy Set: Ensure Cloud Logging and Monitoring Is Setup The Right Way
Enabling logging for your cloud resources is a critical piece of cloud security, and is often required to meet many governance and compliance regulations. There are many benefits to turning on logging for your cloud resources. Logs can be used for both proactive and reactive security measures. In addition, logs can be a source for enhanced monitoring data.
Here are a few ways you can use logging and monitoring for your cloud resources:
- Proactive monitoring. Your teams can proactively monitor logs in real time to detect unauthorized access attempts and generate alerts or take action to isolate resources. You can use cloud native monitoring and metric tools to analyze incoming log files to spot malicious activities.
- Incident response. After a security incident, you can review logs for forensics. Resource audit logs will typically show the attacker’s IP/source address, which resources/objects they were accessing, whether the access was successful or denied, the date/time of the incident, and some additional resource-specific details. There will be many questions after a security incident, and logs will help you answer a lot of them. If resource logging is not turned on and a security incident occurs, you will be in the dark as to what happened, what data might have been exposed, and how a similar attack can be prevented in the future.
- Troubleshooting resource connection issues. Resource logs can be a great tool for troubleshooting connectivity issues. These logs can be used to see if a connection is getting allowed, denied, or not coming through at all.
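The incident-response bullet above lists what audit logs give you: source address, target resource, allowed/denied outcome and timestamp. The following added example (not code from the original post) runs that triage over constructed CloudTrail-style records, grouping activity by source IP so the denied calls that deserve a first look surface immediately. The event shape follows CloudTrail's record format; the sample values are made up.

```python
# Added example: per-source-IP triage of constructed CloudTrail-style records.
# Constructed sample events (not real account data). eventTime is ISO-8601 UTC,
# errorCode is present only on calls AWS denied or failed.
SAMPLE_EVENTS = [
    {"eventTime": "2021-10-05T14:02:11Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "finance-exports", "key": "q3.csv"}},
    {"eventTime": "2021-10-05T14:02:40Z", "eventName": "ListObjects", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "finance-exports"}},
    {"eventTime": "2021-10-05T14:03:02Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
    {"eventTime": "2021-10-05T14:10:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"}, "requestParameters": {}},
]


def describe_target(event):
    """Pull the most useful resource identifier out of requestParameters (S3 shown; '-' otherwise)."""
    params = event.get("requestParameters") or {}
    bucket, key = params.get("bucketName"), params.get("key")
    if bucket:
        return f"{bucket}/{key}" if key else bucket
    return "-"


def summarize_by_source(events):
    """Group records by source IP: first/last seen, principals used, denied and allowed calls."""
    summary = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ip = ev["sourceIPAddress"]
        entry = summary.setdefault(ip, {"first_seen": ev["eventTime"], "last_seen": ev["eventTime"],
                                        "principals": set(), "denied": [], "allowed": []})
        entry["last_seen"] = ev["eventTime"]
        entry["principals"].add(ev["userIdentity"]["arn"])
        outcome = "denied" if ev.get("errorCode") else "allowed"
        entry[outcome].append((ev["eventTime"], ev["eventName"], describe_target(ev)))
    return summary


def suspicious_sources(events, denied_threshold=2):
    """Source IPs with at least `denied_threshold` denied calls: the first thing to review."""
    by_ip = summarize_by_source(events)
    return sorted(ip for ip, e in by_ip.items() if len(e["denied"]) >= denied_threshold)


if __name__ == "__main__":
    for ip, e in summarize_by_source(SAMPLE_EVENTS).items():
        print(ip, e["first_seen"], e["last_seen"], len(e["denied"]), "denied", len(e["allowed"]), "allowed")
    print("review first:", suspicious_sources(SAMPLE_EVENTS))
```

The same grouping is what a CloudWatch Logs metric filter on `errorCode` would feed into an alarm; here it is done in plain Python so it can be run against an exported trail offline.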
Every organization should have a comprehensive set of security or operational policies that ensure logs are collected and monitored, and that the right retention periods are set in order to meet budgetary and compliance needs.
Cloud Custodian is an open source cloud governance as code solution that makes it easy to implement security and operational policies. The solution enables you to ensure logging is turned on for your organization’s cloud resources. With a few simple Cloud Custodian policies, you can quickly bring your organization’s cloud estate into compliance.
Cloud Custodian policies are expressed in YAML and specify a type of resource to run the policy against, filters to narrow down the set of resources, and actions to take on the filtered set of resources.
The example policies provided below are a great way to get started.
Using CloudWatch logs and metrics is an easy way to take your monitoring capabilities to a whole new level with rich data queries, dashboards, and customizable alarms.
```yaml
policies:
  - name: aws-cloudwatch-log-group-no-retention
    resource: aws.log-group
    description: |
      This policy will identify AWS CloudWatch Log Groups which have no retention
      period set, and enable retention. Setting a log group retention period helps
      save on costs by removing old logs and helps you meet organization data
      retention standards.
    filters:
      - or:
          - "retentionInDays": absent
          - "retentionInDays": null
    actions:
      - type: retention
        days: 90
```
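To make the filter semantics of the policy above concrete, here is an added example (not Cloud Custodian's own code) that re-implements, in simplified form, the shorthand `key: value` filter with its `absent`/`present`/`null` special values and the `or` block, then runs the retention policy's filters over constructed log-group descriptions. The policy is written as a Python dict with the same filters as the YAML; the sample log groups are made up.

```python
# Added example: simplified evaluation of the retention policy's filters (not c7n's own code).
def get_value(resource, key):
    """Resolve a dotted key ("a.b") against a resource dict; None if any part is missing."""
    cur = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_value(resource, key, value):
    """Shorthand value filter {key: value}: 'absent' matches a missing key, 'present' any
    set key, and null (None) matches a key that is missing or explicitly null."""
    actual = get_value(resource, key)
    if value == "absent":
        return actual is None
    if value == "present":
        return actual is not None
    return actual == value


def match_filter(resource, flt):
    """Evaluate one filter entry: an 'or'/'and' block or a shorthand {key: value}."""
    if "or" in flt:
        return any(match_filter(resource, f) for f in flt["or"])
    if "and" in flt:
        return all(match_filter(resource, f) for f in flt["and"])
    ((key, value),) = flt.items()
    return match_value(resource, key, value)


def select_resources(policy, resources):
    """Top-level filters are ANDed: a resource must pass every one to receive the actions."""
    return [r for r in resources if all(match_filter(r, f) for f in policy["filters"])]


# The retention policy from the page, as a dict (same filters as the YAML).
RETENTION_POLICY = {
    "name": "aws-cloudwatch-log-group-no-retention",
    "resource": "aws.log-group",
    "filters": [{"or": [{"retentionInDays": "absent"}, {"retentionInDays": None}]}],
    "actions": [{"type": "retention", "days": 90}],
}

# Constructed sample log groups (not real account data).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders"},                            # key missing entirely
    {"logGroupName": "/aws/lambda/billing", "retentionInDays": None},  # explicit null
    {"logGroupName": "/custodian/vpc/flowlogs/", "retentionInDays": 90},
]


def log_groups_needing_retention():
    """Names of the sample log groups the policy would act on."""
    return [r["logGroupName"] for r in select_resources(RETENTION_POLICY, SAMPLE_LOG_GROUPS)]
```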
GCP Check Logging On DNS Policies
```yaml
policies:
  - name: gcp-dns-policies-logging-disabled
    description: |
      This policy will find GCP DNS policies which do not have logging enabled.
      Per security best practices, logging should be enabled on all used and
      supported services.
    resource: gcp.dns-policy
    filters:
      - type: value
        key: enableLogging
        value: false
```
Azure Check Logging On Storage Tables
```yaml
policies:
  - name: storage-tables-not-logging
    description: |
      This policy will identify storage tables which do not have logging enabled.
      Per security best practices, logging should be enabled on all used and
      supported services.
    resource: azure.storage
    filters:
      - type: storage-diagnostic-settings
        storage-type: table
```
Enable CloudWatch Logs for CloudTrail
```yaml
policies:
  - name: cloudtrail-enable-logging
    resource: aws.cloudtrail
    description: |
      This policy will identify CloudTrail Trails that are not currently set up
      for CloudWatch Logs integration. Per AWS security best practices,
      CloudTrail should be logging to CloudWatch Logs to enable real-time and
      historic logging of all events. This allows setting up alarms based on
      user API activity.
```
Enable CloudFront Distribution Logs
```yaml
policies:
  - name: cloudfront-enable-logging
    resource: aws.distribution
    description: |
      Identifies CloudFront Distributions which do not have logging enabled.
      The policy will then enable logging.
    filters:
      - type: distribution-config
        key: Logging.Enabled
        value: false
    actions:
      - type: set-attributes
        attributes:
          Comment: "Logging Enabled By Cloud Custodian"
          Enabled: true
          Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: "{account_id}-{region}-s3-logs.s3.amazonaws.com"
            Prefix: "CloudFrontLogs"
```
Enabling Logs for Elastic Load Balancers
```yaml
policies:
  - name: app-elb-enable-logging
    resource: aws.app-elb
    description: |
      Identifies Application ELBs which do not have logging enabled and then
      the policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: set-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "APP_ELB_LOGS"
        state: enabled

  - name: elb-enable-logging
    resource: aws.elb
    description: |
      Identifies Classic ELBs which do not have logging enabled and then the
      policy enables it.
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: "{account_id}-{region}-s3-logs"
        prefix: "ELB_LOGS"
        emit_interval: 60
```
Enabling VPC Flow Logs
```yaml
policies:
  - name: vpc-flow-logs-enable-logging
    resource: aws.vpc
    description: |
      Identify VPCs which don't have flow logs set up and enable them. Flow logs
      should be enabled and monitored for suspicious or unauthorized activities.
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        DeliverLogsPermissionArn: arn:iam:role
        LogGroupName: /custodian/vpc/flowlogs/
```
How do you ensure your cloud resource logs are set up properly? If you could use some help, you can get started with Cloud Custodian here.
Categories
- Cloud Security
- Cybersecurity
- Cybersecurity Awareness Month 2021