Cloud Security Policy Set: Ensure Cloud Logging and Monitoring Is Set Up the Right Way
Enabling logging for your cloud resources is a critical piece of cloud security, and is often required to meet many governance and compliance regulations. There are many benefits to turning on logging for your cloud resources. Logs can be used for both proactive and reactive security measures. In addition, logs can be a source for enhanced monitoring data.
Here are a few ways you can use logging and monitoring for your cloud resources:
- Proactive monitoring. Your teams can monitor logs in real time to detect unauthorized access attempts and generate alerts or take action to isolate resources. You can use cloud native monitoring and metric tools to analyze incoming log files and spot malicious activity.
- Incident response. After a security incident, you can review logs for forensics. Resource audit logs will typically show the attacker’s IP/source address, which resources or objects they accessed and whether each request succeeded or was denied, the date/time of the incident, and some additional resource-specific details. There will be many questions after a security incident, and logs will help you answer a lot of them. If resource logging is not turned on when a security incident occurs, you will be in the dark as to what happened, what data might have been exposed, and how a similar attack can be prevented in the future.
- Troubleshooting resource connection issues. Resource logs can be a great tool for troubleshooting connectivity issues. These logs can be used to see if a connection is getting allowed, denied, or not coming through at all.
Every organization should have a comprehensive set of security or operational policies that ensure logs are collected and monitored, and that the right retention periods are set in order to meet budgetary and compliance needs.
Cloud Custodian is an open source cloud governance as code solution that makes it easy to implement security and operational policies. The solution enables you to ensure logging is turned on for your organization’s cloud resources. With a few simple Cloud Custodian policies, you can quickly bring your organization's cloud estate into compliance.
Cloud Custodian policies are expressed in YAML and specify a type of resource to run the policy against, filters to narrow down the set of resources, and actions to take on the filtered set of resources.
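As an added example (not one of the page's own policies), here is a complete Cloud Custodian policy showing all three parts: the resource type (CloudWatch log groups), a filter that narrows the set to groups with no retention period, and an action that sets one. The 90-day value is an assumption; use whatever period your compliance and budget requirements call for.

```yaml
policies:
  - name: cloudwatch-log-group-set-retention
    # Resource type: every CloudWatch log group in the account/region.
    resource: aws.log-group
    description: |
      Log groups with no retention period keep logs forever, which inflates
      cost and may violate data-retention policy. Find them and set a
      retention period (90 days here; an assumption, adjust as needed).
    filters:
      # Keep only log groups whose retentionInDays attribute is missing,
      # i.e. "Never expire" in the console.
      - type: value
        key: retentionInDays
        value: absent
    actions:
      # Apply the retention period to every log group that passed the filter.
      - type: retention
        days: 90
```

Run it in dry-run mode first (`custodian run --dryrun -s out policy.yml`) to see which log groups would be changed before the action is applied.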
The example policies provided below are a great way to get started.
Using CloudWatch logs and metrics is an easy way to take your monitoring capabilities to a whole new level with rich data queries, dashboards, and customizable alarms.
- name: aws-cloudwatch-log-group-no-retention
GCP Check Logging On DNS Policies
- name: gcp-dns-policies-logging-disabled
Azure Check Logging On Storage Tables
- name: storage-tables-not-logging
Enable CloudWatch Logs for CloudTrail
- name: cloudtrail-enable-logging
Enable CloudFront Distribution Logs
- name: cloudfront-enable-logging
Enabling Logs for Elastic Load Balancers
- name: app-elb-enable-logging
Enabling VPC Flow Logs
- name: vpc-flow-logs-enable-logging
How do you ensure your cloud resource logs are set up properly? If you could use some help, you can get started with Cloud Custodian here.