January 18, 2017 By Graham Watts

AWS Well Architected Framework - Security Pillar

Updated 5/28/2019

When I’m asked, "How should I monitor my Amazon Web Services infrastructure?" or "What AWS products and features should I be using?", one of the first topics I focus on is security.

The AWS Well Architected Framework's Security Pillar defines cloud security best practices with five Design Principles and five focus areas. First, I'll describe the Security Design Principles and some Sumo Logic capabilities that will help you adhere to them. Then, I'll list the five focus areas with corresponding investigative questions you can ask to ensure your architecture is secure. A link to the next pillar in the framework, Reliability, is soon to come.

Design Principles

Apply security at all layers

“Rather than just running security appliances (e.g., firewalls) at the edge of your infrastructure, use firewalls and other security controls on all of your resources (e.g., every virtual server, load balancer, and network subnet)” [1]

  • Most security events aren't detected until after the fact, so you'll need to capture all relevant logs to allow incident response teams to do their jobs
  • You can stream data to Sumo Logic by installing a collector agent on an EC2 instance, using API calls to scan S3 buckets, or posting data in CloudWatch log groups to our endpoints
  • Sumo Logic’s Integrated Threat Intelligence extracts all IPs, URLs, file names, email, domains, and hash values out of your logs, and compares them to Crowdstrike's Threat Intelligence feed to expose known bad actors in real time
  • Sumo Logic's AWS GuardDuty App allows you to complete more security investigations and audits, faster, with links that take you directly into your AWS console to remediate. Having GuardDuty findings from all of your AWS accounts in one place, alongside logs from your application, infrastructure, and third-party tools, will increase the efficiency of your security team.
  • Sumo Logic offers an AWS Threat Intelligence App that scans CloudTrail, ELB, and VPC Flow logs to expose malicious activity across your AWS environment
  • Sumo Logic’s VPC Flow Log integration allows you to visualize and alert on traffic across your custom or default virtual networking environment

Enable traceability

“Log and audit all actions and changes to your Environment” [1]

[Image: AWS CloudTrail console logins]

Automate responses to security events

“Monitor and automatically trigger responses to event-driven, or condition-driven, alerts.” [1]

  • Advanced operators like Outlier, LogReduce, and LogCompare can be used to proactively identify anomalies
  • Once identified, push alerts to your Slack, HipChat, PagerDuty, email, and other alerting channels
  • You can also take advantage of our new AWS Lambda Webhook or a Script Action to take programmatic actions in response to alerts and outages
  • For example, when Outlier notices a spike in connections from a user, IP, or country, Lambda webhooks can automatically adjust your Network Access Control List to block this traffic
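
The NACL adjustment described in the last bullet could look like the Lambda function below. It is an added example, not code from Sumo Logic or from the original post. It assumes the alert webhook delivers a JSON body with a `source_ip` field, that the target NACL ID is supplied through a `NACL_ID` environment variable, and that rule numbers 1 to 49 are reserved for automated deny entries.

```python
import ipaddress
import os

# NACL rules are evaluated lowest number first, so automated deny entries take
# numbers from a reserved low range (assumed here) that sits below the allow rules.
BLOCK_RULE_RANGE = range(1, 50)
# Constructed allowlist: ranges the automation must never block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def block_source_ip(ec2, nacl_id, source_ip):
    """Add an inbound deny entry for one address; return a status string."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "rejected: not an IP address"
    if any(addr in net for net in NEVER_BLOCK):
        return "rejected: protected range"
    key = "CidrBlock" if addr.version == 4 else "Ipv6CidrBlock"
    cidr = f"{addr}/{addr.max_prefixlen}"  # single host: /32 or /128

    acl = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]
    inbound = [e for e in acl["Entries"] if not e["Egress"]]
    if any(e.get(key) == cidr and e["RuleAction"] == "deny" for e in inbound):
        return "already blocked"  # idempotent: repeated alerts add nothing
    used = {e["RuleNumber"] for e in inbound}
    free = next((n for n in BLOCK_RULE_RANGE if n not in used), None)
    if free is None:
        return "rejected: reserved range full, needs human review"
    ec2.create_network_acl_entry(
        NetworkAclId=nacl_id, RuleNumber=free, Protocol="-1",
        RuleAction="deny", Egress=False, **{key: cidr})
    return f"blocked {cidr} as rule {free}"


def lambda_handler(event, context):
    import boto3  # imported here so block_source_ip can be run offline with a stub
    # The NACL comes from configuration, never from the alert payload;
    # "source_ip" is an assumed field name in the webhook body.
    return block_source_ip(boto3.client("ec2"), os.environ["NACL_ID"],
                           event["source_ip"])
```

The function's IAM role needs only `ec2:DescribeNetworkAcls` and `ec2:CreateNetworkAclEntry`, and because a NACL holds a limited number of entries, a matching cleanup job should expire old blocks.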

Focus on securing your system

“With the AWS Shared Responsibility Model you can focus on securing your application, data, and operating systems, while AWS provides secure infrastructure and services.” [1]

  • Installing Sumo Logic’s Linux or Windows OS applications enables you to monitor and alert on your OS-level security events

Automate security best practices

“Software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively.” [1]

Best Practice Areas

AWS defines the five security-focused best practice areas as:

  1. Identity and access management
  2. Detective controls
  3. Infrastructure protection
  4. Data protection
  5. Incident response

Does your architecture take each of these best practices into account? Here are the questions you can ask to find out:

Identity and access management (IAM)

  • "How are you protecting access to and use of the AWS root account credentials?" [1]
  • "How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?" [1]
  • "How are you limiting automated access to AWS resources? (e.g., applications, scripts, and/or third-party tools or services)" [1]

Detective controls

  • "How are you capturing and analyzing logs?" [1]

Infrastructure protection

  • "How are you enforcing network and host-level boundary protection?" [1]
  • "How are you leveraging AWS service level security features?" [1]
  • "How are you protecting the integrity of the operating systems on your Amazon EC2 instances?" [1]

Data protection

  • "How are you classifying your data?" [1]
  • "How are you encrypting and protecting your data at rest?" [1]
  • "How are you managing keys?" [1]
  • "How are you encrypting and protecting your data in transit?" [1]

Incident response

  • "How do you ensure you have the appropriate incident response?" [1]

In the next post, which will be linked here soon, we will cover the Design Principles and best practice areas for the Reliability Pillar. If you have questions or comments, please connect with me on LinkedIn here.

[1] AWS Well-Architected Framework (November 2016)

Graham Watts is an AWS Certified Solutions Architect and Sales Engineer at Sumo Logic.