CloudTrail, CloudWatch, Splunk, Custom logs solution. How do you make sense of these?

  • Sujay Maheshwari
  • Sunday, Jul 12, 2020

Introduction

To understand what is going on in an AWS environment, your Cloud Operations team (or your engineering team) needs a defined and robust system for ingesting logs and then analyzing and reacting to them. This is not an easy task under today’s strict compliance, security, and legal standards. In AWS-native or hybrid environments, torrents of data move in and out of the network at all times. Hence, one way or another, a DevOps developer will need AWS logs.

Mining this data is a challenge for the Ops team. On the other hand, the same logging data can be turned into golden opportunities to improve application ops support and reduce costs.

CloudTrail and CloudWatch both help a developer analyze data collected from their AWS environment. Splunk is an application that makes machine data accessible across an enterprise by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations; it is mainly used for business and web analytics of logs. Some teams use Amazon CloudWatch, some use AWS CloudTrail, and some prefer custom logging solutions; each has its place in the productive and efficient management of logs.

What is CloudTrail?

AWS CloudTrail is a service that gathers all pertinent information about API calls made within a DevOps developer’s AWS environment. It also reveals the caller’s identity, IP address, call request, and other related data. CloudTrail logs contain information critical for audits and intrusion response, and the service enables governance, compliance, operational auditing, and risk auditing of the account.

CloudTrail can log, continuously monitor, and store account activity across the AWS infrastructure. It provides an event history of AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. Hence, developers can use CloudTrail to detect unusual activity in their AWS accounts.

All these capabilities help simplify operational analysis and troubleshooting. CloudTrail provides excellent visibility into user activity by recording AWS console actions and API calls, including who made each call, from which IP address, and when. CloudTrail also logs very high-volume activity events from other services such as AWS Lambda, S3, and EC2. It can be turned on from the moment developers create and activate their AWS account.

Read more about AWS CloudTrail here.

  • An example of what an AWS CloudTrail event looks like (here, a console sign-in record as delivered through a CloudWatch Events rule):
{
  "version": "0",
  "id": "5f4648fa-5be4-cdec-e7fc-114539d13474",
  "detail-type": "AWS Console Sign In via CloudTrail",
  "source": "aws.signin",
  "account": "xxxxxxxxxxx",
  "time": "2020-06-30T08:53:15Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "Root",
      "principalId": "017653914175",
      "arn": "arn:aws:iam::017653914175:root",
      "accountId": "017653914175"
    },
    "eventTime": "2020-06-30T08:53:15Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "global",
    "sourceIPAddress": "102.112.10.2",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
    "requestParameters": null,
    "responseElements": { "ConsoleLogin": "Success" },
    "additionalEventData": {
      "LoginTo": "https://console.aws.amazon.com/console/home?nc2=h_ct&src=header-signin&state=hashArgs%23&isauthcode=true",
      "MobileVersion": "No",
      "MFAUsed": "Yes"
    },
    "eventID": "d8d8c991-e46f-4992-b4fc-892ec50217fe",
    "eventType": "AwsConsoleSignIn"
  }
}
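The record above is the kind of input a detection rule consumes. The script below is an added example, not code from this page or from Cloudanix: it triages a ConsoleLogin record, flagging a root sign-in, a successful sign-in without MFA, a failed attempt, and a source address outside an allow-list. The sample record is the event shown above (with the user agent shortened); the list of trusted networks is a constructed assumption that a team would replace with its own egress ranges.

```python
"""Triage of a CloudTrail console sign-in event.

Added example, not code from the page or from Cloudanix. The sample record is
the ConsoleLogin event shown above; the list of trusted source networks is a
constructed assumption that a team would replace with its own egress ranges.
"""
import ipaddress
import json

# Constructed assumption: networks a console sign-in is expected to come from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# The event shown on this page, as delivered through a CloudWatch Events rule.
SAMPLE_EVENT = json.loads("""
{
  "version": "0",
  "id": "5f4648fa-5be4-cdec-e7fc-114539d13474",
  "detail-type": "AWS Console Sign In via CloudTrail",
  "source": "aws.signin",
  "account": "xxxxxxxxxxx",
  "time": "2020-06-30T08:53:15Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {"type": "Root", "principalId": "017653914175",
                     "arn": "arn:aws:iam::017653914175:root",
                     "accountId": "017653914175"},
    "eventTime": "2020-06-30T08:53:15Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "global",
    "sourceIPAddress": "102.112.10.2",
    "userAgent": "Mozilla/5.0",
    "requestParameters": null,
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"},
    "eventID": "d8d8c991-e46f-4992-b4fc-892ec50217fe",
    "eventType": "AwsConsoleSignIn"
  }
}
""")


def triage_signin(event, trusted_networks=TRUSTED_NETWORKS):
    """Return (severity, message) findings for one ConsoleLogin record.

    Records that are not sign-ins return an empty list, so the function can sit
    behind a rule that forwards every CloudTrail event.
    """
    detail = event.get("detail") or {}
    if detail.get("eventName") != "ConsoleLogin":
        return []
    identity = detail.get("userIdentity") or {}
    extra = detail.get("additionalEventData") or {}
    response = detail.get("responseElements") or {}
    success = response.get("ConsoleLogin") == "Success"

    findings = []
    if identity.get("type") == "Root":
        # Root should be reserved for break-glass use; any sign-in is worth a look.
        findings.append(("high", "root account console sign-in"))
    if success and extra.get("MFAUsed") != "Yes":
        findings.append(("high", "console sign-in completed without MFA"))
    src = detail.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in trusted_networks):
            findings.append(("medium", f"sign-in from untrusted address {src}"))
    except ValueError:
        # Some records carry a service name in this field rather than an address.
        findings.append(("low", f"sourceIPAddress is not an IP address: {src!r}"))
    if not success:
        findings.append(("low", "failed console sign-in attempt"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_signin(SAMPLE_EVENT):
        print(f"[{severity}] {message}")
```

For the page's own event this reports a root sign-in and an address outside the constructed allow-list; MFA was used, so no MFA finding is raised. The same function is the natural body of a Lambda function subscribed to a CloudWatch Events rule on `aws.signin`.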

What is CloudWatch?

CloudWatch is a monitoring service that collects an enterprise’s operational data and provides actionable insights for its applications. It helps teams understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and it can set high-resolution alarms and automate actions. AWS CloudWatch is mainly used to understand what is happening in the AWS environment and to log all the events for a particular service or application.

CloudWatch can collect native logs from a wide range of AWS resources and services. It can also collect optionally published logs from over 38 services and custom logs from other applications or on-premises resources. It also gives operators the ability to go deeper into the metrics and pull out only the relevant data.

It covers over 70 services and provides a variety of built-in metrics that show how well resources and services are running, including latency, errors, and changes in state. Going further into the analysis, CloudWatch provides up to 15 months of metric data and supports metric math, so developers can perform calculations across multiple metrics to understand utilization, performance, and the operational health of their enterprise. CloudWatch Logs, metrics, and alarms work together to help developers find, diagnose, and rectify issues and increase the efficiency of the cloud environment.

In this way it supports a highly efficient and reliable cloud environment; it is largely a real-time function that watches over resources. It also records historical logs, keeps the infrastructure healthy and secure, integrates extensively with other AWS services, and delivers ongoing, actionable insights. A CloudWatch Events rule can recognize a change in the logs and trigger a Lambda function that opens a ticket for investigation. By default, the Lambda function blueprint logs the decoded data batch received from CloudWatch Logs. Developers can get started with Amazon CloudWatch at no extra charge, and most AWS services, such as EC2, S3, and Kinesis, publish metrics to CloudWatch automatically for free.
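The "decoded data batch" mentioned above is worth seeing concretely, because the payload CloudWatch Logs hands to a subscribed Lambda function is not plain JSON: it arrives base64-encoded and gzip-compressed under `awslogs.data`. The script below is an added example, not code from this page, from Cloudanix, or from the AWS blueprint. It constructs such a payload inline so it runs offline, decodes it the way a handler must, and matches log lines on a term (here the word "ERROR", an assumption standing in for whatever metric filter or rule a team actually uses); the account id and log group names are placeholders.

```python
"""Decoding a CloudWatch Logs subscription batch in a Lambda-style handler.

Added example, not code from the page or from Cloudanix. The payload is
constructed inline so the script runs offline; matching on the word "ERROR"
stands in for whatever metric filter or rule a team would actually use.
"""
import base64
import gzip
import json


def build_subscription_event(log_group, log_stream, messages):
    """Construct a payload shaped like the one CloudWatch Logs delivers to a
    subscribed Lambda function: JSON, gzip-compressed, then base64-encoded
    under awslogs.data. The owner account id is a constructed placeholder."""
    body = {
        "messageType": "DATA_MESSAGE",
        "owner": "123456789012",
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["example-filter"],
        "logEvents": [
            {"id": str(i), "timestamp": 1593507195000 + i, "message": msg}
            for i, msg in enumerate(messages)
        ],
    }
    compressed = gzip.compress(json.dumps(body).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(compressed).decode("ascii")}}


def decode_subscription_event(event):
    """Reverse the delivery encoding: base64 -> gunzip -> JSON batch."""
    compressed = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(compressed).decode("utf-8"))


def find_matches(batch, needle="ERROR"):
    """Return the messages in a batch that contain the needle, the way a
    CloudWatch Logs metric filter with a plain term would match them."""
    if batch.get("messageType") != "DATA_MESSAGE":
        # CONTROL_MESSAGE is a liveness check from CloudWatch; it carries no log lines.
        return []
    return [ev["message"] for ev in batch["logEvents"] if needle in ev["message"]]


def lambda_handler(event, context=None):
    """Entry point in the shape Lambda calls. Returns a summary instead of
    opening a ticket; a real handler would call a ticketing API here."""
    batch = decode_subscription_event(event)
    matches = find_matches(batch)
    return {
        "logGroup": batch["logGroup"],
        "logStream": batch["logStream"],
        "received": len(batch["logEvents"]),
        "matches": matches,
    }


# Constructed log lines standing in for an application log group.
SAMPLE_LINES = [
    "INFO  request handled in 12ms",
    "ERROR database connection refused",
    "WARN  retrying upstream call",
    "ERROR unhandled exception in worker",
]
SAMPLE_EVENT = build_subscription_event("/app/example", "host-1", SAMPLE_LINES)

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The `CONTROL_MESSAGE` branch matters in practice: CloudWatch Logs sends one when a subscription is created to confirm the destination is reachable, and a handler that assumes every batch carries `logEvents` will raise on it.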

What is Splunk?

Splunk is a third-party tool for working with big data and machine-generated data. Splunk makes machine data accessible across an enterprise by identifying data patterns and providing metrics. It diagnoses problems and also provides intelligence for business operations. It is a horizontal technology that developers use for application management, security, and compliance, as well as for business and web analytics. It is a powerful complement to the applications, tools, and systems that developers use every day to build, test, and ship products, and it can support DevOps practices like continuous integration and continuous deployment.

It empowers developers to quickly trace and identify errors anywhere in the code base with real-time search and application monitoring. It delivers application intelligence from logs and provides real-time insights into the systems and processes that drive the application life cycle. Bugs and errors that take days to track down and fix can take minutes with Splunk. With the Splunk platform, developers can collect, index, and correlate data from various sources. Once the data is inside, you can quickly search, explore, and visualize it to gain insight into any environment, whether testing, staging, or production.

Custom logging solution

Developers and CloudOps teams can take the right approach, together with their big data partners, to the challenge of mining all the data from the enterprise in order to improve performance for users and reduce costs.

Three best practices that give developers complete control over their AWS log data are:

  1. Know your logging responsibilities
  2. Secure Your Logging Environment
  3. In AWS, Always Be Watching

I will briefly explain each point in turn.

Know Your Logging Responsibilities

A developer must understand their role in log data management. Public cloud usage works on the shared responsibility principle. It means that AWS protects developers and enterprises against intruders and other threats. Still, it is the developers and operators who are always responsible for the code, data, and credentials of the users they allow into their environment. They must always be sure to analyze their native or hybrid cloud structure. AWS customers (developers and operators) must also identify the application and data hand-off points that might eventually lead to vulnerabilities and attacks.

Secure Your Logging Environment

As a developer, you must always protect yourself and keep your log data clean by maintaining security practices such as:

  1. Restrictive access permissions
  2. Multi-factor user authentication
  3. Update security certificates
  4. Audit your AWS logs

I will briefly describe each point in turn.

Restrictive access permissions

Access for essential transactions must be restricted to the minimum set of resources needed, and access control lists must be audited and updated frequently.

Multi-factor user authentication

To ensure that intruders cannot sneak through any vulnerability or security gap, developers must use multi-factor authentication.

Update security certificates

According to the latest requirements outlined by the PCI Security Standards Organization, developers must keep the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates in a network up to date at all times, on the most recent and secure versions. Most logged security breaches are due to weaknesses in this compliance area.

Audit your AWS logs

The PCI Security Standards Organization also stipulates annual audits performed internally, plus at least one audit per year by a third-party security firm. These tests identify gaps, prepare enterprises for any eventual audit, and give operators practice in dealing with critical incidents. With these steps taken early in the log management approach, you as a developer ensure that the data you are logging and using to keep things secure is itself secure.
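The points under "Secure Your Logging Environment" and "Audit your AWS logs" can be checked mechanically for the trails that produce the CloudTrail data in the first place. The script below is an added example, not code from this page or from Cloudanix: it audits each trail for settings a tampering or blind-spot review would look at (multi-region coverage, global service events, log file validation, KMS encryption of the delivered files, and delivery to CloudWatch Logs so alarms can fire). The input is a constructed dict in the shape of boto3's `cloudtrail.describe_trails()` response; bucket names, ARNs and the account id are placeholders, and no AWS call is made.

```python
"""Audit CloudTrail trail settings against the logging-hygiene points above.

Added example, not code from the page or from Cloudanix. The input is a
constructed dict in the shape of boto3's cloudtrail.describe_trails() response
(bucket names, ARNs and the account id are placeholders); no AWS call is made.
"""

SAMPLE_TRAILS = {
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
            "CloudWatchLogsLogGroupArn":
                "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Default:*",
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-old-logs",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": False,
            "LogFileValidationEnabled": False,
        },
    ]
}

# (field in the describe_trails output, finding reported when it is missing or false)
CHECKS = [
    ("IsMultiRegionTrail",
     "trail covers one region only; API activity in other regions is not recorded"),
    ("IncludeGlobalServiceEvents",
     "global service events (IAM, STS, console sign-in) are not recorded"),
    ("LogFileValidationEnabled",
     "log file validation is off; later tampering with delivered logs cannot be detected"),
    ("KmsKeyId",
     "log files are not encrypted with a customer-managed KMS key"),
    ("CloudWatchLogsLogGroupArn",
     "no CloudWatch Logs delivery, so no metric filter or alarm can fire on this trail"),
]


def audit_trail(trail):
    """Return the findings for one trail; an empty list means it passes every check."""
    return [finding for field, finding in CHECKS if not trail.get(field)]


def audit_trails(response):
    """Map each trail name to its findings, over a describe_trails-shaped response."""
    return {trail["Name"]: audit_trail(trail) for trail in response.get("trailList", [])}


def worst_trail(response):
    """Name of the trail with the most findings, to prioritise the fix list."""
    results = audit_trails(response)
    if not results:
        return None
    return max(results, key=lambda name: len(results[name]))


if __name__ == "__main__":
    for name, findings in audit_trails(SAMPLE_TRAILS).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

To run this against a real account, pass the return value of `boto3.client("cloudtrail").describe_trails()` to `audit_trails`; the field names in `CHECKS` are the ones that API returns. Log file validation deserves emphasis for the audit point above: with it enabled, CloudTrail delivers signed digest files alongside the logs, which is what lets an auditor prove that a delivered log file was not altered or deleted afterwards.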

In AWS, Always Be Watching

As a DevOps developer in the Amazon Web Services platform, you must always watch log data and users in the system.

Amazon CloudWatch tracks your AWS resources and applications. It collects and tracks metrics, monitors log files, and deploys automated responses to everyday events in your AWS environment.

AWS CloudTrail gathers information about API calls within your AWS environment. It also reveals the caller’s identity, IP address, call request, and other data.

AWS Inspector is also a great automated tool that probes your AWS environment for vulnerabilities and provides a complete report with the most common fixes and with improvements for better security. Familiarity with all these tools and other key data sources and applications gives any developer a head start in developing comprehensive logging practices in AWS.

Conclusion

Hence I can conclude that CloudTrail, CloudWatch, Splunk or any other custom logging solution, and even AWS Inspector are all needed by a DevOps developer. No single one of them is enough to complete a cloud environment. Together, they provide metrics, logging data, and security for an enterprise’s cloud environment and help the DevOps developer gain experience while making their life more comfortable.

Bonus

If you are a busy, small DevOps team, a product like Cloudanix can help you make sense of these logs much more efficiently. We built Cloudanix to abstract some of these nuances and foster productivity for your busy team. Give it a spin with its free trial and see how it can improve your security posture.
