A common practice when securing AWS infrastructure with a VPC is to use a jump host, also known as a bastion. It provides a single access point into the network through that one host, and the attack surface is greatly reduced because far fewer services and systems are exposed to the open internet.
While a jump host can improve security dramatically, it can also lead to challenges in auditing and access control. For example, traditional authentication services like LDAP become difficult to configure because application services are now isolated behind a wall. A typical scenario is that a user first authenticates to the jump host as themselves, then uses shared application or root credentials to log into other machines. Even though user account management is done within the VPC, the actions of that user are often impossible to audit. The risks only escalate from there: there could be 20 people logged into the jump host, and if just one of them connected to a Postgres instance as an application user, it would not be possible to know who it was.
Threat Stack provides a solution by gathering and remembering very detailed, host-level audit data. It can answer the easy questions like "Did this user spawn a root shell from 'sudo vi'?" More importantly, it can answer the hard questions like "What system, what user, and what commands did this user run after they SSH'd to an application server?"
Threat Stack allows the user to create intelligent rules that monitor the environment for these types of complex security risks, and provides an alerting system that notifies of potentially nefarious activity in near real time.
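The attribution described above, as an added example that is not Threat Stack's code: it joins constructed bastion audit records to the application server's sshd and process records by source port, so commands run under the shared app account are traced back to the named user who came through the jump host, and the 'sudo vi' root-shell escape is flagged. The record formats, the bastion address 10.0.0.10 and the sample users are assumptions.

```python
import re

# Constructed sample records (not real logs). On the bastion an audit agent
# can record which named user opened an outbound SSH connection and the local
# port it used; on the application server sshd logs the peer address and port
# of each login to the shared "app" account, and a process audit trail lists
# commands keyed by sshd session id (sid).
BASTION_IP = "10.0.0.10"  # assumed address of the jump host inside the VPC
BASTION_OUTBOUND = [
    "user=alice dst=10.0.1.20:22 src_port=40001",
    "user=bob dst=10.0.1.20:22 src_port=40002",
]
APP_SERVER_LOG = [
    "sshd[1]: Accepted publickey for app from 10.0.0.10 port 40001 ssh2",
    "sshd[2]: Accepted publickey for app from 10.0.0.10 port 40002 ssh2",
    "cmd sid=1 uid=app exe=/usr/bin/psql",
    "cmd sid=2 uid=app exe=/usr/bin/sudo args=vi",
    "cmd sid=2 uid=root exe=/bin/sh ppid_exe=/usr/bin/vi",
]
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port (\d+)")
KV_RE = re.compile(r"(\w+)=(\S+)")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
EDITORS = {"/usr/bin/vi", "/usr/bin/vim"}


def map_sessions(bastion_records, app_log, bastion_ip=BASTION_IP):
    """Map app-server sshd session id -> named bastion user, joined on the
    source port the bastion recorded and the peer port sshd accepted."""
    port_to_user = {}
    for rec in bastion_records:
        kv = dict(KV_RE.findall(rec))
        port_to_user[kv["src_port"]] = kv["user"]
    sessions = {}
    for line in app_log:
        m = ACCEPT_RE.search(line)
        if m and m.group(3) == bastion_ip and m.group(4) in port_to_user:
            sessions[m.group(1)] = port_to_user[m.group(4)]
    return sessions


def attribute_commands(bastion_records, app_log):
    """Rewrite the shared-account trail as (real user, uid, exe, parent exe)."""
    sessions = map_sessions(bastion_records, app_log)
    cmds = [dict(KV_RE.findall(ln)) for ln in app_log if ln.startswith("cmd ")]
    return [(sessions.get(c["sid"], "unknown"), c["uid"], c["exe"], c.get("ppid_exe"))
            for c in cmds]


def root_shell_from_editor(bastion_records, app_log):
    """Flag the 'sudo vi' escape: a root shell whose parent process is an editor."""
    return [user for user, uid, exe, parent in attribute_commands(bastion_records, app_log)
            if uid == "root" and exe in SHELLS and parent in EDITORS]
```

Without the bastion join, every line of the app-server trail would read as user "app"; with it, each command carries the named person who opened the session.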