I am an AWS Data Services user. What do I need to monitor?

Monitoring AWS Data Services For Security

 

AWS data services give cloud customers an easy way to store and analyze large amounts of data, and many of our customers use them heavily. The question they most often ask is: how can I monitor access to that data?

 

AWS provides the following data services:

  1. S3
  2. Dynamo
  3. Redshift

 

CloudTrail offers a very good way to monitor what is going on with the data. Threat Stack recommends three alert severity levels:

  1. Sev 1: Urgent: you need to attend to it right away.
  2. Sev 2: Warning: you need to review it every 2 weeks.
  3. Sev 3: Info: you need to review it.

 

 

The table below lists the CloudTrail events generated by the services above, with the severity Threat Stack recommends for each. Our customers get the corresponding rules by default in our product through the CloudTrail Base Rule Set.

 

| Service | CloudTrail Event Name | Description | Monitor Method |
|---|---|---|---|
| S3 | DeleteBucket | The DELETE operation deletes the bucket named in the URI. All objects (including all object versions and delete markers) in the bucket must be deleted before the bucket itself can be deleted. | Warn (sev 2) |
| S3 | DeleteBucketLifeCycle | Deletes the lifecycle configuration of the bucket. | Info (sev 3) |
| S3 | DeleteBucketTagging | Deletes tags from the bucket. | Info (sev 3) |
| S3 | PutBucketAcl | Sets the permissions on an existing bucket using access control lists (ACLs). | Warn (sev 2) |
| S3 | PutBucketLifecycle | | |
| S3 | PutBucketPolicy | | Warn (sev 2) |
| S3 | PutBucketReplication | | |
| S3 | PutBucketLogging | Specifies permissions for who can view and modify the logging parameters. | Warn (sev 2) |
| CloudTrail | CreateTrail | Start CloudTrail | Warn (sev 2) |
| CloudTrail | DeleteTrail | Delete CloudTrail | Urgent (sev 1) |
| CloudTrail | UpdateTrail | Update the trail | Warn (sev 2) |
| CloudTrail | StopLogging | Stop logging | Urgent (sev 1) |
| RDS | AuthorizeDBSecurityGroupIngress | Enable access to RDS from an IP/port | Warn (sev 2) when ip = 0.0.0.0/0 |
| RDS | CreateDBSecurityGroup | Creates a new DB security group. DB security groups control access to a DB instance. | |
| RDS | CopyDBSnapshot | Copies the specified DB snapshot. | Warn (sev 2) |
| RDS | CreateDBSnapshot | | Warn (sev 2) |
| RDS | DeleteDBSnapshot | | Warn (sev 2) |
| RDS | DeleteDBInstance | | Warn (sev 2) |
| RDS | ModifyDBInstance | | Warn (sev 2) |
| RDS | CreateDBClusterSnapshot | Database backup | |
| Redshift | ConnectionLogging | Start connection logging | Warn (sev 2) |
| Redshift | QueryTextLogging | | Warn (sev 2) |
| Redshift | AuthorizeDBSecurityGroupIngress | | Warn (sev 2) |
| Redshift | CopyClusterSnapshot | | Warn (sev 2) |
| Redshift | CreateClusterSnapshot | | Warn (sev 2) |
| Redshift | DeleteCluster | | Warn (sev 2) |
| Redshift | DeleteClusterSnapshot | | |
| Redshift | DisableLogging | | Urgent (sev 1) |
| Dynamo | BatchGetItem | | NA |
| Dynamo | BatchWriteItem | | NA |
| Dynamo | GetItem | | NA |
| Dynamo | PutItem | | NA |
| Dynamo | UpdateItem | | NA |
| Dynamo | DeleteTable | | NA |
| Dynamo | UpdateTable | | NA |
| | RootLogin | | |
| Glacier | DeleteArchive | | Urgent (sev 1) |
| Glacier | DeleteVault | Delete Glacier vault | Urgent (sev 1) |
| EC2 | AuthorizeDBSecurityGroupIngress | | |
| EC2 | CopySnapshot | | |
| EC2 | CreateNetworkAclEntry | | Warn (sev 2) when ip = 0.0.0.0/0 |
| EC2 | CreateSnapshot | | |
| EC2 | DeleteSnapshot | | |
| EC2 | DeleteTags | | |
| EC2 | DeleteVolume | | |
| EC2 | TerminateInstance | | |
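As an added example (not Threat Stack's rule engine and not code from this article), the following Python script turns the severity scheme and the table above into working triage logic: a lookup from (eventSource, eventName) to severity, the "only when ip = 0.0.0.0/0" condition for the two ingress events, and a triage pass over a handful of constructed CloudTrail records. The eventSource values are the standard CloudTrail service endpoints; the record shapes and account/user identifiers are abbreviated and constructed here; the CIDR check scans every string in requestParameters rather than depending on any single parameter key, since RDS and EC2 name that field differently.

```python
import json
from ipaddress import ip_network

# Severity levels from the scheme above: 1 = urgent, 2 = warning, 3 = info.
SEV_URGENT, SEV_WARN, SEV_INFO = 1, 2, 3

# Static rules: (eventSource, eventName) -> severity, taken from the table.
# Only rows with an assigned severity are listed; everything else is unmonitored.
STATIC_RULES = {
    ("s3.amazonaws.com", "DeleteBucket"): SEV_WARN,
    ("s3.amazonaws.com", "DeleteBucketLifecycle"): SEV_INFO,  # CloudTrail spells it "Lifecycle"
    ("s3.amazonaws.com", "DeleteBucketTagging"): SEV_INFO,
    ("s3.amazonaws.com", "PutBucketAcl"): SEV_WARN,
    ("s3.amazonaws.com", "PutBucketPolicy"): SEV_WARN,
    ("s3.amazonaws.com", "PutBucketLogging"): SEV_WARN,
    ("cloudtrail.amazonaws.com", "CreateTrail"): SEV_WARN,
    ("cloudtrail.amazonaws.com", "DeleteTrail"): SEV_URGENT,
    ("cloudtrail.amazonaws.com", "UpdateTrail"): SEV_WARN,
    ("cloudtrail.amazonaws.com", "StopLogging"): SEV_URGENT,
    ("rds.amazonaws.com", "CopyDBSnapshot"): SEV_WARN,
    ("rds.amazonaws.com", "CreateDBSnapshot"): SEV_WARN,
    ("rds.amazonaws.com", "DeleteDBSnapshot"): SEV_WARN,
    ("rds.amazonaws.com", "DeleteDBInstance"): SEV_WARN,
    ("rds.amazonaws.com", "ModifyDBInstance"): SEV_WARN,
    ("redshift.amazonaws.com", "CopyClusterSnapshot"): SEV_WARN,
    ("redshift.amazonaws.com", "CreateClusterSnapshot"): SEV_WARN,
    ("redshift.amazonaws.com", "DeleteCluster"): SEV_WARN,
    ("redshift.amazonaws.com", "DisableLogging"): SEV_URGENT,
    ("glacier.amazonaws.com", "DeleteArchive"): SEV_URGENT,
    ("glacier.amazonaws.com", "DeleteVault"): SEV_URGENT,
}

# Conditional rules: a warning only when the new rule opens access to 0.0.0.0/0.
OPEN_WORLD_RULES = {
    ("rds.amazonaws.com", "AuthorizeDBSecurityGroupIngress"),
    ("ec2.amazonaws.com", "CreateNetworkAclEntry"),
}
ANY_V4 = ip_network("0.0.0.0/0")


def _cidrs_in(value):
    """Yield every string nested anywhere in requestParameters that parses as a network.
    Walking all values avoids hard-coding the CIDR parameter name for each service."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _cidrs_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _cidrs_in(v)
    elif isinstance(value, str):
        try:
            yield ip_network(value, strict=False)
        except ValueError:  # ordinary strings such as names or actions
            return


def classify(record):
    """Return the severity (1, 2 or 3) for one CloudTrail record, or None if unmonitored."""
    key = (record.get("eventSource"), record.get("eventName"))
    if key in OPEN_WORLD_RULES:
        opened = any(net == ANY_V4 for net in _cidrs_in(record.get("requestParameters")))
        return SEV_WARN if opened else None
    return STATIC_RULES.get(key)


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text)["Records"]


def triage(records):
    """Group monitored records by severity: {1: [...], 2: [...], 3: [...]}."""
    buckets = {SEV_URGENT: [], SEV_WARN: [], SEV_INFO: []}
    for rec in records:
        sev = classify(rec)
        if sev is not None:
            who = rec.get("userIdentity", {}).get("arn", "unknown")
            buckets[sev].append(f'{rec["eventName"]} by {who}')
    return buckets


# Constructed sample log (abbreviated CloudTrail record shape; not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "AuthorizeDBSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"dBSecurityGroupName": "prod-db-sg", "cIDRIP": "0.0.0.0/0"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "AuthorizeDBSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"dBSecurityGroupName": "prod-db-sg", "cIDRIP": "10.0.0.0/16"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketTagging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
     "requestParameters": {"tableName": "orders"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dave"},
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 100,
                           "protocol": "-1", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0"}},
]})

if __name__ == "__main__":
    for sev, hits in sorted(triage(load_records(SAMPLE_LOG)).items()):
        print(f"sev {sev}: {hits}")
```

Running the script prints the StopLogging event as sev 1, the two world-open ingress rules as sev 2 and the tag deletion as sev 3; the DynamoDB read and the 10.0.0.0/16 ingress rule are dropped as unmonitored, matching the "NA" rows and the 0.0.0.0/0 condition in the table.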

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
