Basic cloud auditing tools within AWS
In the sections that follow, as a prerequisite, you may require a minimum level of view or read access to obtain the test evidence independently. Depending upon your specific organization’s configuration and any additional customizations, you may require additional access rights or group memberships to directly access specific content, or you may be required to work with an administrative point of contact for your organization as you observe them pulling control evidence. For reference, any screenshots in the following sections are based on a user with administrative privileges to the cloud environment. In addition, some of the tools may need to be enabled by the cloud customer, if they have not yet been.
We will begin with the basic cloud auditing tools within the AWS platform.
Amazon CloudWatch
The first tool an IT auditor can leverage in AWS is Amazon CloudWatch. Amazon CloudWatch is an AWS native monitoring and management service designed to keep track of the AWS services and resources in use. Amazon CloudWatch can be used to collect and track metrics, monitor log files, and set alarms, among many other functions. To navigate to Amazon CloudWatch, you can simply search for it in the AWS console, as seen in Figure 7.1:
Figure 7.1 – Searching for Amazon CloudWatch
Once you launch Amazon CloudWatch, you have several options you can configure. These vary from creating alarms to custom dashboards, monitoring logs and creating events, and so on, as seen in Figure 7.2:
Figure 7.2 – Features
One useful feature for the IT auditor in Amazon CloudWatch is Events. In the Events tab, you can create a rule that is triggered when a particular event occurs. To create a rule, navigate to Events and click on the Rules tab, which will take you to EventBridge (formerly known as AWS CloudWatch Events), as seen in Figure 7.3:
Figure 7.3 – EventBridge main page
An event indicates a change in the AWS environment. An IT auditor can create a rule that is triggered when a certain state changes. I will provide examples of two rules an IT auditor can create. For detailed instructions on creating a rule that triggers on an event from an AWS resource, go to https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html.
To create a rule, you have to define the rule detail, as seen in Figure 7.4:
Figure 7.4 – Define rule detail
Next, we have to define the AWS event. We will also need to define a target to which the matching events will be sent. In our first example, we will select an event that triggers when an AWS Elastic Compute Cloud (EC2) instance state changes. Abnormal changes to EC2 instances may indicate malicious activity.
Figure 7.5 – Event source
In our second example, we will select an event that triggers when an AWS Simple Storage Service (S3) object Access Control List (ACL) is updated. We could use this rule to monitor objects whose access changes in S3 buckets. An IT auditor could use this rule to look for misconfigured S3 buckets allowing public access. This is one of the most common security misconfiguration risks within AWS.
Figure 7.6 – Object ACL Updated
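To make concrete what the two rules above match, here is an added Python example (not code from the book or from AWS) that writes both event patterns the way EventBridge expresses them and runs a simplified matcher over constructed sample events. As an assumption, the EC2 pattern is narrowed to the stopped and terminated states, and the instance ID, bucket name and object key are made up.

```python
# Patterns for the two rules described above. A list value means "match if
# the event's field equals any listed value"; a nested dict is matched
# field by field, the way an EventBridge event pattern is.
EC2_STATE_CHANGE_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    # Assumption: narrowed to two states; drop "detail" to match any change.
    "detail": {"state": ["stopped", "terminated"]},
}
S3_OBJECT_ACL_UPDATED_RULE = {
    "source": ["aws.s3"],
    "detail-type": ["Object ACL Updated"],
}
RULES = {"ec2-state-change": EC2_STATE_CHANGE_RULE,
         "s3-object-acl-updated": S3_OBJECT_ACL_UPDATED_RULE}

def matches(pattern, event):
    """Simplified EventBridge matching: every pattern key must be present in
    the event; lists match on equality with any element; dicts recurse.
    Content filters such as "prefix" or "anything-but" are not handled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def route(event, rules=RULES):
    """Return the names of all rules whose pattern matches the event."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]

# Constructed sample events, shaped like the notifications AWS delivers.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
    {"source": "aws.s3", "detail-type": "Object ACL Updated",
     "detail": {"bucket": {"name": "example-audit-bucket"},
                "object": {"key": "reports/q1.pdf"}}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["detail-type"], event["detail"], "->", route(event))
```

The "running" state change is deliberately left unmatched so you can see how the nested "detail" filter narrows the rule; the same patterns can be pasted into the EventBridge console's custom pattern editor.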
Another useful feature in Amazon CloudWatch is Alarms. The Alarms feature allows you to watch Amazon CloudWatch metrics and to receive notifications when the metrics fall outside of the thresholds defined. To create an alarm, go to the Alarms tab, as seen in Figure 7.7:
Figure 7.7 – The Alarms tab
You can create alarms using thousands of predefined metrics, as seen in Figure 7.8:
Figure 7.8 – Metrics
Once you create your alarms, you will get a dashboard like the one seen in Figure 7.9:
Figure 7.9 – Dashboards
In our example, we have received two alarms for metrics outside their thresholds, as seen in Figure 7.10:
Figure 7.10 – Example alarms
This should give you an idea of the flexibility of the Alarms functionality in Amazon CloudWatch.
Next, we will look at another AWS tool called Amazon Inspector.