Cloud Governance is Tough
Cloud Governance can be difficult to translate into technical objectives, and even more challenging to implement and scale.
Amazon Web Services’ (AWS) Cloud Adoption Framework includes 6 different perspectives:
- Governance
- People
- Business
- Platform
- Security
- Operations
Cloud Governance could be considered a combination of these business and technical capabilities.
In this blog post, we’ll look at a solution for monitoring, and alerting on, configuration that deviates from the company’s baseline.
We’ll first build it with AWS-native tools and then compare that to Hyperglance’s solution to the same problem.
The Scenario
The security team has identified several bastion hosts whose security groups allow port 22 (SSH) inbound from anywhere, despite the company’s best practice of reaching instances through AWS Systems Manager Session Manager. Session Manager needs no inbound port at all: the SSM agent on the instance connects outbound to the service over HTTPS (port 443).
A policy is created: all interactive access to instances must go through Session Manager, and inbound traffic on port 22 must be denied, regardless of source.
You're charged with ensuring this policy is adhered to and reporting violations to the security team.
There are 10 AWS accounts used by the company. Each requires monitoring, and alerts should be aggregated within a single account. Furthermore, non-compliance notifications should be posted to the security Slack channel for increased awareness.
AWS Native Solution
AWS Config is the appropriate cloud-native tool to assess the configuration of our resources.
1. If it’s your first time using AWS Config, you’ll have to enable it in the account (and in each region you want evaluated), with a configuration recorder that includes the AWS::EC2::SecurityGroup resource type.
2. Next, click “Add rule” and search for restricted-ssh; luckily AWS Config already ships this as one of its 200+ managed rules. Be aware that restricted-ssh only flags security groups that allow SSH from 0.0.0.0/0 or ::/0. To catch port 22 open to any source, as the policy requires, or to check other ports, you need a custom rule: either a Lambda function or a Custom Policy rule written in AWS CloudFormation Guard.
3. Scope the rule to the AWS::EC2::SecurityGroup resource type and add it.
4. Kick off an evaluation and verify in the Config dashboard which security groups are compliant and which are not.
5. If you manage the accounts with Terraform or CloudFormation (a CloudFormation StackSet deploys the rule to every account in the organization), apply the same change everywhere; otherwise repeat steps 1-4 in the console for each of the 10 accounts.
6. Now we need to aggregate the AWS Config data in a single account. This is done by creating an “Aggregator” in the account that will hold the consolidated view.
7. After creating the aggregator and its IAM role, and adding your organization’s accounts (or the organization itself) as sources, AWS Config displays the compliance results from all of your accounts in one place.
8. Lastly, we need to get the alerts into the Slack channel. Note that the aggregator gives you a view, not events: compliance changes are emitted in the account and region where they happen, so the following has to exist in every account (or each account’s default event bus must forward aws.config events to a central bus in the aggregator account).
a) Create an EventBridge rule matching AWS Config compliance-change events (source aws.config, detail-type “Config Rules Compliance Change”) and target an SNS topic.
b) Subscribe AWS Chatbot to that topic, which posts to the channel with no code, or
c) Create a Slack incoming webhook and subscribe a Lambda function to the topic that formats each event and POSTs it to the webhook.
9. Mission accomplished! We are now notifying the security team whenever a security group in any of our AWS accounts exposes port 22 inbound.
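Step 2 above notes that the managed restricted-ssh rule only flags SSH open to the whole internet, while the policy forbids inbound port 22 from any source. The evaluation logic a custom-rule Lambda needs for that is shown below. This is an added example, not code from the original post or from Hyperglance; it assumes the Lambda is attached as a configuration-change-triggered rule on AWS::EC2::SecurityGroup, and every security group in it is constructed for illustration.

```python
"""Custom AWS Config rule logic: flag any security group that admits
inbound TCP/22 from ANY source (CIDR, another security group, prefix list).

Added example, not code from the original post or from Hyperglance.
Assumed wiring: configuration-change-triggered rule on
AWS::EC2::SecurityGroup. All sample configuration items are constructed.
"""
import json

SSH_PORT = 22
# configurationItemStatus values for which there is nothing left to evaluate
DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def _rule_covers_port(perm, port):
    """True if one ipPermissions entry spans `port` for TCP (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                 # "All traffic": every protocol, every port
        return True
    if proto != "tcp":                # UDP/ICMP rules cannot carry SSH
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _sources(perm):
    """All sources of one rule: IPv4/IPv6 CIDRs, other SGs, prefix lists."""
    return (
        [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        + [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        + [g["groupId"] for g in perm.get("userIdGroupPairs", [])]
        + [p["prefixListId"] for p in perm.get("prefixListIds", [])]
    )


def evaluate_security_group(configuration_item):
    """Return (complianceType, annotation) for one SG configuration item."""
    if configuration_item.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE", "security group no longer exists"
    offenders = set()
    for perm in configuration_item["configuration"].get("ipPermissions", []):
        if _rule_covers_port(perm, SSH_PORT):
            offenders.update(_sources(perm))
    if offenders:
        return "NON_COMPLIANT", f"inbound TCP/{SSH_PORT} allowed from: " + ", ".join(sorted(offenders))
    return "COMPLIANT", f"no inbound rule covers TCP/{SSH_PORT}"


def lambda_handler(event, context):
    """AWS Config custom rule entry point (configuration-change trigger)."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_security_group(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],            # Config caps annotations at 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if event.get("resultToken") != "TESTMODE":     # console test invocations pass TESTMODE
        import boto3                               # AWS SDK, present in the Lambda runtime
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_config_event(configuration_item, result_token="TESTMODE"):
    """Build the event AWS Config hands to the Lambda (for local runs)."""
    return {"invokingEvent": json.dumps({"configurationItem": configuration_item,
                                          "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": result_token}


def _sample_sg(sg_id, ip_permissions):
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2021-06-01T12:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": ip_permissions}}


# Constructed samples. Internal-only SSH is still a violation of the policy.
SAMPLE_SG_SSH_INTERNAL = _sample_sg("sg-0a1b2c3d4e5f60001", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}],
     "ipv6Ranges": [], "userIdGroupPairs": [], "prefixListIds": []}])
SAMPLE_SG_HTTPS_ONLY = _sample_sg("sg-0a1b2c3d4e5f60002", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
     "ipv6Ranges": [], "userIdGroupPairs": [], "prefixListIds": []}])
SAMPLE_SG_ALL_TRAFFIC_FROM_SG = _sample_sg("sg-0a1b2c3d4e5f60003", [
    {"ipProtocol": "-1", "ipv4Ranges": [], "ipv6Ranges": [], "prefixListIds": [],
     "userIdGroupPairs": [{"groupId": "sg-0a1b2c3d4e5f60009", "userId": "111122223333"}]}])
```

The "-1" (all traffic) case matters: a rule that opens every port to another security group never mentions port 22 and slips past a naive `fromPort == 22` check, yet it exposes SSH just the same. The annotation lists the offending sources so the Slack alert later carries something actionable rather than just a resource ID.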
AWS Native Solution
Estimated Completion Time
5-10 hours
Complexity
4/5
Requires Scripting?
Yes
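Step 8 of the AWS-native walkthrough is where the scripting comes in: if you choose a Lambda function over AWS Chatbot, it has to unwrap the SNS delivery, decide which compliance transitions deserve an alert, and post to the Slack webhook. The function below does exactly that. It is an added example, not code from the original post or from Hyperglance; it assumes an EventBridge rule on source "aws.config" / detail-type "Config Rules Compliance Change" feeding an SNS topic this Lambda is subscribed to, reads the webhook from an assumed environment variable SLACK_WEBHOOK_URL, and all account IDs, rule names and resource IDs in its samples are constructed.

```python
"""Lambda that relays AWS Config compliance-change events (via SNS) to a
Slack incoming webhook.

Added example, not code from the original post or from Hyperglance.
Assumed wiring: EventBridge rule (source "aws.config", detail-type
"Config Rules Compliance Change") -> SNS topic -> this Lambda. The webhook
URL comes from the assumed env var SLACK_WEBHOOK_URL. Samples are constructed.
"""
import json
import os
import urllib.request

ALERT_ON = {"NON_COMPLIANT"}   # stay quiet on COMPLIANT / NOT_APPLICABLE transitions


def build_slack_message(config_event):
    """Turn one compliance-change event into a Slack webhook payload.

    Returns None when the new state is not alert-worthy, so a resource
    flipping back to COMPLIANT does not page anyone.
    """
    detail = config_event["detail"]
    new_state = detail.get("newEvaluationResult", {}).get("complianceType")
    if new_state not in ALERT_ON:
        return None
    old_state = detail.get("oldEvaluationResult", {}).get("complianceType", "n/a")
    annotation = detail.get("newEvaluationResult", {}).get("annotation", "")
    text = (f":rotating_light: {detail['configRuleName']} is {new_state} (was {old_state}) "
            f"for {detail['resourceType']} {detail['resourceId']} "
            f"in {detail['awsAccountId']}/{detail['awsRegion']}")
    fields = [
        {"type": "mrkdwn", "text": f"*Rule*\n{detail['configRuleName']}"},
        {"type": "mrkdwn", "text": f"*Resource*\n{detail['resourceId']}"},
        {"type": "mrkdwn", "text": f"*Account / Region*\n{detail['awsAccountId']} / {detail['awsRegion']}"},
        {"type": "mrkdwn", "text": f"*Change*\n{old_state} -> {new_state}"},
    ]
    if annotation:
        fields.append({"type": "mrkdwn", "text": f"*Details*\n{annotation[:1000]}"})
    return {"text": text, "blocks": [{"type": "section", "fields": fields}]}


def parse_sns_records(sns_event):
    """Unwrap the Config events carried in an SNS -> Lambda invocation."""
    return [json.loads(rec["Sns"]["Message"]) for rec in sns_event.get("Records", [])]


def post_to_slack(payload, webhook_url):
    """POST the payload to the incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context):
    """Lambda entry point for SNS deliveries."""
    webhook_url = os.environ["SLACK_WEBHOOK_URL"]   # the URL is a bearer secret: keep it out of code
    sent = 0
    for config_event in parse_sns_records(event):
        payload = build_slack_message(config_event)
        if payload is not None:
            post_to_slack(payload, webhook_url)
            sent += 1
    return {"sent": sent}


def wrap_in_sns(*config_events):
    """Build the SNS -> Lambda event shape, for local runs and tests."""
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(e)}}
                        for e in config_events]}


def _sample_event(old, new, annotation=""):
    return {"version": "0", "source": "aws.config",
            "detail-type": "Config Rules Compliance Change",
            "account": "111122223333", "region": "eu-west-1",
            "detail": {"resourceId": "sg-0a1b2c3d4e5f60001",
                       "resourceType": "AWS::EC2::SecurityGroup",
                       "awsRegion": "eu-west-1", "awsAccountId": "111122223333",
                       "configRuleName": "restricted-ssh",
                       "messageType": "ComplianceChangeNotification",
                       "oldEvaluationResult": {"complianceType": old},
                       "newEvaluationResult": {"complianceType": new, "annotation": annotation}}}


# Constructed samples: one violation, one remediation.
SAMPLE_NONCOMPLIANT_EVENT = _sample_event("COMPLIANT", "NON_COMPLIANT",
                                          "Security group allows SSH from 0.0.0.0/0")
SAMPLE_REMEDIATED_EVENT = _sample_event("NON_COMPLIANT", "COMPLIANT")
```

Filtering on the new compliance state is what keeps the channel useful: without it, every fix produces a second message, and the team learns to ignore the feed. Because the event carries the originating account and region, the same Lambda serves all 10 accounts once each account's rule forwards to it.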
Hyperglance Solution
Hyperglance is an all-in-one, container-based cloud management platform, deployed in your own environment on an EC2 instance, EKS or ECS, that uses the AWS, Azure and Kubernetes APIs to gather data on your resources.
It can be deployed directly from the AWS or Azure Marketplace, or via Terraform into your own infrastructure; visit hyperglance.com to start a free trial and initiate the deployment.
After the setup is complete, you’ll be able to access your personal dashboard and continue following along with the steps below.
1. Search for 'ssh' on your Hyperglance dashboard
2. Click the first result, which will be the start of our new config check. As you can see, the results are already aggregated from all of the AWS accounts here.
3. We want to change this rule so that it flags all instances with port 22 inbound enabled from any source, not only from the internet. To do that, click the X next to “Source:0.0.0.0/0” in the security group attributes block to remove that condition.
4. Now that we have the conditions we want, click “Save Rule As”.
5. Enable notifications and then click the “Settings page > Alert Notifications tab” link to add the Slack webhook URL.
6. After adding the webhook in your settings, go back to the rule, select the hook you’ve just created and save the rule.
7. Mission accomplished!
Hyperglance Solution
Estimated Completion Time
15-20 minutes
Complexity
1/5
Requires Scripting?
No
Conclusion
During this exercise we showed that AWS Config and Hyperglance are both viable options for configuration monitoring across multiple accounts.
However, we saw that the complexity of using AWS-native tools increased significantly during the multi-account and alerting setup, eventually requiring an aggregator, IAM roles, SNS topics and a Lambda function or Chatbot integration.
Furthermore, the same task in Hyperglance took under 20 minutes and could be done entirely through the GUI, with no scripting experience required.
That potentially saves an engineer 5-10 hours on this single task, in addition to avoiding the per-evaluation cost of AWS Config (up to $0.001 per rule evaluation, on top of configuration item recording charges).
Hyperglance - Cloud Management You Control
Hyperglance gives you complete cloud management enabling you to have confidence in your security posture and cost management whilst providing you with enlightening, real-time architecture diagrams.
Monitor security & compliance, manage costs & reduce your bill, interactive diagrams & inventory, built-in automation. Save time & money and get complete peace of mind.
Book a 30-minute demo today, or experience it all, for free, with a 14-day trial.
About The Author: Stephen Lucas
As Hyperglance's Chief Product Officer, Stephen is responsible for the Hyperglance product roadmap. Stephen has over 20 years of experience in product management, project management, and cloud strategy across various industries.