Cloud Governance is Tough

Cloud Governance can be difficult to translate into technical objectives, and even more challenging to implement and scale.

Amazon Web Services’ (AWS) Cloud Adoption Framework includes 6 different perspectives:

  1. Governance
  2. People
  3. Business
  4. Platform
  5. Security
  6. Operations

Cloud Governance could be considered a combination of these business and technical capabilities.

In this blog, we’ll look at a solution for monitoring, and alerting on, resources that deviate from the company’s configuration baseline.

We’ll first take a look at a solution using AWS native tools and compare it to Hyperglance’s solution to the same problem.

The Scenario

The security team has identified several bastion hosts whose security groups allow port 22 (SSH) inbound from anywhere (0.0.0.0/0), despite the company’s best practice of using AWS Systems Manager Session Manager, which needs no inbound ports at all: the SSM agent connects outbound to the service over HTTPS (port 443).

A policy is created: systems must be accessed over port 443 (Session Manager), and inbound traffic on port 22 must be denied from every source, not only from 0.0.0.0/0.

You're charged with ensuring this policy is adhered to and reporting violations to the security team.

The company uses 10 AWS accounts. Each requires monitoring, and alerts should be aggregated within a single account. Furthermore, non-compliance notifications should be posted to the security Slack channel for increased awareness.

AWS Native Solution

AWS Config is the appropriate cloud-native tool to assess the configuration of our resources.

1. If it’s your first time using AWS Config, enable the service (the configuration recorder and delivery channel) in the account. The recorder is regional, so this has to be done in every region you want to monitor.

2. Next, click “Add rule” and search for restricted-ssh. Luckily, this is already one of the 200+ AWS managed rules. Be aware of what it actually checks, though: restricted-ssh only reports a security group as NON_COMPLIANT when inbound TCP/22 is open to 0.0.0.0/0 or ::/0; a rule allowing SSH from a specific CIDR or from another security group still passes. Our policy denies port 22 from any source, so to enforce it exactly (or to cover other ports) you will need a custom rule backed by a Lambda function.

3. Then scope the rule to all resources of type AWS::EC2::SecurityGroup and add the rule.

[Screenshot: rule scoped to all EC2 security group resources]

4. Kick off an evaluation and verify in the Config dashboard which security groups are compliant and which are not.

[Screenshot: AWS Config evaluation results]

5. If you manage the accounts with Terraform or CloudFormation, roll the same rule out to the other accounts (from the AWS Organizations management account or a delegated administrator, an organization Config rule deploys it to every member account in one step); otherwise repeat steps 1-4 in the console for each account.

6. Now aggregate the AWS Config data in a single account by creating an “Aggregator”.

[Screenshot: AWS Config aggregator]

7. After you create the aggregator and the IAM role it needs, and add your organization’s accounts (each source account must authorize the aggregator unless you enable it for the whole organization), AWS Config displays the compliance results from all of your accounts in one place.

8. Lastly, we need to post the alerts to the Slack channel:

a) Create a Slack incoming webhook (not needed if you use AWS Chatbot, which posts to Slack on its own)

b) Create an SNS topic

c) Create an EventBridge rule that matches AWS Config “Config Rules Compliance Change” events with a NON_COMPLIANT result and sends them to the SNS topic. These events are emitted in the account and region where the rule evaluates, not by the aggregator, so the EventBridge rule (or a forward to a central event bus) is needed in every monitored account.

d) Deliver to Slack: either subscribe AWS Chatbot to the topic, or subscribe a Lambda function that formats the event and POSTs it to the webhook

[Screenshot: AWS notification channels]

9. Mission accomplished! The security team is now notified whenever a security group in any of our AWS accounts allows inbound SSH.
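
To close the gap noted in step 2 between the managed restricted-ssh rule (which only fails 0.0.0.0/0 and ::/0) and the policy (no inbound 22 from any source), here is an added example of a custom AWS Config rule in Python. It is written for this post and is not code from AWS or Hyperglance. It assumes the camelCase configuration-item shape Config delivers for AWS::EC2::SecurityGroup, an optional rule parameter called unrestrictedOnly (a name chosen here) that switches the check back to managed-rule behaviour, and the security groups at the bottom are constructed samples, not real resources:

```python
"""Custom AWS Config rule (Lambda) that flags ANY inbound rule covering TCP/22,
whatever the source. The managed restricted-ssh rule only fails 0.0.0.0/0 or ::/0.
Field names follow the camelCase shape of AWS::EC2::SecurityGroup configuration
items as delivered to custom rules (assumption, see lead-in)."""
import json
from typing import Any, Dict, List

SSH_PORT = 22
UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def _covers_port(perm: Dict[str, Any], port: int) -> bool:
    """True if one ipPermissions entry allows TCP traffic to `port`.
    Config encodes 'all traffic' as ipProtocol '-1' with no port range."""
    proto = str(perm.get("ipProtocol", "")).lower()
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:  # tcp entry without a range: every port
        return True
    return int(lo) <= port <= int(hi)


def _sources(perm: Dict[str, Any]) -> List[str]:
    """Every source of an inbound entry: IPv4/IPv6 CIDRs, other security
    groups and prefix lists. ipRanges (strings) and ipv4Ranges (objects)
    both appear in Config items, so de-duplicate with a set."""
    srcs = set()
    for r in perm.get("ipRanges") or []:
        srcs.add(r if isinstance(r, str) else r.get("cidrIp"))
    for key, field in (("ipv4Ranges", "cidrIp"), ("ipv6Ranges", "cidrIpv6"),
                       ("userIdGroupPairs", "groupId"), ("prefixListIds", "prefixListId")):
        for entry in perm.get(key) or []:
            srcs.add(entry.get(field))
    return sorted(s for s in srcs if s)


def evaluate_security_group(config: Dict[str, Any],
                            unrestricted_only: bool = False) -> Dict[str, str]:
    """Return {'compliance': ..., 'annotation': ...} for one security group.
    unrestricted_only=True reproduces what the managed restricted-ssh rule
    checks; False implements the policy in this post (no inbound 22 at all)."""
    findings = []
    for perm in config.get("ipPermissions") or []:
        if not _covers_port(perm, SSH_PORT):
            continue
        srcs = _sources(perm)
        if unrestricted_only:
            srcs = [s for s in srcs if s in UNRESTRICTED]
        if srcs:
            findings.append(f"{perm.get('ipProtocol')} port {SSH_PORT} from {', '.join(srcs)}")
    if findings:
        # Config rejects annotations longer than 256 characters
        return {"compliance": "NON_COMPLIANT",
                "annotation": ("Inbound SSH allowed: " + "; ".join(findings))[:256]}
    return {"compliance": "COMPLIANT", "annotation": "No inbound rule covers TCP/22"}


def lambda_handler(event, context):
    """Entry point AWS Config invokes for a custom Lambda rule."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:  # oversized-change or scheduled notification: nothing inline to evaluate
        return
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, annotation = "NOT_APPLICABLE", "Not a security group"
    elif item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Resource deleted"
    else:
        # hypothetical rule parameter unrestrictedOnly=true mimics restricted-ssh
        result = evaluate_security_group(
            item["configuration"], str(params.get("unrestrictedOnly", "false")).lower() == "true")
        compliance, annotation = result["compliance"], result["annotation"]
    import boto3  # imported here so the evaluator stays testable without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": annotation,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])


# Constructed sample configuration items (not from any real account)
SG_OPEN_TO_WORLD = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
    "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}
SG_OFFICE_ONLY = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
    "ipRanges": ["203.0.113.0/24"], "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]}]}
SG_ALL_FROM_PEER = {"ipPermissions": [{"ipProtocol": "-1",
    "userIdGroupPairs": [{"groupId": "sg-0123456789abcdef0", "userId": "111122223333"}]}]}
SG_HTTPS_ONLY = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
    "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}
```

The interesting case is SG_OFFICE_ONLY: with unrestricted_only=True (what restricted-ssh does) it is COMPLIANT, with the policy as written it is NON_COMPLIANT. The Lambda's execution role needs config:PutEvaluations, and the rule is registered in Config as a custom Lambda rule triggered by configuration changes with the resource type scoped to AWS::EC2::SecurityGroup.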

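For step 8, the notification path is EventBridge to SNS to Lambda to the Slack webhook. The following is an added example, not code from this post or from AWS or Hyperglance, of the EventBridge event pattern and of the Lambda that turns “Config Rules Compliance Change” events into Slack messages. The rule name restricted-ssh in the pattern, the SLACK_WEBHOOK_URL environment variable and the sample event at the bottom are assumptions or constructed data. Because these events fire in each source account and region, the EventBridge rule has to exist (or forward to a central event bus) in every monitored account:

```python
"""Lambda subscribed to the SNS topic of step 8: turns AWS Config
'Config Rules Compliance Change' events into Slack messages sent to an
incoming webhook. Only NON_COMPLIANT changes are forwarded."""
import json
import os
import urllib.request
from typing import Any, Dict, List, Optional

# EventBridge event pattern for the rule that feeds the SNS topic. The
# configRuleName filter assumes the managed rule kept its default name.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["restricted-ssh"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def build_slack_message(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Slack webhook payload for a NON_COMPLIANT change, else None.
    Re-checked here so a looser EventBridge pattern cannot spam the channel."""
    if (event.get("source") != "aws.config"
            or event.get("detail-type") != "Config Rules Compliance Change"):
        return None
    d = event.get("detail") or {}
    new = d.get("newEvaluationResult") or {}
    if new.get("complianceType") != "NON_COMPLIANT":
        return None
    old = (d.get("oldEvaluationResult") or {}).get("complianceType", "NOT_EVALUATED")
    text = (f":rotating_light: Config rule `{d.get('configRuleName')}` is NON_COMPLIANT\n"
            f"*Account:* {d.get('awsAccountId')}   *Region:* {d.get('awsRegion')}\n"
            f"*Resource:* `{d.get('resourceType')}` `{d.get('resourceId')}`\n"
            f"*Previously:* {old}\n"
            f"*Detail:* {new.get('annotation') or 'n/a'}")
    return {"text": text}


def extract_events(sns_event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """SNS delivers each EventBridge event as a JSON string in Records[].Sns.Message."""
    events = []
    for record in sns_event.get("Records") or []:
        message = (record.get("Sns") or {}).get("Message")
        if message:
            events.append(json.loads(message))
    return events


def post_to_slack(payload: Dict[str, Any], webhook_url: str) -> int:
    """POST the payload to the webhook; returns the HTTP status (200 on success)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context):
    """SNS -> Lambda entry point. The webhook URL is a secret: keep it in
    Secrets Manager or an encrypted SSM parameter rather than in code."""
    webhook_url = os.environ["SLACK_WEBHOOK_URL"]  # assumed variable name
    sent = 0
    for evt in extract_events(event):
        payload = build_slack_message(evt)
        if payload is not None:
            post_to_slack(payload, webhook_url)
            sent += 1
    return {"sent": sent}


# Constructed sample: one SNS record wrapping a compliance-change event
SAMPLE_CHANGE = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "account": "111122223333", "region": "eu-west-1",
    "detail": {
        "configRuleName": "restricted-ssh", "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0", "awsRegion": "eu-west-1",
        "awsAccountId": "111122223333", "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                "annotation": "Inbound SSH allowed from 0.0.0.0/0"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_CHANGE)}}]}
```

If you choose AWS Chatbot in step 8d instead, subscribe it to the same topic and drop the Lambda; the EventBridge pattern above stays the same.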
Summary - AWS Native Solution

Estimated completion time: 1-2 days (5-10 engineer hours)
Complexity: 4/5
Requires scripting? Yes

Hyperglance Solution

Hyperglance is an all-in-one, container-based cloud management platform, deployed on an EC2 instance, EKS or ECS, that uses the AWS, Azure and Kubernetes APIs to gather data on your resources.

It can be deployed directly from the AWS or Azure Marketplace or via Terraform into your own infrastructure, visit hyperglance.com to start a free trial and initiate the deployment.

After the setup is complete, you’ll be able to access your personal dashboard and continue following along with the steps below.

1. Search for 'ssh' on your Hyperglance dashboard

[Screenshot: searching for 'ssh' in Hyperglance]

2. Click the first result, which will be the start of our new config check. As you can see, the results are already aggregated from all of the AWS accounts here.

[Screenshot: AWS search results]

3. We want to change this rule so that it matches every security group with port 22 inbound allowed, whatever the source, not only those open to the world. To do that, click the X next to “Source:0.0.0.0/0” in the security group attributes block to remove that condition.


4. Now that we have the conditions we want, click “Save Rule As”.


5. Enable notifications and then click the “Settings page > Alert Notifications tab” link to add the Slack webhook URL.


6. After adding the webhook in your settings, go back to the rule, select the hook you’ve just created and add the rule.


7. Mission accomplished!

Summary - Hyperglance Solution

Estimated completion time: 15-20 minutes
Complexity: 1/5
Requires scripting? No

Conclusion

During this exercise we showed that AWS Config and Hyperglance are both viable options for configuration monitoring across multiple accounts.

However, the complexity of the AWS native approach increased significantly during the multi-account and alerting setup, which eventually required an aggregator, a Lambda function, IAM roles and an SNS topic.

Furthermore, the same task in Hyperglance took 15-20 minutes and was done entirely through the GUI, with no scripting required.

That potentially saves an engineer 5-10 hours on this single task, in addition to avoiding the per-evaluation cost of AWS Config rules (up to $0.001 per rule evaluation).

                           AWS Native Solution   Hyperglance Solution
Estimated completion time  5-10 hours            15-20 minutes
Complexity                 4/5                   1/5
Requires scripting?        Yes                   No

Start a 14-day free trial today to discover how Hyperglance can save your team time, risk, and money!