9 Continuous monitoring

This chapter covers

  • Scanning for insecure resource configuration to detect and fix issues quickly
  • Using agent-based scanners to find vulnerabilities on your fleet of hosts
  • Monitoring network and activity logs to identify threats in real time

Throughout the book so far, we’ve focused on how to securely configure your cloud environment. This can be useful as a guide if we’re building out new resources and want to apply best practices as we go. But rarely do we find ourselves starting new applications from scratch, with everyone baking in security from the start. More often we’re in one of these other situations:

  • Maintaining or extending existing applications that weren’t built with security best practices
  • Working on a new application with many other people who may not be following the same best practices
  • Evaluating security posture or resolving security issues for many applications

Scale and speed of development, two of the primary reasons that people use cloud platforms like AWS, make applying security best practices in these situations difficult. With scale, we may have hundreds or thousands of AWS resources we need to check for compliance with best practices. With the speed of development, we need to check these resources frequently because they can be changing all the time. By the time we checked all of the resources, we’d need to start over and check them again. Unless we want this to be our full-time job, we need a better way to solve this problem.

9.1 Resource configuration scanning

9.1.1 Ad hoc scanning

9.1.2 Continuous monitoring

9.1.3 Compliance standards and benchmarks

9.2 Host vulnerability scanning

9.2.1 Types of host vulnerabilities

9.2.2 Host-scanning tools

9.3 Detecting threats in logs

9.3.1 Threats in VPC Flow Logs

9.3.2 Threats in CloudTrail logs

Summary