Cloud Workload Protection Platform (CWPP) is a security solution to protect compute workloads like Virtual Machines (VM), containers and serverless resources running in the cloud. It provides security teams visibility into compute resources and monitors for anomalous behavior, malicious activity, unauthorized access, vulnerabilities, secrets, compliance and configuration posture, etc. There…

AWS CloudTrail provides audit capabilities for risk, governance and compliance. CloudTrail Lake (CTL) provides ability to query the audit events using SQL. Recently AWS released a new feature to ingest external audit data into CTL using PutAuditEvents API. Data is stored as immutable ORC files for up to 7 years…

Cloud attacks haven’t yet become very sophisticated. In AWS, most of the external attacks are related to resource mis-configurations and/or stolen credentials. Many audit trail based detections in security products are easy to bypass unless they are comprehensive and complemented with resource details. GetCallerIdentity GetCallerIdentity is an AWS API call to…

I run into Server-Side Encryption (SSE) every other day: compliance related alerts, AWS announcements about some service now supporting SSE. It all started with SSE support for S3 more than a decade ago. Let’s use S3 as an example to see what it provides. …

Glue your audit trails together easily — A good audit trail captures sufficient information about who, what, when, and where. If any of these are missing or lacking in details, it becomes a nightmare to glue things together. I spent a decent amount of time analyzing AWS CloudTrail (CT). Many Cloud Security Posture Management (CSPM) and Cloud…

Cloud Security teams have heard of Cloud Infrastructure Entitlement Management (CIEM). It’s one of many buzzwords in Cloud Security. One common feature in every CIEM product is mitigating risks due to excess permissions. Excess permissions refer to the permissions an entity (user, resource, etc.) have been given but have not…

Virtual networking in the Cloud has become very complicated. Current crop of security tools focus heavily on only resource misconfigurations, compliance, vulnerabilities etc. But I haven’t seen much focus on network security concerns. Simple construct in the AWS networking is a security group (SG). Security Group It is a firewall around an…

There are other approaches, that use two servers per VPC (OpenVPN or OpenSWAN/StrongSWAN etc) connecting to remote VPN servers. High availability (HA) is implemented using a script to monitor and swap routes in the route table. That might be cheaper to implement. You could also use Amazon’s Direct Connect etc…