Services to Create And Monitor Secure Environments on AWS
As more and more enterprises and organisations move to the cloud, one great concern is how to ensure it is secure. In this post I will highlight five important services that relate to managing the security and monitoring of your AWS cloud environment. This won’t be a deep dive; rather, it gives an overview of these services and how they work together.
Virtual Private Cloud (VPC)
In AWS, a VPC is an isolated private cloud in which to host your servers. You control how those servers are reached by using Route Tables, Security Groups and Network Access Control Lists to manage the flow of traffic in and out of your environment. This in turn gives you full control over how the servers hosted inside your environment can be accessed, whether internally, from external servers on-premise, or otherwise through a VPN connection.
CloudWatch
CloudWatch is a service on AWS that automatically collects metrics from the infrastructure you deploy, such as EC2 instances, SQS queues and RDS instances. Out of the box, CloudWatch collects some metrics from every service on AWS. With the data collected by CloudWatch, you can trigger alarms that send SMS or emails when certain thresholds are crossed, or that increase the number of EC2 instances in an Auto Scaling group. CloudWatch also provides a dashboard in the Console to view these metrics as graphs. All metrics collected by CloudWatch can also be forwarded to third-party services such as New Relic and Prometheus for further analysis and action.
CloudTrail
CloudTrail serves as the “Big Brother” of AWS. It is a service that you enable per region, and it tracks all API calls (meaning all actions) made by your AWS users or roles. CloudTrail gives you detailed information on who did what and when. All CloudTrail data is automatically stored in an S3 bucket and also in CloudWatch for further analysis, but it can also be streamed in real time to third-party tools such as an ELK (Elasticsearch, Logstash, Kibana) stack for both analysis and auditing of the environment.
AWS Config
With CloudWatch monitoring your AWS environment and CloudTrail tracking each and every action users make, AWS Config is the service for tracking the state of your environment. Every change made to the resources within your AWS account is recorded. You can also create Config Rules that are evaluated against changes to your resources; the rules can alert you to unwanted changes and possible security issues.
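As an added example (not code from the original post or from AWS), here is the evaluation logic of a custom Config rule in Python, the kind a Lambda-backed rule runs: it inspects a security group's configuration item and marks it NON_COMPLIANT when an administrative port is open to the whole internet, tying the VPC security-group controls above to the Config Rules described here. The lowerCamelCase field names (ipPermissions, fromPort, cidrIp), the constructed sample event and the port list are assumptions made for this example.

```python
import json

SENSITIVE_PORTS = {22, 3389}           # assumption: admin ports never allowed from the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}       # CIDRs that mean "the whole internet"

def permission_covers_port(perm, port):
    """True if an ipPermissions entry reaches `port`; ipProtocol -1 means all traffic."""
    if perm.get("ipProtocol") == "-1":
        return True
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)

def evaluate_security_group(configuration):
    """Return (ComplianceType, Annotation) for a security group's configuration block."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        world = ANYWHERE.intersection(cidrs)
        if not world:
            continue  # this rule only worries about world-open ingress
        for port in sorted(SENSITIVE_PORTS):
            if permission_covers_port(perm, port):
                findings.append(f"port {port} open to {','.join(sorted(world))}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "no sensitive port is open to the world"

def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses when it invokes a custom rule's Lambda."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # A deployed rule reports this with boto3: config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event: a group that opens SSH (22) and HTTPS (443) to the whole internet.
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Only the SSH entry is reported: the HTTPS entry is world-open too, but 443 is not in the sensitive-port list, which is the kind of policy decision you encode in the rule.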
Securing your cloud infrastructure requires a good knowledge of your environment and extensive monitoring and alerting.
At AltoStack, our mission is to help organisations accelerate their time to value from the cloud by designing, building, and optimising their infrastructures in the public cloud.
We are a team of DevOps fanatics and a core part of our work is helping organisations leverage the cloud to increase the speed and success of cultural transformation.