Introducing CloudSploit Events

CloudSploit
Published in CloudSploit
Mar 8, 2017

CloudSploit Events is a new product release from CloudSploit, enabling real-time security analysis of API activity across an entire AWS account environment.

To explain CloudSploit to potential users, we often ask them “how would you know if a malicious user was created in your Amazon Web Services account?” The goal is to demonstrate that AWS accounts are quite difficult to audit for security risks and that many users do not have insights into the entire account environment. The parts that slip through the cracks may very well be the misconfiguration that leads to a compromised infrastructure. CloudSploit handles this use case nicely with its background scanning services; these scans unearth the configuration status of scores of AWS services.

As we have grown as a security scanning service, we realized that an even more important question to ask is “how long would it take you to realize your AWS account was compromised?” Unfortunately, the answer for most users ranges anywhere from “days” to “never.”

Today, CloudSploit is announcing what we believe is our most important product update to date — CloudSploit Events. With Events, the answer to the above question can be “seconds.”

Until now, CloudSploit has primarily been a reactive service. We scan your AWS account every few hours, collect configuration results, and compare them to known security best practices. We then use these results to produce the scan reports that are delivered to your email and dashboard. If new risks appear in the AWS account, the subsequent scan will detect them and trigger alerts as needed.

However, the time between scans can be as long as 36 hours. That’s a long time for a potential security risk to exist in your account, undetected. With CloudSploit Events, these risks are now detected, analyzed, and forwarded to your alert integrations within seconds of being introduced. This ensures you are made aware the moment suspicious activity occurs in your account.

CloudSploit Events works by hooking into AWS CloudWatch Events — the “event bus” of the AWS environment. Every action that occurs in your account, from security group changes to console logins to Route53 domain changes, is sent to CloudWatch Events via CloudTrail. From there, select security-sensitive events can be forwarded to CloudSploit where we can analyze the entire event object for suspicious activity.

Within seconds (not hyperbole — we timed it — 25 seconds on average), CloudSploit can receive the event from your AWS account, compare it to known risk profiles, store a copy, and trigger an integration like Slack, SNS, or OpsGenie. We envision having a Slack channel, #aws-security-events that contains a stream of potential risks detected by CloudSploit.

So what exactly can CloudSploit Events warn you about? The answer is “almost anything.” But to narrow it down a bit, here are some examples:

  • The root user logs into your AWS account
  • The account password policy is modified
  • EC2 security groups are modified
  • CloudTrail logging is stopped, or otherwise interrupted
  • A new user account is created with excessive permissions
  • The AWS ConfigService recorder is stopped
  • VPC Flow logs are disabled or deleted
  • A suspicious IP address logs into the console or makes an API request
  • Activity is detected in an unused region
  • A login is made without an MFA device
  • The MFA device is deactivated or changed

The list goes on, but hopefully this gives you a good idea of the events we’re looking for. What’s important to note is that CloudSploit is learning — both from your input (via our custom “event rules”) and from the events that you ignore or respond to. Over time, the alerts CloudSploit sends you will become more tailored to the exact risks you deem important.
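To make the rule matching described above concrete, here is a small Python classifier added for this post (it is not CloudSploit's own code) that runs several of the listed checks over constructed CloudWatch Events records carrying CloudTrail data; the approved-region set, the IP watchlist, the rule table and the sample records are assumptions, while the event field names are the ones CloudTrail actually emits.

```python
# Added example (not CloudSploit's code): rule matching over CloudWatch Events records
# that carry CloudTrail API calls and console sign-ins. Field names are real CloudTrail
# fields; the rule table, region/IP lists and sample records are constructed.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # assumption: the regions this account uses
SUSPICIOUS_IPS = {"203.0.113.7"}                 # constructed watchlist (TEST-NET-3 address)

# eventName -> alert text, covering several items from the list above
API_RULES = {
    "UpdateAccountPasswordPolicy": "account password policy modified",
    "AuthorizeSecurityGroupIngress": "EC2 security group modified",
    "RevokeSecurityGroupIngress": "EC2 security group modified",
    "StopLogging": "CloudTrail logging stopped",
    "StopConfigurationRecorder": "AWS Config recorder stopped",
    "DeleteFlowLogs": "VPC Flow Logs deleted",
    "DeactivateMFADevice": "MFA device deactivated",
}

def evaluate(event):
    """Return the alert strings one event triggers (empty list if benign)."""
    d = event.get("detail", {})
    name = d.get("eventName")
    alerts = []
    if name == "ConsoleLogin":
        if d.get("userIdentity", {}).get("type") == "Root":
            alerts.append("root user console login")
        if d.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append("console login without MFA")
    elif name in API_RULES:
        alerts.append(API_RULES[name])
    if d.get("awsRegion") not in APPROVED_REGIONS:
        alerts.append(f"activity in unused region {d.get('awsRegion')}")
    if d.get("sourceIPAddress") in SUSPICIOUS_IPS:
        alerts.append(f"request from suspicious IP {d['sourceIPAddress']}")
    return alerts

# Constructed records in the shape CloudWatch Events delivers CloudTrail data.
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
                "sourceIPAddress": "198.51.100.4", "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"}}},
    {"detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
                "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"type": "IAMUser", "userName": "deploy"}}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["detail"]["eventName"], "->", evaluate(ev) or "no alert")
```

A single event can match several rules at once, which is why the second sample record produces three alerts rather than one.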

Getting started with CloudSploit Events is very simple, but there are a few prerequisites:

  1. First, you must be a CloudSploit Premium Plan subscriber. Events costs us quite a bit of money to operate (there is a lot of data flowing), so we’re only able to make this feature available to our Premium subscribers.
  2. You must enable AWS CloudTrail within your AWS account. This feature is very helpful for tracking down security issues, but in terms of CloudSploit Events, CloudTrail (through CloudWatch Events) serves as the source of all events originating from the account.

Once that’s done, you can enable CloudSploit Events directly from your CloudSploit console by following the steps and launching the CloudFormation template. We’ll handle everything else from there!

We’re incredibly excited about the possibilities that CloudSploit Events exposes. With this release, we are shifting from the reactive world of passive scanning to the active world of detecting security risks within moments of their occurring at the source. You can start using CloudSploit Events today!
