1. Background
As Penn expands into the Amazon Web Services (AWS) cloud platform, IT risk is shifting from traditional on-prem systems with well-defined security boundaries to infrastructure on the scale of a datacenter that a small team can manage entirely through code. System event logging is the means by which administrators understand their environment, yet in AWS little of it is enabled by default. Campus IT personnel therefore need to learn how to configure and explore the fundamental logging necessary to understand the assets they deploy in the AWS cloud.
2. Purpose
This guidance represents the fundamental set of logging controls you can configure in your AWS account to log and analyze security-relevant events regarding access and changes to your AWS account. The procedures described in this document are accurate as of March 2022.
3. Scope
Penn IT professionals responsible for deploying and maintaining Penn assets in AWS are the target audience for this guidance. In it, we discuss a few key logging features native to AWS:
- AWS Config (configuration & alerting)
- VPC Flow Logs (configuration & data exploration)
- AWS CloudTrail (configuration & data exploration)
- S3 server access logging (configuration)
- Amazon CloudWatch (configuration & data exploration)
Configuring these services within your AWS account will help you detect security problems among the assets in the account, but it is by no means comprehensive: the logs only help if they are retained, protected from tampering, and actually reviewed. Additional security controls are necessary to ensure the confidentiality, integrity, and availability of the assets you deploy within AWS, which may require enabling more logging facilities than are described in this document.
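The five controls listed above can be checked as a baseline before any deeper work. The following is an added example, not part of the original guidance or of the PennBox instructions: it evaluates API-shaped data offline, so it runs without AWS credentials. The dict layouts mirror the responses of the boto3 calls named in the comments (describe_trails, get_trail_status, describe_configuration_recorders, describe_configuration_recorder_status, describe_vpcs, describe_flow_logs, get_bucket_logging); the snapshot contents, account number, bucket and VPC identifiers are constructed, and the function names are this example's own.

```python
"""Baseline audit of the five logging controls named in this guidance.

Added example, not from the original guidance. Each snapshot value is assumed
to be the stored response of the boto3 call named beside it, so the logic can
be exercised offline and then pointed at real responses in an account.
"""
import copy
from typing import Dict, List


def audit_cloudtrail(trails: dict, statuses: Dict[str, dict]) -> List[str]:
    """Require one trail that is multi-region, logging, validating log files
    and delivering to CloudWatch Logs (the CloudWatch control in the list)."""
    findings, fully_configured = [], False
    for trail in trails.get("trailList", []):               # cloudtrail.describe_trails
        name = trail["Name"]
        status = statuses.get(name, {})                     # cloudtrail.get_trail_status(Name=name)
        problems = []
        if not status.get("IsLogging"):
            problems.append("not logging")
        if not trail.get("IsMultiRegionTrail"):
            problems.append("single-region")
        if not trail.get("LogFileValidationEnabled"):
            problems.append("log file validation off")
        if not trail.get("CloudWatchLogsLogGroupArn"):
            problems.append("no CloudWatch Logs delivery")
        if problems:
            findings.append(f"CloudTrail trail {name}: " + ", ".join(problems))
        else:
            fully_configured = True
    if not fully_configured:
        findings.append("CloudTrail: no fully configured multi-region trail")
    return findings


def audit_config(recorders: dict, recorder_status: dict) -> List[str]:
    """Require a recorder that records all supported and global resource types."""
    if not recorders.get("ConfigurationRecorders"):        # config.describe_configuration_recorders
        return ["AWS Config: no configuration recorder"]
    recording = {s["name"] for s in recorder_status.get("ConfigurationRecordersStatus", [])
                 if s.get("recording")}                     # config.describe_configuration_recorder_status
    findings = []
    for rec in recorders["ConfigurationRecorders"]:
        group = rec.get("recordingGroup", {})
        if rec["name"] not in recording:
            findings.append(f"AWS Config recorder {rec['name']}: not recording")
        if not (group.get("allSupported") and group.get("includeGlobalResourceTypes")):
            findings.append(f"AWS Config recorder {rec['name']}: missing all-supported or global resource types")
    return findings


def audit_flow_logs(vpcs: dict, flow_logs: dict) -> List[str]:
    """Every VPC needs an ACTIVE flow log capturing ALL traffic, not only REJECT."""
    covered = {f["ResourceId"] for f in flow_logs.get("FlowLogs", [])    # ec2.describe_flow_logs
               if f.get("FlowLogStatus") == "ACTIVE" and f.get("TrafficType") == "ALL"}
    return [f"VPC Flow Logs: {v['VpcId']} has no active flow log for ALL traffic"
            for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered]  # ec2.describe_vpcs


def audit_s3_access_logging(bucket_logging: Dict[str, dict]) -> List[str]:
    """s3.get_bucket_logging returns a LoggingEnabled key only when logging is on."""
    return [f"S3 server access logging: bucket {name} not logging"
            for name, resp in bucket_logging.items() if "LoggingEnabled" not in resp]


def audit_logging_baseline(snapshot: dict) -> List[str]:
    """Return every gap found; an empty list means the baseline is met."""
    return (audit_cloudtrail(snapshot["trails"], snapshot["trail_status"])
            + audit_config(snapshot["config_recorders"], snapshot["config_recorder_status"])
            + audit_flow_logs(snapshot["vpcs"], snapshot["flow_logs"])
            + audit_s3_access_logging(snapshot["bucket_logging"]))


# Constructed sample (not captured from a real account) with three gaps: a
# single-region trail, a VPC without flow logs, and a bucket without access logs.
SAMPLE_SNAPSHOT = {
    "trails": {"trailList": [{
        "Name": "management-events", "S3BucketName": "example-cloudtrail-logs",
        "IsMultiRegionTrail": False, "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Default:*",
    }]},
    "trail_status": {"management-events": {"IsLogging": True}},
    "config_recorders": {"ConfigurationRecorders": [{
        "name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]},
    "config_recorder_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "vpcs": {"Vpcs": [{"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-0ffee000"}]},
    "flow_logs": {"FlowLogs": [{"FlowLogId": "fl-0a1", "ResourceId": "vpc-0a1b2c3d",
                                "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"}]},
    "bucket_logging": {
        "example-cloudtrail-logs": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                                       "TargetPrefix": "cloudtrail/"}},
        "example-app-data": {},
    },
}


def remediated(snapshot: dict) -> dict:
    """Copy of the snapshot with the three constructed gaps closed."""
    fixed = copy.deepcopy(snapshot)
    fixed["trails"]["trailList"][0]["IsMultiRegionTrail"] = True
    fixed["flow_logs"]["FlowLogs"].append({"FlowLogId": "fl-0b2", "ResourceId": "vpc-0ffee000",
                                           "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"})
    fixed["bucket_logging"]["example-app-data"] = {
        "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "app-data/"}}
    return fixed


if __name__ == "__main__":
    for gap in audit_logging_baseline(SAMPLE_SNAPSHOT):
        print("GAP:", gap)
    print("after remediation:", audit_logging_baseline(remediated(SAMPLE_SNAPSHOT)) or "baseline met")
```

The checks are deliberately strict (ALL traffic for flow logs, multi-region trails with log file validation) because a partial configuration passes a casual glance in the console while leaving exactly the events an investigation needs uncaptured. Enabling S3 server access logging on the CloudTrail bucket itself is included so that reads of the audit trail are themselves recorded.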
If you are a customer of ISC’s AWS@Penn service, we encourage you to coordinate your deployment of these recommendations with your AWS@Penn service providers. If your AWS account is currently not participating in AWS@Penn, we encourage you to migrate to the service to take advantage of its consolidated billing, cheaper enterprise support and managed deployment of security controls, and the technical expertise of the ISC Cloud Services team. To enroll in the service, contact ISC Client Care.
If you have questions about how better to secure your AWS infrastructure, write to security@isc.upenn.edu to request a consultation with your OIS Security Point-of-Contact.
4. Requirements
This document assumes introductory to intermediate familiarity with the AWS platform, including fundamental skills such as:
- An understanding of the AWS service model and the “shared responsibility” model.
- Configuring and launching an EC2 instance.
- Configuring and launching an S3 bucket.
- Managing users, groups, and permissions with the AWS IAM service.
We further assume that the AWS account being used by the reader has at least one IAM User configured and that the reader has access to an IAM User or Role providing the “AdministratorAccess” Policy in the AWS account.
Also, note that turning on the features demonstrated here will likely incur additional charges on an AWS account. As cost structures are variable and likely to change, the burden is on the reader to determine the cost impact of turning on these features.
5. Best Practices
We provide a brief overview of each AWS service to be configured below; detailed, step-by-step configuration instructions are available in PennBox at https://upenn.box.com/s/r9ukhar8xdieaumiadlwu1m8xytni4kr.