Introduction
Best practices for securing an AWS environment, such as AWS's own guidance, are well documented and generally accepted. Even so, organizations may find it hard to know where to begin applying that guidance to their specific environments:
- Which controls should be applied out-of-the-box vs. customized?
- What pitfalls exist in implementing the various controls or checks?
- How do you prioritize remediation of the “sea of red” violations?
In this blog series, we'll analyze anonymized data from Netskope customers covering the security settings of 650,000 entities from 1,143 AWS accounts across several hundred organizations. We'll look at the configurations from the perspective of the best practices, see what commonly occurs in the real world, and:
- Discuss specific risk areas that should be prioritized
- Identify underlying root causes and potential pitfalls
- Focus on practical guidance for applying the Benchmark to your specific environment
This blog post focuses on the security controls related to logging. Based on the Netskope dataset analyzed, we highlight four opportunities to improve security:
- Enable VPC flow logs: 81% of VPCs do not have VPC flow logging enabled, which will hinder incident response and investigations.
- Encrypt CloudTrail logs at rest with KMS: 91% of CloudTrail logs are not encrypted at rest with a KMS key. CloudTrail objects delivered to S3 are encrypted with SSE-S3 by default; this control calls for SSE-KMS with a customer-managed key, which adds key-level access control and an audit trail of who decrypts the logs. It supports data compliance controls and is easy to do.
- Ensure S3 bucket access logging is enabled for CloudTrail buckets: 41% of CloudTrail buckets do not have server access logging enabled. Logging should be enabled for all CloudTrail S3 buckets.
- Ensure CloudTrail logs are integrated with CloudWatch Logs or a SIEM: 54% of CloudTrails are not integrated with CloudWatch Logs. These should be reviewed to ensure the logs are shipped to a production log search service or SIEM.
Logging
These nine technical best practices involve logging configuration, including AWS CloudTrail, S3 bucket access logging, VPC flow logs, and KMS key rotation. They were analyzed against 1,485 CloudTrails, 11,101 VPCs, and 16,281 KMS keys across 1,143 accounts in the Netskope customer dataset.
| # | Best Practice | # Violations | % |
|---|---|---|---|
| 1 | Ensure CloudTrail is enabled in all regions | 39 | 3.4 |
| 2 | Ensure CloudTrail log file validation is enabled | 271 | 18.2 |
| 3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | 2 | 0.13 |
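To show how the four opportunities listed in the introduction and the CloudTrail checks in the table above can be evaluated in code, here is an added example that is not part of the original post or of Netskope's tooling. It is pure Python over dictionaries shaped like the boto3 responses of `describe_trails`, `get_bucket_acl`, `get_bucket_logging`, `describe_vpcs` and `describe_flow_logs`, so it runs offline; the trail names, bucket names, VPC IDs and ARNs in the sample data are constructed for illustration. In a real account you would feed it the live API responses instead.

```python
"""Evaluate CloudTrail, S3 and VPC logging settings against the best practices
discussed on this page. Works over dicts shaped like boto3 responses, so it runs
offline on the constructed sample data at the bottom (added example, not the
post's own code)."""
from __future__ import annotations
from dataclasses import dataclass

# Canned ACL grantees that make a bucket readable by the world or by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class Finding:
    resource: str
    control: str
    detail: str


def check_trail(trail: dict, bucket_acl: dict, bucket_logging: dict) -> list[Finding]:
    """Check one trail (shape of describe_trails()['trailList'][i]) together with the
    ACL and logging config of its S3 bucket (get_bucket_acl / get_bucket_logging).
    A full 'enabled in all regions' check would also confirm get_trail_status()
    reports IsLogging=True; the bucket check looks at the ACL only, so bucket
    policies and the account Public Access Block still need a separate review."""
    name = trail["Name"]
    findings: list[Finding] = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append(Finding(name, "all-regions", "single-region trail; activity in other regions is not captured"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(Finding(name, "log-file-validation", "no digest files; tampering with log objects cannot be detected"))
    # CloudTrail always writes objects with SSE-S3; the control asks for a KMS key.
    if not trail.get("KmsKeyId"):
        findings.append(Finding(name, "kms-encryption", "no KmsKeyId; logs use SSE-S3 rather than SSE-KMS"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(Finding(name, "cloudwatch-integration", "no CloudWatch Logs group; no near-real-time search or alerting"))
    bucket = trail["S3BucketName"]
    if "LoggingEnabled" not in bucket_logging:  # get_bucket_logging omits the key when disabled
        findings.append(Finding(bucket, "bucket-access-logging", "server access logging is off on the CloudTrail bucket"))
    public = [g for g in bucket_acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]
    if public:
        findings.append(Finding(bucket, "bucket-public", f"ACL grants {public[0]['Permission']} to {public[0]['Grantee']['URI']}"))
    return findings


def vpcs_without_flow_logs(vpcs: list[dict], flow_logs: list[dict]) -> list[str]:
    """VPC IDs (describe_vpcs()['Vpcs']) with no ACTIVE flow log (describe_flow_logs()
    ['FlowLogs']) attached at the VPC level. A flow log attached to a subnet or ENI
    covers only that subnet/ENI, so it does not count for the VPC as a whole."""
    covered = {fl["ResourceId"] for fl in flow_logs if fl.get("FlowLogStatus") == "ACTIVE"}
    return [v["VpcId"] for v in vpcs if v["VpcId"] not in covered]


# Constructed sample data (hypothetical names and ARNs) in boto3 response shapes.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "acme-cloudtrail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Default:*"},
    {"Name": "legacy-trail", "S3BucketName": "acme-old-logs", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_BUCKETS = {
    "acme-cloudtrail": {
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
        "logging": {"LoggingEnabled": {"TargetBucket": "acme-s3-access-logs", "TargetPrefix": "cloudtrail/"}}},
    "acme-old-logs": {
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]},
        "logging": {}},
}
SAMPLE_VPCS = [{"VpcId": "vpc-0a"}, {"VpcId": "vpc-0b"}, {"VpcId": "vpc-0c"}]
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0a", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "subnet-1", "FlowLogStatus": "ACTIVE"},   # subnet-level; does not cover vpc-0b
    {"ResourceId": "vpc-0c", "FlowLogStatus": "INACTIVE"},   # created but not delivering
]


def audit(trails=SAMPLE_TRAILS, buckets=SAMPLE_BUCKETS, vpcs=SAMPLE_VPCS, flow_logs=SAMPLE_FLOW_LOGS) -> dict:
    """Run every check and return the findings keyed by area."""
    trail_findings: list[Finding] = []
    for t in trails:
        b = buckets[t["S3BucketName"]]
        trail_findings.extend(check_trail(t, b["acl"], b["logging"]))
    return {"trail_findings": trail_findings, "vpcs_without_flow_logs": vpcs_without_flow_logs(vpcs, flow_logs)}


if __name__ == "__main__":
    result = audit()
    for f in result["trail_findings"]:
        print(f"{f.resource:18} {f.control:24} {f.detail}")
    print("VPCs without flow logs:", result["vpcs_without_flow_logs"])
```

Run as-is, the sample produces no findings for `org-trail` and six for `legacy-trail` and its bucket, plus two VPCs lacking an active VPC-level flow log. The subnet-level and INACTIVE flow logs are deliberately included: both look like coverage in a console listing, and both are the kind of pitfall that turns a "flow logs enabled" check green while leaving a VPC uncovered during an investigation.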