
Ensure your IAM Policies are not vulnerable to alteration


As the root user, you want full governance over your AWS infrastructure: if any change occurs in your configuration, you should be the first to know about it, whether the change is expected or unexpected, intentional or unintentional. With CloudTrail, CloudWatch and SNS (Simple Notification Service), AWS lets you set up a metric filter and alarm for Identity and Access Management (IAM) policy changes, so that you never miss an update to your IAM policy configuration.

The basic configuration you need before getting started:

  1. CloudTrail should be enabled in all regions of your account, since CloudTrail records every change made to your configuration and plays a crucial role in your cloud security.
  2. SNS should be configured to receive the alarm triggered by CloudWatch.
  3. To send events to CloudWatch Logs, CloudTrail must have access to an IAM role in your account.

How the metric filter and alarm work:

  1. An IAM user in your AWS account makes an API call that changes an Identity and Access Management policy.
  2. CloudTrail records this API call as a log entry (an event) and stores these events in your S3 bucket.
  3. As part of the basic configuration, you grant CloudTrail permission to publish these events to CloudWatch Logs.
  4. CloudWatch monitors the events, triggers an alarm when they match your metric filter, and sends the alert to SNS.
  5. SNS then delivers the message to you via SMS or e-mail.
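Added example (not from this page or Centilytics): the CloudWatch Logs filter pattern that the CIS AWS Foundations Benchmark recommends for IAM policy changes, applied offline to a few constructed CloudTrail records so you can see which API calls from step 1 would trip the alarm in step 4. The sample records and user names are constructed; the event-name list is the benchmark's standard one.

```python
import json
import re

# The eventName values the CIS AWS Foundations Benchmark filter selects for
# "IAM policy changes" (standard benchmark list; not taken from this page).
IAM_POLICY_EVENTS = (
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
)

# The same list rendered in CloudWatch Logs filter syntax, i.e. the string you
# would pass to `aws logs put-metric-filter --filter-pattern`.
FILTER_PATTERN = "{" + "||".join(f"($.eventName={n})" for n in IAM_POLICY_EVENTS) + "}"

def event_names_in_pattern(pattern):
    """Read the eventName values back out of a ($.eventName=X)||... pattern."""
    return set(re.findall(r"\$\.eventName=(\w+)", pattern))

def matches_filter(record, pattern=FILTER_PATTERN):
    """True when this CloudTrail record would increment the filter's metric."""
    return record.get("eventName") in event_names_in_pattern(pattern)

def alarming_actions(log_lines):
    """Parse JSON log lines and return 'who did what' for each matching record."""
    hits = []
    for line in log_lines:
        record = json.loads(line)
        if matches_filter(record):
            who = record.get("userIdentity", {}).get("userName", "unknown")
            hits.append(f"{who} {record['eventName']}")
    return hits

# Constructed sample records, shaped like CloudTrail events delivered to CloudWatch Logs.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
                "userIdentity": {"type": "IAMUser", "userName": "carol"}}),
]

if __name__ == "__main__":
    print(FILTER_PATTERN)
    for hit in alarming_actions(SAMPLE_LOG_LINES):
        print("would alarm:", hit)
```

Read-only calls such as GetUser are deliberately outside the pattern, so they never raise the alarm.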

Why do you need Centilytics?

Centilytics provides all the services required to manage a cloud. To keep a check on Identity and Access Management policies, you also need to configure CloudTrail for logs, connect the trail to CloudWatch with a policy-change filter that triggers the alarm, and verify that an SNS subscription forwards the alarm.

For the security of your account, Centilytics has a dedicated insight for each of the required services. Centilytics checks that a dedicated CloudWatch log group for policy changes is present in your account. If any of the services is not working, you can see which one through the severity check.

Insight Description:

Ok: CloudTrail has a CloudWatch Logs group configured with a metric filter, an alarm, and an SNS topic with at least one subscriber.
Warning: For your CloudWatch alarms, either no SNS topic is created or nobody is present in the list of topic subscribers to receive the alerts.
Critical: Delivery to CloudWatch Logs is not configured.
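Added example (not Centilytics' own code): a function that derives the Ok / Warning / Critical state above by walking the resource chain, with constructed data shaped like the responses of describe-trails, describe-metric-filters, describe-alarms and list-subscriptions-by-topic. The resource names, the placeholder account id 111122223333, and treating a missing metric filter or alarm as Critical are assumptions of this example.

```python
def insight_severity(trail, metric_filters, alarms, topic_subscriptions):
    """Walk CloudTrail -> log group -> metric filter -> alarm -> SNS topic -> subscriber."""
    log_group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not log_group_arn:
        return "Critical", "Delivery to CloudWatch Logs not configured"
    # Metric filters are keyed by log group name, which is the ARN segment after 'log-group:'.
    group_name = log_group_arn.split("log-group:")[1].split(":")[0]
    filters = [f for f in metric_filters if f["logGroupName"] == group_name]
    if not filters:  # assumption: the page does not name this case; treated as Critical
        return "Critical", "No metric filter on the trail's log group"
    metric_names = {t["metricName"] for f in filters for t in f["metricTransformations"]}
    wired = [a for a in alarms if a["MetricName"] in metric_names]
    if not wired:  # assumption, as above
        return "Critical", "No alarm watches the metric filter's metric"
    for alarm in wired:
        for topic_arn in alarm.get("AlarmActions", []):
            subs = topic_subscriptions.get(topic_arn, [])
            # SNS lists an unconfirmed e-mail subscription with the literal
            # SubscriptionArn 'PendingConfirmation'; it delivers nothing until confirmed.
            if any(s["SubscriptionArn"] != "PendingConfirmation" for s in subs):
                return "Ok", f"Alarm {alarm['AlarmName']} notifies {topic_arn}"
    return "Warning", "No SNS topic with a confirmed subscriber on the alarm"

# Constructed sample data (placeholder account id and names, not real resources).
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
TRAIL = {"Name": "org-trail",
         "CloudWatchLogsLogGroupArn":
             "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Default:*"}
FILTERS = [{"logGroupName": "CloudTrail/Default", "filterName": "IAMPolicyChanges",
            "metricTransformations": [{"metricName": "IAMPolicyEventCount"}]}]
ALARMS = [{"AlarmName": "IAMPolicyChangeAlarm", "MetricName": "IAMPolicyEventCount",
           "AlarmActions": [TOPIC]}]
SUBS_CONFIRMED = {TOPIC: [{"SubscriptionArn": TOPIC + ":3f0e1a2b", "Protocol": "email"}]}
SUBS_PENDING = {TOPIC: [{"SubscriptionArn": "PendingConfirmation", "Protocol": "email"}]}

if __name__ == "__main__":
    for subs in (SUBS_CONFIRMED, SUBS_PENDING, {}):
        print(insight_severity(TRAIL, FILTERS, ALARMS, subs))
    print(insight_severity({"Name": "org-trail"}, FILTERS, ALARMS, SUBS_CONFIRMED))
```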


Description of the further columns is as follows:

Account Id: Shows the account ID of the user's account.

Account Name: Shows the account name corresponding to the user's account.

Region: Shows the region in which the resource has been used.


Identifier: Shows you the service with its trail name.


Log Group Name: Shows the name of the CloudWatch Logs log group to which the trail delivers its events.

Metric Filter Name: Shows the name you have given to the metric filter.

Alarm Name: Shows the name of the alarm you have assigned.

SNS Topic Name: Shows the name of the SNS (Simple Notification Service) topic, i.e. the group of subscribers who receive the alert message.

Custom Severity Description: Shows the severity of your metric filter and the custom description of its function.

Filters Applicable:

Account Id: Applying the account ID filter displays all the records for the selected account ID.

Region: Applying the region filter displays all the records corresponding to the selected region.

Severity: Applying the severity filter displays records according to the selected severity type, i.e. selecting Critical displays all records with Critical severity. The same applies to the Warning and Ok severity types.

Resource Tags: Applying the resource tags filter displays those resources that have been assigned the selected resource tag. For example, a user has tagged some resources with a tag named environment; selecting environment in the resource tags filter then displays all resources tagged with environment.

Resource Tags Value: Applying the resource tags value filter displays the data that has the selected resource tag value. For example, a user has tagged some resources with a tag named environment and the value production (environment: production); the user can then view the data of all resources that have the "environment:production" tag assigned. The tag value filter can only be used once a tag name has been provided.

Compliance: Applying the Compliance filter lets you further refine your security and health checks.
