One typical concern when moving your infrastructure to Amazon Web Services is that you may lose control over it, but the truth is quite the opposite. AWS takes care of everything on the physical side of your infrastructure (while being compliant with basically every relevant certification and regulation), so you can focus on managing and monitoring the services that you use – and there are plenty of tools on AWS to do that.

I will introduce five important services that are connected to managing security and monitoring your environment in the AWS Cloud. I won’t go too deep into details here but rather give an overview of these services and how they work together.
Virtual Private Cloud (VPC)
A Virtual Private Cloud (VPC) is your own private network inside AWS. Here you define all the networking details and manage how your instances can be accessed. You can use things like Route Tables and Network Access Control Lists to manage traffic flow in and out of (and within) your environment. In addition to EC2 instances, you can also put your relational databases (RDS) inside a VPC to make sure that they can only be accessed by your application servers. You have complete control over how your instances can be accessed, and you can even limit this to a VPN connection from your on-premises environment. VPC has far too many features to be described in one blog post, but you definitely want to learn to build VPCs as your first step towards the AWS Cloud!
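To make the Network ACL part concrete, here is an added example (not code from the original post or from AWS) that evaluates packets against a NACL the way VPC does: rules are checked in ascending rule-number order, the first match decides, and the implicit final rule denies. The rule sets and packets are constructed for the demo. It also shows the stateless trade-off that catches people out: the ephemeral-port rule you need for return traffic also lets unsolicited traffic reach ports in that range, which is why security groups (stateful) are still needed on the instances.

```python
"""Stateless Network ACL evaluation, as an illustration of how a VPC NACL
decides whether a packet passes.  Example code, not AWS's implementation;
the rule sets below are constructed for this demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NaclRule:
    number: int               # evaluated in ascending order; the first match wins
    protocol: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: Optional[int]  # None means "any port" (ICMP or protocol -1)
    port_to: Optional[int]
    cidr: str
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int       # destination port (on the instance for inbound, remote for outbound)
    remote_ip: str  # source address for inbound, destination address for outbound


def evaluate(rules: List[NaclRule], packet: Packet) -> str:
    """Return "allow" or "deny" following NACL semantics: the lowest-numbered
    matching rule decides, and the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if ip_address(packet.remote_ip) not in ip_network(rule.cidr):
            continue
        if rule.port_from is not None and not (rule.port_from <= packet.port <= rule.port_to):
            continue
        return rule.action
    return "deny"  # implicit '*' rule


# Constructed inbound rule set for a public web subnet: SSH only from the
# corporate range (rule 100 wins over rule 110 for those addresses), HTTPS
# from anywhere, and everything else falls through to the implicit deny.
INBOUND = [
    NaclRule(100, "tcp", 22, 22, "10.0.0.0/8", "allow"),
    NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    NaclRule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    # NACLs are stateless: replies to connections the instances opened
    # themselves (package updates etc.) arrive on ephemeral ports and must be
    # allowed explicitly.  This is also what lets inbound 8080 through below.
    NaclRule(130, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# Constructed outbound rule set: HTTPS out, plus ephemeral ports so replies to
# inbound HTTPS/SSH clients can leave the subnet.
OUTBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def inbound_decision(packet: Packet) -> str:
    return evaluate(INBOUND, packet)


def outbound_decision(packet: Packet) -> str:
    return evaluate(OUTBOUND, packet)


if __name__ == "__main__":
    for pkt in (Packet("tcp", 22, "10.1.2.3"), Packet("tcp", 22, "203.0.113.5"),
                Packet("tcp", 443, "203.0.113.5"), Packet("tcp", 8080, "203.0.113.5")):
        print("inbound ", pkt, "->", inbound_decision(pkt))
    # Reply to an inbound HTTPS client whose ephemeral source port was 51234
    print("outbound", Packet("tcp", 51234, "203.0.113.5"), "->",
          outbound_decision(Packet("tcp", 51234, "203.0.113.5")))
```

The interesting case is inbound port 8080: nothing in the intended policy allows it, yet the ephemeral-port rule does, because a NACL cannot tell a reply from a new connection. Keep the NACL as a coarse subnet-level filter and rely on security groups, which track connection state, for the per-instance policy.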
CloudWatch
Once you have deployed your instances to a VPC, you want to monitor them. CloudWatch is a service that automatically collects metrics from your infrastructure and also from basically every managed service that AWS has to offer. You can use this data to trigger alarms that can, for example, send you e-mails or launch more EC2 instances into an Auto Scaling group. You can view graphs of your metrics from the past two weeks in the CloudWatch console or send those metrics to third-party services like DataDog for further analysis. CloudWatch is one of the main tools for creating automation for your infrastructure, so that you don’t need to react manually to traffic peaks or issues in your environment.
CloudTrail
While CloudWatch is great for monitoring your infrastructure, it doesn’t track access to your AWS environment. CloudTrail is a service that you enable per region, and it will record all API calls (meaning all actions) that are made by your AWS users or roles. All of this data is stored in S3, and you can send it to CloudWatch Logs or third-party services for further analysis. CloudTrail gives you detailed information on who did what and when. This is also very useful for audit purposes.
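CloudTrail delivers its records to S3 as JSON files with a top-level `Records` array. The following added example (not code from the original post) shows what "who did what and when" looks like in practice: it parses a constructed log file in that layout, extracts the principal from `userIdentity`, and flags the kinds of entries a defender would want alerted on, such as a console login without MFA, calls that change logging or security-group configuration, and a run of `AccessDenied` errors. The records and identifiers are constructed, not real log data.

```python
"""Triage of CloudTrail records: who did what, when, and which calls deserve a
closer look.  Added example, not code from the original post; the records
below are constructed to match the CloudTrail JSON layout, not real log data."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample file in the same shape CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:00:12Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:03:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:05:02Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:15:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppServer/i-0abc"},
     "errorCode": "AccessDenied"},
]})

# Control-plane calls that weaken logging or widen access.  Worth an alert
# even when made by an authorised user, so a human confirms the change.
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "AuthorizeSecurityGroupIngress", "PutBucketPolicy", "CreateUser"}


def load_records(raw: str) -> List[Dict]:
    """Parse one CloudTrail log file (the JSON document stored in S3)."""
    return json.loads(raw)["Records"]


def actor(record: Dict) -> str:
    """Collapse userIdentity into a readable principal name."""
    identity = record["userIdentity"]
    if identity["type"] == "Root":
        return "root"
    if identity["type"] == "IAMUser":
        return identity["userName"]
    # Assumed roles, federated users etc. are best identified by their ARN.
    return identity.get("arn", identity["type"])


def who_did_what(records: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(when, who, what, which service) for every record, in file order."""
    return [(r["eventTime"], actor(r), r["eventName"], r["eventSource"]) for r in records]


def find_suspicious(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Records a defender would want surfaced, with a short reason each."""
    findings = []
    for r in records:
        if (r["eventName"] == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append((r["eventTime"], actor(r), "console login without MFA"))
        if r["eventName"] in WATCHED_EVENTS:
            findings.append((r["eventTime"], actor(r), f"sensitive call {r['eventName']}"))
    return findings


def access_denied_by_actor(records: List[Dict]) -> Counter:
    """AccessDenied counts per principal; a sudden spike usually means either a
    misconfigured role or someone probing what their credentials can reach."""
    return Counter(actor(r) for r in records if r.get("errorCode") == "AccessDenied")


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for row in who_did_what(records):
        print(*row)
    for finding in find_suspicious(records):
        print("ALERT", *finding)
    print(access_denied_by_actor(records))
```

In a real setup the same logic runs on the files CloudTrail drops into S3 (or as a CloudWatch Logs metric filter once the trail is forwarded there), and a finding would be published to an SNS topic rather than printed.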
AWS Config
If CloudTrail is for tracking each and every action users make, then AWS Config is the service that tracks the state of your environment. You get detailed information on changes that are made to your resources, and also reports on the state of your whole infrastructure. AWS Config provides point-in-time snapshots of your resources. You can also create Config Rules that are evaluated against changes in your resources, and the rules can alert you to unwanted changes and possible security issues.
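A Config Rule is easiest to understand from the inside. The added example below (not code from the original post, and not AWS's own rule code) is a custom rule in the shape Config uses for Lambda-backed rules: Config invokes the function with an `invokingEvent` JSON string carrying the changed `configurationItem`, and the rule reports `COMPLIANT` or `NON_COMPLIANT` for that resource. This rule checks that no security group allows SSH from the whole internet. Assumptions: the security-group configuration items are constructed here, and the shape of `ipPermissions` (both the older `ipRanges` string list and the `ipv4Ranges`/`ipv6Ranges` object lists) is handled based on observed configuration items. A deployed rule would hand the result to Config's `PutEvaluations` API; here the handler returns it so the logic can be run offline.

```python
"""A custom AWS Config rule evaluation, written as an added example of what a
Config Rule does with a resource change.  Not code from the original post or
from AWS.  The configuration items are constructed; a deployed rule would pass
the returned evaluation to PutEvaluations instead of returning it."""
import json
from typing import Dict, List

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_ranges(permission: Dict) -> List[str]:
    """CIDRs granted by one ipPermissions entry.  Config configuration items
    have carried both 'ipRanges' (plain strings) and 'ipv4Ranges'
    [{'cidrIp': ...}] (assumption based on observed items), so accept either."""
    ranges = []
    for entry in permission.get("ipRanges", []):
        ranges.append(entry if isinstance(entry, str) else entry.get("cidrIp"))
    for entry in permission.get("ipv4Ranges", []):
        ranges.append(entry.get("cidrIp"))
    for entry in permission.get("ipv6Ranges", []):
        ranges.append(entry.get("cidrIpv6"))
    return [r for r in ranges if r]


def covers_port(permission: Dict, port: int) -> bool:
    """Does this permission include the given TCP port?  Protocol -1 means all."""
    proto = permission.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def evaluate_security_group(configuration: Dict) -> str:
    """NON_COMPLIANT if any inbound rule allows SSH from the whole internet."""
    for permission in configuration.get("ipPermissions", []):
        if covers_port(permission, SSH_PORT) and ANYWHERE & set(open_ranges(permission)):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def lambda_handler(event: Dict, context=None) -> Dict:
    """Entry point in the shape Config uses for custom rules: invokingEvent is a
    JSON string carrying the changed configurationItem."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance = "NOT_APPLICABLE"
    else:
        compliance = evaluate_security_group(item["configuration"])
    # Field names follow the Evaluations entries accepted by PutEvaluations.
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(group_id: str, permissions: List[Dict],
               resource_type: str = "AWS::EC2::SecurityGroup") -> Dict:
    """Constructed Config invocation event for the demo (not a real capture)."""
    item = {"resourceType": resource_type, "resourceId": group_id,
            "configurationItemCaptureTime": "2024-05-01T08:03:41.000Z",
            "configuration": {"groupId": group_id, "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item})}


# Constructed examples: SSH open to the world vs. SSH limited to the corporate range.
OPEN_SSH_EVENT = make_event("sg-0bad0bad0bad0bad0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
])
RESTRICTED_EVENT = make_event("sg-0good0good0good0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
])
ALL_TRAFFIC_EVENT = make_event("sg-0all0all0all0all0", [
    {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
])
VOLUME_EVENT = make_event("vol-0123456789abcdef0", [], resource_type="AWS::EC2::Volume")

if __name__ == "__main__":
    for event in (OPEN_SSH_EVENT, RESTRICTED_EVENT, ALL_TRAFFIC_EVENT, VOLUME_EVENT):
        result = lambda_handler(event)
        print(result["ComplianceResourceId"], result["ComplianceType"])
```

Because Config evaluates the rule on every change to a matching resource, the `NON_COMPLIANT` result appears within minutes of someone widening the group, and a Config notification on that transition can go to the same SNS topic as your CloudWatch alarms.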
Simple Notification Service (SNS)
Simple Notification Service is a service that delivers messages to subscribers. It is widely used by other AWS services, including the ones listed here, to send you notifications about things that happen in your environment. You can use it together with alarms that you create in CloudWatch to get notified when an alarm is triggered. You create Topics and publish messages to these Topics. A Topic can have multiple subscribers, all of which receive every message published to the Topic. The subscribers can be anything from HTTP endpoints to e-mail addresses and Lambda functions.
Security in the cloud starts with good knowledge of your infrastructure and extensive monitoring. The services I have described here can be used to achieve just that. There is, of course, a lot more to consider when talking about the security of your environment. If you would like to talk to Nordcloud more about your cloud environments, contact us here.