Monitoring and securing AWS with Microsoft
NOTICE: There is a newer AWS environment connector for Azure Defender (now Microsoft Defender for Cloud). It uses the AWS APIs natively to provide CSPM instead of relying on AWS Security Hub, and it adds threat detection for EKS (Elastic Kubernetes Service). Use the new connector instead: Connect your AWS account to Microsoft Defender for Cloud | Microsoft Docs
Microsoft runs Azure and has the best tools for securing and monitoring Azure, no question about that. But what about multi-cloud, and AWS in particular?
This blog takes you through how to set up (advanced) monitoring of AWS:
CSPM & CWPP
In September '20, at Ignite, Azure Defender was announced. Azure Defender is the new name for the paid version of Security Center; essentially it carries out the "Cloud Workload Protection Platform" (CWPP) duties, while the free version of Security Center still does "Cloud Security Posture Management" (CSPM).
It was also announced that security posture management will rely on AWS Security Hub and GCP Security Command Center and integrate those findings into Secure Score. Great: no need to reinvent the wheel, just trust that AWS knows how to secure AWS. As a result we get a joint Secure Score across multiple clouds.
Adding AWS cloud connector
Adding the AWS cloud connector in Azure does not take much work, assuming you are already running AWS with Security Hub, AWS Config and Systems Manager (SSM) enabled.
More detailed instructions: Connect your AWS account to Azure Security Center
Once the connection is established, after a while you'll start seeing recommendations for AWS, and they are counted in Secure Score. Now you have security posture data from two clouds in one place.
While you admire this shiny new data in Security Center, another thing kicks in: installation of the Azure Arc agent on your EC2 instances. For this to work, AWS Systems Manager (SSM) must be enabled, since it orchestrates the installation.
Once done, you get visibility into the virtual machines in AWS:
Once the VMs are visible through Azure Arc, more recommendations appear:
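Before enabling the connector it is worth knowing which EC2 instances SSM can actually reach, because an instance that is not SSM-managed never gets the Arc agent, and an instance the Log Analytics agent does not support (the post notes Amazon Linux) gets Arc but no telemetry. The pre-flight check below is an added example, not code from the original post: it evaluates the response shapes of ec2:DescribeInstances and ssm:DescribeInstanceInformation, the sample data is constructed, and the boto3 path only runs when credentials are available (falling back to the sample otherwise).

```python
"""Pre-flight check: which running EC2 instances can the Security Center AWS
connector onboard through SSM? Added example, not code from the original post.
The sample data below is constructed; the live path is optional."""
from __future__ import annotations

from typing import Iterable


def running_instance_ids(reservations: Iterable[dict]) -> list[str]:
    """Instance IDs in state 'running' from ec2:DescribeInstances reservations."""
    return sorted(
        inst["InstanceId"]
        for reservation in reservations
        for inst in reservation.get("Instances", [])
        if inst.get("State", {}).get("Name") == "running"
    )


def arc_onboarding_gaps(reservations: Iterable[dict], instance_info: Iterable[dict]) -> dict[str, list[str]]:
    """Classify running instances by what the connector can do with them.

    not_in_ssm       SSM agent never registered (no agent, or no instance profile)
    ssm_offline      registered, but PingStatus != 'Online', so Run Command cannot reach it
    mma_unsupported  reachable, but the post notes the Log Analytics agent does not
                     support Amazon Linux, so Arc is installed without telemetry
    ready            Arc agent and Log Analytics agent can be deployed
    """
    managed = {i["InstanceId"]: i for i in instance_info}
    gaps: dict[str, list[str]] = {"not_in_ssm": [], "ssm_offline": [], "mma_unsupported": [], "ready": []}
    for instance_id in running_instance_ids(reservations):
        info = managed.get(instance_id)
        if info is None:
            gaps["not_in_ssm"].append(instance_id)
        elif info.get("PingStatus") != "Online":
            gaps["ssm_offline"].append(instance_id)
        elif "amazon linux" in info.get("PlatformName", "").lower():
            gaps["mma_unsupported"].append(instance_id)
        else:
            gaps["ready"].append(instance_id)
    return gaps


# Constructed sample responses (instance IDs and platforms are made up).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"}},  # Ubuntu, SSM online
    {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"}, "Platform": "windows"},  # SSM lost
    {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "running"}},  # no SSM agent at all
    {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "running"}},  # Amazon Linux
    {"InstanceId": "i-0a1b2c3d4e5f60005", "State": {"Name": "stopped"}},  # ignored
]}]
SAMPLE_SSM = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PingStatus": "Online", "PlatformType": "Linux",
     "PlatformName": "Ubuntu"},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "PingStatus": "ConnectionLost", "PlatformType": "Windows",
     "PlatformName": "Microsoft Windows Server 2019 Datacenter"},
    {"InstanceId": "i-0a1b2c3d4e5f60004", "PingStatus": "Online", "PlatformType": "Linux",
     "PlatformName": "Amazon Linux"},
]


def main() -> None:
    try:
        import boto3  # only needed for the live path; assumes default credentials and region
        ec2, ssm = boto3.client("ec2"), boto3.client("ssm")
        reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                        for r in page["Reservations"]]
        info = [i for page in ssm.get_paginator("describe_instance_information").paginate()
                for i in page["InstanceInformationList"]]
    except Exception as exc:  # no boto3 or no credentials: use the constructed sample instead
        print(f"live query skipped ({exc.__class__.__name__}); using constructed sample data")
        reservations, info = SAMPLE_RESERVATIONS, SAMPLE_SSM
    for bucket, ids in arc_onboarding_gaps(reservations, info).items():
        print(f"{bucket:16} {', '.join(ids) or '-'}")


if __name__ == "__main__":
    main()
```

Run it with AWS credentials in the environment to get the real picture; the "not_in_ssm" and "ssm_offline" buckets are the instances to fix (SSM agent and an instance profile with the SSM managed policy) before expecting Arc recommendations to appear for them.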
Azure Defender
To start monitoring the VMs for threats and vulnerabilities, install the Log Analytics agent with "Quick Fix!". The Azure Arc agent is used to deploy the Microsoft Monitoring Agent (note: not all operating systems are supported; Amazon Linux, for example, is not). The vulnerability assessment solution (Qualys) can also be installed with "Quick Fix!". From this point on you pay $15 per node per month for this joy.
Microsoft Monitoring Agent (Log Analytics agent) and the Qualys agent running on an AWS EC2 instance (Ubuntu):
The Microsoft Monitoring Agent collects telemetry from the VM and stores it in a Log Analytics workspace.
Now threat detection is provided out of the box! By default, Azure Defender detects dozens of threats on Windows and Linux VMs: Reference table for all security alerts in Azure Security Center
So the question is: do you want to figure out by yourself what bad things you could find in the logs, or will you let someone else do it for you?
On top of this, Windows Servers automatically get EDR (endpoint detection and response) from Microsoft Defender for Endpoint:
And Qualys provides vulnerability assessment for both Windows and Linux:
CASB
Next we want to monitor activities in AWS and detect anomalous usage. Again, we could collect the logs somewhere and start writing use cases ourselves. Instead, we'll use Microsoft Cloud App Security (MCAS), which provides out-of-the-box UEBA and anomaly/threat detection.
By connecting AWS via API (create an IAM user in AWS and connect from MCAS: Connect Amazon Web Services with Cloud App Security), you get the full activity log:
With this activity log, Cloud App Security analyzes user activities, compares them against each user's learned profile, and detects threats.
Out of the box there is a great number of ready-made use cases for your Security Operations Center (SOC): Get behavioral analytics and anomaly detections
...and an alert could look just like this:
Cloud App Security does threat detection across SaaS apps, so what happens in Office 365, Azure and AWS is correlated together.
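The IAM user created for the Cloud App Security connector above holds long-lived access keys, so its policy should let it read activity and configuration and nothing more; the exact action list Microsoft asks for is in the linked doc. The linter below is an added example, not code from the original post or from Microsoft's documentation. It flags every Allow action in a candidate policy that is not a read verb, plus wildcards and NotAction grants, so anything left on the list is a conscious decision. The verb list is a conservative assumption (Describe/Get/List/Lookup), and the sample policy, including its deliberate S3 write mistake, is constructed.

```python
"""Lint the IAM policy of the user created for the Cloud App Security connector.
Added example, not from the original post or from Microsoft's docs. The read-verb
list is an assumption; the sample policy below is constructed."""
from __future__ import annotations

import json

# AWS names actions VerbNoun. These verbs only read; anything else (Put, Create,
# Delete, Update, Attach, Generate...) can change the account. Conservative on purpose:
# an action flagged here may be needed, but it must be accepted knowingly.
READ_VERBS = ("Describe", "Get", "List", "Lookup")


def statements(policy: dict) -> list[dict]:
    """'Statement' may be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def actions_of(stmt: dict) -> list[str]:
    """'Action' may be a string or a list; normalise to a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def is_read_only(action: str) -> bool:
    """'s3:ListAllMyBuckets' -> True, 'iam:Get*' -> True, 's3:PutBucketAcl' -> False, 's3:*' -> False."""
    service, _, name = action.partition(":")
    if not service or name in ("", "*"):
        return False
    return name.startswith(READ_VERBS)


def lint_connector_policy(policy: dict) -> dict[str, list[str]]:
    """Return the Allow grants that exceed read-only access, grouped by kind."""
    findings: dict[str, list[str]] = {"write_actions": [], "wildcards": [], "notaction": []}
    for stmt in statements(policy):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions: open-ended by construction
            findings["notaction"].append(json.dumps(stmt["NotAction"]))
        for action in actions_of(stmt):
            _, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings["wildcards"].append(action)
            elif not is_read_only(action):
                findings["write_actions"].append(action)
    return {kind: sorted(set(items)) for kind, items in findings.items()}


def lint_policy_json(text: str) -> dict[str, list[str]]:
    """Same check on the JSON document you paste into the IAM console."""
    return lint_connector_policy(json.loads(text))


# Constructed sample: a read-only audit policy plus a mistaken second statement
# that 'helpfully' adds S3 write access to the connector's credentials.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "iam:List*", "iam:Get*",
            "s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketPolicy"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:PutBucketAcl", "s3:*"]},
    ],
}

if __name__ == "__main__":
    for kind, items in lint_connector_policy(SAMPLE_POLICY).items():
        print(f"{kind:14} {', '.join(items) or '-'}")
```

Resource "*" is not flagged on purpose: an audit connector legitimately needs to list every bucket and trail, so the scoping that matters here is on the actions, not the resources.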
SIEM
Your Security Operations of course needs all of this in the SIEM. Azure Sentinel can ingest all this data natively:
After connecting AWS to Azure Sentinel, the next step is to set up the workbooks for network activities and user activities and enable the analytics rule templates:
Hunting season can start with pre-defined queries:
More detections, workbooks, hunting queries, etc. can be obtained from GitHub: GitHub - Azure/Azure-Sentinel
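To make concrete what the CloudTrail analytics rules and hunting queries look for, here is a small set of the same kind of detections run over constructed CloudTrail records. This is an added example written for this page, not code from the original post or from the Azure-Sentinel repository, and the rules are my own Python reimplementation rather than the KQL templates themselves. Field names follow the CloudTrail record schema; the account ID, IP addresses, user names and trail name are constructed, and the brute-force threshold is an assumption.

```python
"""CloudTrail detections of the kind the Sentinel AWS templates ship, run over
constructed records. Added example, not from the original post or the
Azure-Sentinel repo; threshold and sample data are assumptions."""
from __future__ import annotations

from collections import Counter
from typing import NamedTuple

FAILED_LOGIN_THRESHOLD = 3  # failed console logins from one IP before alerting (assumption)
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


class Alert(NamedTuple):
    rule: str
    event_time: str
    principal: str
    detail: str


def principal(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def world_open_ingress(event: dict) -> list[str]:
    """Port ranges an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0 or ::/0."""
    opened = []
    for perm in event.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            opened.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return opened


def detect(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    failed_by_ip: Counter[str] = Counter()
    for ev in events:
        name, who, when = ev.get("eventName"), principal(ev), ev.get("eventTime", "")
        # 1. Root credentials used at all: root should sit behind MFA and never be used day to day.
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append(Alert("Root account activity", when, who, name or ""))
        # 2/3. Console logins: success without MFA, and repeated failures from one source IP.
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(Alert("Console login without MFA", when, who, ev.get("sourceIPAddress", "")))
            if outcome == "Failure":
                ip = ev.get("sourceIPAddress", "")
                failed_by_ip[ip] += 1
                if failed_by_ip[ip] == FAILED_LOGIN_THRESHOLD:  # alert once per IP, on the Nth failure
                    alerts.append(Alert("Console login brute force", when, who, f"{ip}: {FAILED_LOGIN_THRESHOLD} failures"))
        # 4. Defense evasion: someone switching off or narrowing the trail that feeds the SIEM.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(Alert("CloudTrail logging tampered", when, who,
                                f"{name} {ev.get('requestParameters', {}).get('name', '')}".strip()))
        # 5. Exposure: a security group rule opened to the whole internet.
        if name == "AuthorizeSecurityGroupIngress" and (opened := world_open_ingress(ev)):
            alerts.append(Alert("Security group opened to the world", when, who,
                                f"{ev['requestParameters'].get('groupId')}: {', '.join(opened)}"))
    return alerts


def record(name: str, source: str, ident: dict, when: str, ip: str = "203.0.113.10", **extra) -> dict:
    """Build a minimal CloudTrail record (constructed, not captured from a real trail)."""
    rec = {"eventVersion": "1.08", "eventTime": when, "eventSource": source, "eventName": name,
           "awsRegion": "eu-west-1", "sourceIPAddress": ip, "userIdentity": ident,
           "recipientAccountId": "111111111111"}
    rec.update(extra)
    return rec


ROOT = {"type": "Root", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}

SAMPLE_EVENTS = [
    record("ConsoleLogin", "signin.amazonaws.com", ALICE, "2021-03-01T08:00:00Z",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    *[record("ConsoleLogin", "signin.amazonaws.com", BOB, f"2021-03-01T08:0{i}:00Z", ip="198.51.100.7",
             responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
      for i in range(4)],
    record("StopLogging", "cloudtrail.amazonaws.com", ALICE, "2021-03-01T08:10:00Z",
           requestParameters={"name": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-trail"}),
    record("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", ALICE, "2021-03-01T08:12:00Z",
           requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}),
    record("CreateUser", "iam.amazonaws.com", ROOT, "2021-03-01T08:15:00Z",
           requestParameters={"userName": "backup-admin"}),
    record("DescribeInstances", "ec2.amazonaws.com", ALICE, "2021-03-01T08:20:00Z"),  # benign noise
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.event_time}  {alert.rule:34} {alert.principal:45} {alert.detail}")
```

Each rule maps onto a KQL analytics rule over the AWSCloudTrail table in Sentinel; the brute-force one is the only stateful rule here, which in KQL becomes a summarize over a time window rather than a running counter.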
Once all this data is flowing in, at some point it's time to investigate AWS incidents in Azure Sentinel:
Thank you for reading this far! I hope this helped you understand what the Microsoft security stack can deliver for AWS.
Cloud Security Engineer, SAP
2 years ago: I was wondering whether I could utilize Security Hub to consolidate several AWS accounts. At the same time, I utilize Security Hub to get other findings, such as those generated by GuardDuty, IAM Access Analyzer, and so on. Is it possible that the findings (not just SecHub's) will be sent to Microsoft Defender for Cloud? When I connect multiple clouds, it appears that Microsoft Defender for Cloud only receives the Security Hub findings.
Global GTM Business Strategy and Transformation Leader
3 years ago: Very useful
Cyber Security Director at ★ CyberProof, a UST company ★ | Your Partner to Identify, Protect, Detect, Respond, Recover
3 years ago: Marko Lauren - What about an AWS environment that is serverless (no IaaS)? Many enterprises are only using the Lambda/container functions of AWS. How can Azure ingest those logs?
Cybersecurity Architect | Ex-Microsoft IR
3 years ago: Nice job Marko
Chief Information Security Officer at Normet
3 years ago: Harri Trebs, Jani Poikela & Marek Luoto