Which service enables customers to audit and monitor changes in aws resources?

Use the following guidelines to monitor your AWS account activity:

  • Turn on AWS CloudTrail in each account, and use it in each supported Region.

  • Store AWS CloudTrail logs in a centralized logging account with very restricted access.

  • Periodically examine CloudTrail log files. You can also use Amazon GuardDuty, a service that provides threat detection by continuously analyzing AWS CloudTrail events, VPC Flow Logs and DNS logs.

  • Enable Amazon S3 bucket logging to monitor requests made to each bucket.

  • If you believe there has been unauthorized use of your account, pay attention to the temporary credentials that have been issued. Temporary credentials cannot be revoked individually, so if sessions have been issued that you don't recognize, cut off their permissions at the source: attach an inline deny policy to the role or IAM user that issued them, conditioned on aws:TokenIssueTime, so that every session issued before that time loses access while legitimate users can simply sign in again.
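The last guideline is the one practitioners most often get wrong, because there is no API that invalidates one session token. The following is an added example, not text or code from the AWS guidance above: it builds the inline deny policy (the same shape the IAM console attaches under the name AWSRevokeOlderSessions when you choose "Revoke active sessions") and re-implements the DateLessThan check locally so the cutoff can be verified before the policy is pushed. The cutoff and session times are constructed for illustration.

```python
"""Deny every session issued before a cutoff: the AWS mechanism for 'revoking'
temporary credentials, which cannot be invalidated one by one."""
import json
from datetime import datetime, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(iso: str) -> datetime:
    """Accept '...Z' or '...+00:00' and return an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_revoke_policy(cutoff_iso: str) -> dict:
    """Inline policy to attach to the role or user that issued the sessions.

    Every session whose credentials were issued before the cutoff matches the
    DateLessThan condition and is denied all actions; sessions issued at or
    after the cutoff are unaffected, so a fresh sign-in restores access.
    """
    cutoff = parse_utc(cutoff_iso).strftime(ISO_Z)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": ["*"],
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
            }
        ],
    }


def session_denied(policy: dict, issued_iso: str) -> bool:
    """Local re-implementation of the DateLessThan evaluation on aws:TokenIssueTime."""
    issued = parse_utc(issued_iso)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff is None:
            continue
        if issued < parse_utc(cutoff):   # strictly before the cutoff -> denied
            return True
    return False


def policy_json(cutoff_iso: str) -> str:
    """JSON text suitable for `aws iam put-role-policy --policy-document`."""
    return json.dumps(build_revoke_policy(cutoff_iso), indent=2)


if __name__ == "__main__":
    # Constructed incident: unrecognised sessions seen, decision taken at 12:00 UTC.
    cutoff = "2024-03-01T12:00:00Z"
    policy = build_revoke_policy(cutoff)
    print(policy_json(cutoff))
    for issued in ("2024-03-01T09:30:00Z", "2024-03-01T12:00:00Z", "2024-03-01T13:15:00Z"):
        print(issued, "denied" if session_denied(policy, issued) else "allowed")
```

To apply the generated document to a role, write it to a file and run `aws iam put-role-policy --role-name <role> --policy-name AWSRevokeOlderSessions --policy-document file://revoke.json`; the same document attached with `put-user-policy` covers sessions minted from an IAM user's long-term keys. Remove the policy once the affected users have re-authenticated, or leave it: it never matches sessions issued after the cutoff.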

FSISEC3: How do you accommodate segregation of duties as part of your IAM role design?

Segregation of duties, as it relates to security, has two primary objectives. The first objective is the prevention of conflict of interest, abuse, and errors. The second objective is the detection of control failures that include security breaches, information theft, and circumvention of security controls.

While robust automation of infrastructure and application deployments will reduce the need for human access, there will still be instances where individuals need to complete key functions. Segregation of duties can help mitigate risk. For users with increased privileges, it is important to distribute system administration activities so no one administrator can hide their activities or control an entire system. Additional levels of approvals for critical tasks, and independent reviews of activity are required.

Create roles by using job function policies

AWS managed job function policies can be used as a starting point to create organization-wide roles to ensure that least privilege principles are in effect. AWS provides 10 job function-based policies by default for a common set of job functions within an organization.

Use AWS Config to view historical IAM configuration and changes over time

Use AWS Config to view the IAM policy that was assigned to an IAM user, group, or role at any point in time during which AWS Config was recording. This information can help you determine the permissions that belonged to a user at a specific time. For example, you can view whether the user John Doe had permission to modify Amazon VPC settings on January 1, 2015.
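The John Doe question above is answered by finding the configuration item that was current at the requested time and evaluating the policy it recorded. The following is an added example, not code from the AWS guidance or from AWS Config itself; the configuration items are constructed and trimmed to the fields this check reads (real items from `aws configservice get-resource-config-history --resource-type AWS::IAM::User` carry many more fields and store each policyDocument as a URL-encoded JSON string, which the decoder handles). Only inline user policies are evaluated; attached managed policies, group policies, resource and condition matching are out of scope.

```python
"""Answer 'what could this IAM user do at time T?' from AWS Config history."""
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from urllib.parse import quote, unquote


def parse_utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def _encoded(doc: dict) -> str:
    """Config stores inline policy documents URL-encoded; mimic that for the sample."""
    return quote(json.dumps(doc))


# Constructed AWS::IAM::User configuration items for john.doe, oldest first.
HISTORY = [
    {   # 2014-12-20: john.doe can describe and modify VPC settings
        "configurationItemCaptureTime": "2014-12-20T10:00:00Z",
        "resourceType": "AWS::IAM::User",
        "configuration": {"userName": "john.doe", "userPolicyList": [
            {"policyName": "vpc-admin", "policyDocument": _encoded({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:ModifyVpcAttribute"], "Resource": "*"}]})}]},
    },
    {   # 2015-01-05: policy replaced, read-only from here on (document left as a dict)
        "configurationItemCaptureTime": "2015-01-05T09:30:00Z",
        "resourceType": "AWS::IAM::User",
        "configuration": {"userName": "john.doe", "userPolicyList": [
            {"policyName": "vpc-readonly", "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}}]},
    },
    {   # 2015-02-01: broad allow plus an explicit deny on the sensitive action
        "configurationItemCaptureTime": "2015-02-01T00:00:00Z",
        "resourceType": "AWS::IAM::User",
        "configuration": {"userName": "john.doe", "userPolicyList": [
            {"policyName": "ec2-power", "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
                {"Effect": "Deny", "Action": "ec2:ModifyVpcAttribute", "Resource": "*"}]}}]},
    },
]


def _policy_document(entry: dict) -> dict:
    doc = entry["policyDocument"]
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def _as_list(value):
    return value if isinstance(value, list) else [value]


def item_in_effect(history, at_iso: str):
    """The configuration item current at `at_iso`: latest capture time <= at."""
    at = parse_utc(at_iso)
    current = None
    for ci in history:
        captured = parse_utc(ci["configurationItemCaptureTime"])
        if captured <= at and (current is None or captured > parse_utc(current["configurationItemCaptureTime"])):
            current = ci
    return current


def allowed_at(history, action: str, at_iso: str) -> bool:
    """True if an inline policy in effect at `at_iso` allowed `action`; explicit Deny wins."""
    ci = item_in_effect(history, at_iso)
    if ci is None:
        return False   # Config was not recording yet, or the user did not exist
    allowed = False
    for entry in ci["configuration"].get("userPolicyList", []):
        for stmt in _as_list(_policy_document(entry)["Statement"]):
            patterns = _as_list(stmt.get("Action", []))
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for when in ("2014-12-01T00:00:00Z", "2015-01-01T00:00:00Z", "2015-01-10T00:00:00Z", "2015-02-15T00:00:00Z"):
        print(when, "ec2:ModifyVpcAttribute allowed:", allowed_at(HISTORY, "ec2:ModifyVpcAttribute", when))
```

The item-selection step is the part worth copying: Config records a new item only when something changes, so the answer for a date is the latest item captured on or before it, not the item captured on that day.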

Set up alerts for IAM configuration changes and perform audits

Set up alerts that fire on IAM configuration changes. This adds a detective layer that is especially useful for monitoring the activity of users with increased privileges. The chain can be built from AWS CloudTrail (which records the API calls), Amazon CloudWatch (which matches the IAM change events) and Amazon SNS (which delivers the notification). For more information, refer to the How to Receive Alerts When Your IAM Configuration Changes blog post.

FSISEC4: How do you ensure that all human access uses federation?

At financial institutions, internal and external risk and audit teams scrutinize user access management and auditability of user actions. Federation enables organizations to leverage existing functions such as user lifecycle, password, and Multi-Factor Authentication (MFA) management, to extend single sign-on for applications and the AWS Management Console.

Use federated access for developers' CLI and API environments

When setting up federated access, it’s important to include access to the AWS Management Console and CLI or AWS APIs. Refer to the How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS blog post for details and sample scripts for setting up SAML federation for CLI and API access. Similar scripts are also available from third-party IdP vendors.

Implement preventative and detective controls around IAM user creation

After federation is configured for human access and EC2 instance profiles are used for application access, very few additional IAM users need to be created. You may have a handful of admin identities for break glass processes (for example, if there is an issue with the federation configuration or the identity provider), and a handful of users for third-party applications that do not support IAM roles. Implement detective controls with AWS Config so that the creation of any new IAM user or group is recorded and alerted on.

Implement detective controls when IAM user credentials are used

Detective controls must be implemented for any API actions performed by a non-federated IAM principal. In fully federated environments that leverage IAM roles, IAM users should be used only on rare occasions, such as break glass procedures. All actions by IAM users need to be monitored and alerted on.
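The three detective controls called for above (alerting on IAM configuration changes, on new IAM users or groups, and on any API call made with IAM user credentials) are all decisions over fields of a CloudTrail record. The following is an added example, not code from the AWS guidance: it classifies a handful of constructed, trimmed CloudTrail events by userIdentity.type, eventSource, eventName and the readOnly flag. In production the same predicates live in a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail log group rather than in a script, with SNS delivering the alert.

```python
"""Detective controls over CloudTrail records: IAM configuration changes,
new IAM users or groups, and any API call made with IAM-user credentials."""

# Newer CloudTrail records carry readOnly; older ones do not, so fall back to
# the IAM API naming convention for read-only operations.
IAM_READ_PREFIXES = ("Get", "List", "Generate", "Simulate")
IDENTITY_CREATION = {"CreateUser", "CreateGroup"}

# Constructed sample events in the shape CloudTrail writes them (trimmed).
SAMPLE_EVENTS = [
    {   # federated engineer making a read-only EC2 call: no finding
        "eventTime": "2024-03-01T09:12:04Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "readOnly": True,
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Developers/jane.doe"}},
    {   # federated admin changing a role's permissions: IAM_CONFIG_CHANGE
        "eventTime": "2024-03-01T09:40:51Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "readOnly": False,
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Administrators/sam.lee"}},
    {   # break glass IAM user creating another IAM user: all three rules fire
        "eventTime": "2024-03-01T22:03:17Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "breakglass-admin",
                         "arn": "arn:aws:iam::123456789012:user/breakglass-admin"},
        "requestParameters": {"userName": "svc-new-vendor"}},
    {   # IAM user listing users (read-only, record lacks readOnly): IAM_USER_API_CALL only
        "eventTime": "2024-03-01T22:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser", "userName": "svc-legacy-audit",
                         "arn": "arn:aws:iam::123456789012:user/svc-legacy-audit"}},
]


def is_iam_change(ev: dict) -> bool:
    """True for any mutating call to the IAM control plane."""
    if ev.get("eventSource") != "iam.amazonaws.com":
        return False
    if "readOnly" in ev:
        return not ev["readOnly"]
    return not ev.get("eventName", "").startswith(IAM_READ_PREFIXES)


def triage(events):
    """Return one finding per (event, rule) pair that fires."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        base = {"eventTime": ev.get("eventTime"), "eventName": ev.get("eventName"),
                "principal": ident.get("arn", "unknown")}
        if ident.get("type") == "IAMUser":          # non-federated principal
            findings.append({**base, "rule": "IAM_USER_API_CALL"})
        if is_iam_change(ev):
            findings.append({**base, "rule": "IAM_CONFIG_CHANGE"})
        if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in IDENTITY_CREATION:
            params = ev.get("requestParameters", {})
            findings.append({**base, "rule": "IAM_IDENTITY_CREATED",
                             "target": params.get("userName") or params.get("groupName")})
    return findings


def rules_fired(events):
    return sorted({f["rule"] for f in triage(events)})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["eventTime"], f["rule"], f["eventName"], f["principal"], f.get("target", ""))
```

Note that the break glass user's CreateUser call is expected to page someone even though it is authorised: in a fully federated account every IAM user action is a signal, and a finding that turns out to be the planned break glass exercise is the control working, not a false positive.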

FSISEC5: How do you ensure that all third-party applications are accessing AWS APIs using best practices?

As a security best practice, use IAM roles and federation for third-party applications when delegating access to the organization's AWS API resources.

Grant permissions through Roles

A role provides temporary security credentials that are valid only for the duration of the role session. A third-party application accesses your AWS resources by assuming a role that you create in your AWS account. The role's permissions policy, which you define, determines the actions the third party can take and the resources it can access; the role's trust policy determines who is allowed to assume it.

IAM roles are meant to be assumed by authorized entities such as IAM users, third-party applications, or an AWS service such as EC2. Associating a role with an EC2 instance (an instance profile) removes the need to distribute and manage long-term access keys on the instance: the instance obtains temporary security credentials, which third-party applications running on it can use to make API requests to your AWS resources.
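The trust policy is where third-party access is most often left too loose. The following is an added example, not code from the AWS guidance: it builds the trust policy for a role a vendor assumes from its own account, with the sts:ExternalId condition that AWS recommends for third parties, and models the STS decision locally to show the confused-deputy case the external ID exists for. The vendor account number and external ID are constructed values; only the trust-policy half of the decision is modelled (the vendor's own account must also grant sts:AssumeRole on the role).

```python
"""Cross-account role for a third-party application, with an external ID so
the vendor cannot be turned into a confused deputy against another tenant."""

VENDOR_ACCOUNT = "999999999999"      # constructed: the third party's AWS account
EXTERNAL_ID = "acme-tenant-7f3a2c"    # constructed: issued by the vendor, unique per customer


def build_trust_policy(vendor_account: str, external_id: str) -> dict:
    """Trust policy: only principals in `vendor_account`, and only when the
    AssumeRole call presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _account_of(principal_arn: str) -> str:
    # arn:aws:iam::123456789012:root -> 123456789012
    return principal_arn.split(":")[4]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_allowed(trust_policy: dict, caller_account: str, external_id=None) -> bool:
    """Simplified trust-policy evaluation for an AssumeRole request."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_account not in {_account_of(p) for p in principals}:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue   # wrong or missing external ID: the condition fails
        return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    cases = [
        ("vendor, correct external ID", VENDOR_ACCOUNT, EXTERNAL_ID),
        ("vendor tricked into using another tenant's ID", VENDOR_ACCOUNT, "evil-tenant-0001"),
        ("vendor, no external ID", VENDOR_ACCOUNT, None),
        ("other account that learned the external ID", "111111111111", EXTERNAL_ID),
    ]
    for label, account, ext in cases:
        print(f"{label}: {'allowed' if assume_role_allowed(policy, account, ext) else 'denied'}")
```

The second case is the confused deputy: an attacker who knows your role ARN asks the vendor to "connect" it to the attacker's tenant, and the vendor's AssumeRole call carries the attacker's external ID, which does not match. The external ID is not a secret and the last case shows why it is not one: access is still limited to the vendor's account by the Principal element. Scope the role's permissions policy to the vendor's task and keep the session duration short.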

Rotate and review IAM privileges assigned to third parties

Third-party applications must use federation. If federation is not supported, IAM credentials need to be rotated on a regular basis and removed after the defined purpose is no longer necessary, or if you suspect the user is compromised.

Considerations for defining the time span during which a particular IAM user needs to be rotated or removed include, but are not limited to, the sensitivity of the data, your company’s security posture, corporate governance and compliance requirements, and risk of damage that a compromised IAM user could cause to your financial systems.
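Whatever rotation window those considerations produce, enforcing it means reading the IAM credential report. The following is an added example, not code from the AWS guidance: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (trimmed to the columns the check reads; the real file also has password_*, cert_* and *_last_used_region/service columns) and flags every active access key that is overdue for rotation, never used, or idle. The user names, dates and thresholds are constructed.

```python
"""Flag IAM user access keys that are overdue for rotation or no longer used,
from the CSV credential report that IAM generates."""
import csv
import io
from datetime import datetime

# Constructed credential report (subset of columns), timestamps as IAM emits them.
REPORT_CSV = """\
user,arn,user_creation_time,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
breakglass-admin,arn:aws:iam::123456789012:user/breakglass-admin,2022-05-10T08:00:00+00:00,true,true,2024-02-20T09:00:00+00:00,2024-02-27T16:42:11+00:00,false,N/A,N/A
svc-legacy-reporting,arn:aws:iam::123456789012:user/svc-legacy-reporting,2021-11-02T12:00:00+00:00,false,true,2023-01-15T10:30:00+00:00,2024-02-28T03:10:00+00:00,false,N/A,N/A
svc-ticketing,arn:aws:iam::123456789012:user/svc-ticketing,2024-01-20T08:15:22+00:00,false,true,2024-01-20T08:15:22+00:00,N/A,false,N/A,N/A
svc-decommissioned,arn:aws:iam::123456789012:user/svc-decommissioned,2020-03-01T00:00:00+00:00,false,false,2020-03-01T00:00:00+00:00,N/A,true,2023-06-01T00:00:00+00:00,2023-07-01T00:00:00+00:00
"""

# Placeholders IAM uses for absent values (the root row uses not_supported).
MISSING = {"N/A", "not_supported", "no_information", ""}


def _date(value: str):
    return None if value in MISSING else datetime.fromisoformat(value)


def stale_access_keys(report_csv: str, now_iso: str, max_age_days: int = 90, max_idle_days: int = 30):
    """Return (user, key_slot, reason) for every active key that breaches a threshold.

    ROTATION_OVERDUE: last rotated more than max_age_days ago
    NEVER_USED:       created more than max_idle_days ago and never used
    IDLE:             last used more than max_idle_days ago
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue                       # inactive keys are already neutralised
            rotated = _date(row[f"access_key_{slot}_last_rotated"])
            last_used = _date(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and (now - rotated).days > max_age_days:
                findings.append((row["user"], slot, "ROTATION_OVERDUE"))
            if last_used is None:
                if rotated is not None and (now - rotated).days > max_idle_days:
                    findings.append((row["user"], slot, "NEVER_USED"))
            elif (now - last_used).days > max_idle_days:
                findings.append((row["user"], slot, "IDLE"))
    return findings


if __name__ == "__main__":
    for user, slot, reason in stale_access_keys(REPORT_CSV, "2024-03-01T00:00:00+00:00"):
        print(f"{user}: access key {slot} {reason}")
```

The report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report --query Content --output text | base64 -d`. The two reasons deliberately overlap: a key that is both overdue and idle is a removal candidate, a key that is overdue but in daily use is a rotation ticket, and a key that was never used (svc-ticketing here) is usually an application that switched to a role without anyone deleting the credential.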

Which AWS service allows clients to audit and monitor AWS resource changes?

AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources.

Which service enables customers to audit API calls in their AWS accounts?

AWS CloudTrail. CloudTrail provides a record of the actions taken by a user, role, or AWS service and captures the API calls made to AWS services as events. (The sentence often quoted in answer to this question, that AWS Audit Manager is integrated with CloudTrail and that CloudTrail captures all API calls for Audit Manager as events, describes how CloudTrail records Audit Manager's own API calls; Audit Manager collects evidence against compliance frameworks and is not the service that records API calls.)

Which AWS service can be used to track resource changes?

AWS Config is a service that continuously tracks and evaluates the configuration changes of your AWS resources. It provides you with a Resource Timeline which helps you to investigate and audit how the resources and their relationships change over time.

Which AWS service is used to track record and audit?

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.