In an effort to reduce vulnerabilities and improve control over their cloud environments, an increasing number of AWS customers rely on the Evident Security Platform (ESP) to automate both the discovery and remediation of sensitive security issues. Integral to this mission is reducing the amount of time it takes to provision the resources necessary for ESP to monitor an AWS account. To allow for basic configuration monitoring, ESP requires that each AWS account has an associated IAM Service Role with an attached AWS’ managed ‘Security Audit’ policy.
For an administrator with only a handful of AWS accounts this may not take much time. However, consider an administrator that manages hundreds or thousands of AWS accounts. Creating a simple role for each of these accounts manually can quickly turn into a time consuming, monotonous task. By leveraging an Evident.io Python script that utilizes AWS CloudFormation templates in addition to the AWS Boto3 SDK, ESP users are able to forego the tedious process of resources creation in the AWS dashboard and register their accounts with a simple Python command:
CloudFormation templates are extremely helpful when it comes to setting up User Attribution capabilities, which is required for organizations to correlate ESP security alerts directly to AWS CloudTrail events. User Attribution analyzes events, reduces datasets to those that are relevant to the specific ESP alert, and summarizes the relevant CloudTrail event fields in ESP alerts. This helps identify the ‘needle in the haystack’ of data and eliminates the guesswork and manual detection that takes precious time away from the ability to make quick decisions, isolate data, and fix the issue.
ESP User Attribution identifies the following information for every alert:
- The exact performed action and tool that triggered the alert.
- The user or role that initiated the action that generated the alert.
- The IP address of the performed action’s source.
ESP provides these and other details to help identify the specifics of the issue:
With this information, admins, and security teams are able to specify issues as well as ongoing problem areas that may require policy changes. They can also apply user attribution data to incident response plans to create greater control over their cloud environment.
Enabling this feature requires setting up a few AWS services. As noted previously, there are documented steps for this set up, but to streamline the process, especially for users with multiple AWS accounts, we recommend leveraging our Python script and CloudFormation template to automatically provision all of the required resources with the same ‘python onboard_account.py’ command. For customers with a large number of accounts this can transform the setup process from hours to just minutes.
The steps include:
- Setup a CloudTrail
- S3 bucket
- KMS key
- SNS Topic
- Add Policy to External Account
- IAM policy
- Create SNS Subscription
- Add CloudTrail Name in ESP
Our Python script and CloudFormation template will deploy everything in steps 1 – 4.
For some customers ESP monitoring has become a hard requirement for any newly requested AWS account. As such, many of these customers have baked in the setup of ESP required resources into their account creation pipeline. Triggering our Python script and CloudFormation template on AWS account creation ensures security coverage as soon as a new AWS account goes live.
It might also be worth noting that if larger customers have already created a CloudFormation “Administrator Account” they could use a StackSet to deploy the template across multiple AWS accounts with a “single click.” To start working with AWS CloudFormation StackSets, you should understand how AWS CloudFormation works, and have some experience working with AWS CloudFormation templates and stacks. More information on these prerequisites for StackSets can be found here.
If you have questions about our python script or CloudFormation templates, or if you are a current customer, please feel free to email us at firstname.lastname@example.org to schedule a training call.
Keep an eye for more blogs in this series.