Plugging AWS Into Your SIEM: A Practical Guide
Managing cloud security can be a challenge, particularly as your data, resources and services grow. Misconfiguration and lack of visibility are frequently exploited in data and system breaches. Both issues are more likely to occur without centralized tools.
Provider dashboards and services may be enough to provide basic visibility. However, most organizations need more advanced security measures.
For many organizations, security information and event management (SIEM) tools provide a solution. In this article, I’ll explain what a SIEM is and how it can benefit your cloud security and management strategies. You’ll also learn what services are useful to integrate into a SIEM with a focus on AWS and how data from these services are consumed.
What is a SIEM?
A SIEM is a collection of tools and services that you can use to centralize monitoring, alerting, and logging. You can use SIEMs to perform data analysis to detect anomalies in system activity and gain context for events and incidents.
SIEM solutions are often combined with user and entity behavior analysis (UEBA) tools. UEBA tools create baselines of “normal” activity and can identify and alert on activity that deviates from the baseline.
SIEMs can benefit cloud management by:
- Providing centralized monitoring – dispersed systems can be a challenge to monitor as you may have individual dashboards and portals for each service. SIEMs can alert you to suspicious or policy-breaking behavior that you might otherwise miss in standalone dashboards.
- Creating visibility in multi-cloud and hybrid cloud systems – cloud-specific services may not be extendable to on-premises resources and vice versa. SIEMs can help you ensure that policies and configurations are consistent across environments, for example by monitoring data use and transfer in hybrid storage services.
- Helping you evaluate and prove compliance standards – SIEMs can provide trackable, unified logging with evidence of actions taken. You can use SIEM logging and event tracking in compliance audits and certifications.
- Scaling to match your system needs – SIEMs often use daemons or agents to monitor distributed systems. These agents allow you to scale your SIEM to match your environment size. A SIEM can also accept and incorporate data streams from the other tools across your system, so you benefit from the scalability of those tools as well.
Plugging AWS into your SIEM
To connect AWS data to your SIEM, it’s important to understand which services provide ingestible data, how to transfer data and how you can respond from your SIEM. You should also take into consideration what SIEM services AWS provides and how information from these services can be incorporated.
Data sources and response
The following are some of the most common data sources from AWS. These sources aggregate data from multiple AWS services. You may also need to collect data from services individually depending on the services you’re using.
Identity and access management (IAM)
IAM lets you assign permissions and credentials based on users, groups or roles. You can use it to manage credentials with policies specifying access and abilities. You can also use IAM to federate credentials with on-premises systems. IAM data reaches a SIEM through logs stored in S3, through AWS Security Hub, or through API calls.
CloudTrail
CloudTrail allows you to perform compliance, governance, operational and risk audits. You can use it to continuously monitor and log account activity. This activity includes history from the AWS Management Console, SDKs, other AWS services and command-line tools. CloudTrail collects information from security, audit and VPC flow logs, as well as on API calls.
CloudTrail delivers its log files to S3 about every five minutes, and you can read CloudTrail data from the logs delivered there. Alternatively, you can have the data delivered to CloudWatch Logs and access it from the API or CloudFormation.
Virtual private cloud (VPC) Flow Logs
With VPC Flow Logs you can see logging from security groups and access control list (ACL) events. It provides a log of all traffic occurring in your VPC. You can use it to identify system misuse, analyze rejection rates, correlate traffic flow increases and verify server or port access.
Flow log records include source and destination IP addresses, ports, packet and byte counts, the action taken, and whether the request was allowed or denied. Flow log data is captured in up to 10-minute blocks when an event triggers logging. You can access VPC Flow Logs data via CloudWatch Logs or from log storage in your designated S3 bucket.
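The analysis the paragraph above describes (rejection rates and port access checks) is easy to run in a SIEM pipeline once the records are parsed. The following is an added example, not code from the original article or from AWS: it parses lines in the default VPC Flow Logs format, computes the rejection rate, and flags sources whose rejected flows touched several distinct destination ports. The log lines are constructed samples, and the `min_ports` threshold is an assumption you would tune for your environment.

```python
from collections import defaultdict

# Constructed sample lines in the default VPC Flow Logs record format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 4 240 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 23 6 4 240 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 3389 6 4 240 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51237 445 6 4 240 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44321 443 6 20 8000 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 443 44321 6 18 52000 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000059 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, skipping unusable ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; do not guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no flow fields
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejection_rate(records):
    """Fraction of flows the security group or network ACL rejected."""
    total = len(records)
    rejected = sum(1 for r in records if r["action"] == "REJECT")
    return rejected / total if total else 0.0


def port_scan_candidates(records, min_ports=3):
    """Sources whose REJECTed flows hit at least min_ports distinct dst ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```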
CloudWatch Events
CloudWatch Events is a service you can use to perform automated response actions. It is tied to CloudWatch and can trigger events in other services, such as Lambda or Simple Notification Service (SNS).
CloudWatch Events allows you to define response workflows that are initiated automatically when a trigger event occurs, for example sending log data or alerts to your SIEM.
AWS centralization services
You can use the following services to perform SIEM tasks in your cloud environment. These services collect and forward data to your on-premises SIEM.
CloudWatch
CloudWatch is a visibility service you can use to monitor applications, system performance, resource utilization and operational health. It collects logs, events and metrics from your AWS services. You can use CloudWatch to detect suspicious behavior, visualize logs, alert on events and perform automated actions.
CloudWatch integrates natively with 70 AWS services and publishes metrics at minute or second intervals. It also includes a built-in service called CloudWatch Logs. This service gives you the ability to centralize logs from other services and forward data to an external SIEM via integration with Kinesis.
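Whether CloudWatch Logs forwards to a Lambda function (the CloudWatch Events path above) or to a Kinesis stream on its way to the SIEM, the consumer receives the same subscription payload: base64 text wrapping a gzip-compressed JSON document with `messageType`, `owner`, `logGroup`, `logStream` and a `logEvents` list. The following is an added example, not code from the original article or from AWS: it decodes that payload, drops control messages, and flattens each log event into a self-describing record a SIEM can index. The sample payload is constructed, and `lambda_handler` is a hypothetical entry point showing the shape a subscribed Lambda would use.

```python
import base64
import gzip
import json


def decode_subscription_payload(data_b64):
    """Decode a CloudWatch Logs subscription record (base64 of gzipped JSON).

    Returns the parsed dict, or None for CONTROL_MESSAGE records, which are
    delivery checks and carry no log events.
    """
    payload = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if payload.get("messageType") != "DATA_MESSAGE":
        return None
    return payload


def to_siem_events(payload):
    """Flatten logEvents into records that keep their account/log-group context.

    JSON messages (e.g. CloudTrail events) are parsed into nested fields;
    anything else is kept verbatim under "message".
    """
    events = []
    for ev in payload["logEvents"]:
        rec = {"source": "aws.cloudwatch_logs", "account_id": payload["owner"],
               "log_group": payload["logGroup"], "log_stream": payload["logStream"],
               "timestamp_ms": ev["timestamp"]}
        try:
            rec["event"] = json.loads(ev["message"])
        except ValueError:
            rec["message"] = ev["message"]
        events.append(rec)
    return events


def encode_subscription_payload(payload):
    """Inverse of decode_subscription_payload; used only to build the sample."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


# Constructed sample: one CloudTrail-style JSON event plus one plain-text line.
SAMPLE_PAYLOAD = encode_subscription_payload({
    "messageType": "DATA_MESSAGE", "owner": "123456789012",
    "logGroup": "CloudTrail/example", "logStream": "123456789012_CloudTrail_us-east-1",
    "subscriptionFilters": ["to-siem"],
    "logEvents": [
        {"id": "1", "timestamp": 1600000000000, "message": json.dumps(
            {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
             "errorCode": "AccessDenied"})},
        {"id": "2", "timestamp": 1600000001000, "message": "plain text line"},
    ],
})


def lambda_handler(event, context=None):
    """Hypothetical Lambda entry point for a log-group subscription."""
    payload = decode_subscription_payload(event["awslogs"]["data"])
    return to_siem_events(payload) if payload else []
```

A Kinesis consumer applies the same two functions to each record's `data` field instead of `event["awslogs"]["data"]`.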
AWS Security Hub
Security Hub is a service that centralizes and organizes alerts and findings from across services. These services include GuardDuty, Macie, IAM Access Analyzer and AWS Firewall Manager. You can use Security Hub to continuously monitor your environment and perform automated compliance checks.
In a cloud environment, with distributed resources that are potentially publicly Internet-accessible, a fast and continuous response is key. SIEMs provide a unified and centralized console for monitoring and managing your systems. These tools let you incorporate data across services and tools so you can identify and respond to issues effectively and efficiently.
Hopefully, this article gives you an introduction on how to integrate your AWS environment and your SIEM solution. After integration, you should have improved visibility and find that securing and maintaining your system is easier and more consistent.