Remote work initiatives can result in cloud security risks as security and IT teams quickly migrate to the cloud while still supporting legacy technology.
As you adopt new cloud technologies, it’s harder to gain visibility into security risks outside of your control. Administrative changes and other common misconfigurations that go unnoticed can have cascading effects on security and widen an organization’s attack surface, unintentionally exposing sensitive data to the internet.
Organizations of all sizes struggle with securing a hybrid environment of on-premises and cloud applications, services and infrastructure. To compensate, they may turn to a growing number of security tools that are too costly, complex and manual.
Comprehensive Cloud Security Monitoring and Response
To help secure organizations of all sizes migrating to cloud infrastructure and software as a service (SaaS), Blumira has built integrations with cloud infrastructure, identity providers and applications to ensure we have coverage across different platforms and vendors.
This provides value for our customers as they endeavor to gain visibility, centralize cloud monitoring and simplify their detection and response capabilities.
AWS Security Monitoring and Response
Recently, we’ve released our integration with AWS (Amazon Web Services) to enable you to detect, alert and respond to indicators of an attack in progress like account changes, malware infection, abnormal cloud infrastructure behavior and more.
Our solution has been reviewed by AWS to meet the highest standards for security, reliability and operational excellence. Blumira has officially joined the Amazon Partner Network (APN) as an Independent Software Vendor (ISV).
Our platform monitors GuardDuty, CloudTrail and VPC Flow Logs for malicious activity, centralizing log flows for continuous monitoring to help you protect your AWS environment.
- CloudTrail – AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
- VPC Flow Logs – VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- GuardDuty – Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
Learn more about how to integrate your AWS log sources with Blumira’s cloud SIEM in our AWS: Getting Started Guide.
Detect S3 Bucket Security Risks
Common misconfigurations can result in the exposure of AWS S3 (Simple Storage Service) buckets, the scalable object storage you can use for application data, backup and recovery, disaster recovery, hybrid cloud storage and more.
Any administrative change in settings can unknowingly result in the public exposure of potentially sensitive or customer data, which can result in data breaches, compliance violations and costly fines.
In the Capital One breach from 2019, a software engineer used scanning software to identify AWS customers with misconfigured firewalls that had access permissions to S3 buckets. She decrypted and exfiltrated data from an account she found this way (U.S. Dept. of Justice).
A few years back, S3 bucket exposures were more common due to the lack of visibility and the inability of companies to keep track of bucket configurations. Additionally, certain bucket access control lists (ACLs) allowed public access to buckets, due to both the poor naming of those ACLs and poor user education on ACL permissions (SecurityBoulevard).
Blumira Detects S3 Bucket Misconfigurations
Blumira’s SIEM monitors CloudTrail logs for these types of changes and misconfigurations, parsing and analyzing billions of events to pare them down to a few prioritized alerts sent in near real-time to your team to respond to quickly.
S3 Detection: Finding Analysis
In this example detection, we’ve identified that a specific Amazon S3 bucket has been granted public (anonymous) access by a particular user originating from a particular IP address. If this was unexpected behavior, it could indicate a misconfiguration or compromised credentials.
S3 Detection: Workflow Remediation
To help you respond quickly, we populate the finding with a pre-built playbook to walk through remediation. In this case, we recommend you review the S3 bucket in question that we identified, its ARN (Amazon Resource Name) and the bucket owner to determine if it was an expected or authorized change.
If not, you should mark the finding as malicious activity, work to quarantine the IAM principal and investigate further. If your team needs more advice or information to understand this finding or what your next steps should be, you can directly message the responsive Blumira security team for additional help.
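To make the detection above and the fields the playbook asks you to review concrete, here is an added Python example; it is not Blumira’s code or detection logic. It scans CloudTrail records for PutBucketAcl and PutBucketPolicy calls that open a bucket to the public (a public canned ACL, an explicit grant to the AllUsers or AuthenticatedUsers group, or a bucket policy allowing Principal "*") and emits a finding carrying the bucket ARN, the IAM principal and the source IP, which are exactly the items the remediation step reviews. The field names follow the CloudTrail record layout for these API calls; the sample records, the account ID and the IP addresses are constructed values.

```python
"""Flag CloudTrail events that grant public access to an S3 bucket.

Added example, not Blumira's code. The CloudTrail field layout used here
(eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName,
requestParameters["x-amz-acl"], AccessControlPolicy grants, bucketPolicy)
is the documented one; every record below is a constructed sample.
"""
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


@dataclass
class Finding:
    bucket: str
    bucket_arn: str      # what the playbook asks you to review first
    principal: str       # IAM principal that made the change
    source_ip: str       # where the API call came from
    event_time: str
    event_name: str
    reason: str


def _acl_reasons(params: dict) -> List[str]:
    reasons = []
    # Canned ACL sent as the x-amz-acl header; CloudTrail records it as a list.
    for canned in params.get("x-amz-acl", []):
        if canned in PUBLIC_CANNED_ACLS:
            reasons.append(f"canned ACL {canned}")
    # Explicit grants to the global AllUsers / AuthenticatedUsers groups.
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is not wrapped in a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            reasons.append(f"{grant.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    return reasons


def _policy_reasons(params: dict) -> List[str]:
    reasons = []
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):  # tolerate the policy arriving as a JSON string
        policy = json.loads(policy)
    for stmt in (policy or {}).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        # An unconditional Allow to everyone is the case worth alerting on.
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            reasons.append(f"bucket policy allows Principal * on {stmt.get('Action')}")
    return reasons


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this CloudTrail record makes a bucket public, else None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "PutBucketAcl":
        reasons = _acl_reasons(params)
    elif name == "PutBucketPolicy":
        reasons = _policy_reasons(params)
    else:
        return None
    if not reasons:
        return None
    bucket = params.get("bucketName", "<unknown>")
    return Finding(
        bucket=bucket,
        bucket_arn=f"arn:aws:s3:::{bucket}",
        principal=event.get("userIdentity", {}).get("arn", "<unknown>"),
        source_ip=event.get("sourceIPAddress", "<unknown>"),
        event_time=event.get("eventTime", ""),
        event_name=name,
        reason="; ".join(reasons),
    )


def analyze_records(records: List[dict]) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in records) if f is not None]


# Constructed sample CloudTrail records (placeholder account ID, TEST-NET IPs).
_WHO = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-dev"}
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-02T14:05:11Z", "eventName": "PutBucketAcl", "userIdentity": _WHO,
     "sourceIPAddress": "203.0.113.25",
     "requestParameters": {"bucketName": "example-customer-exports", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2021-03-02T14:06:40Z", "eventName": "PutBucketAcl", "userIdentity": _WHO,
     "sourceIPAddress": "203.0.113.25",
     "requestParameters": {"bucketName": "example-internal-logs", "x-amz-acl": ["private"]}},
    {"eventTime": "2021-03-02T14:09:02Z", "eventName": "PutBucketAcl", "userIdentity": _WHO,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-backups", "AccessControlPolicy": {"AccessControlList": {
         "Grant": [{"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}]}}}},
    {"eventTime": "2021-03-02T14:12:30Z", "eventName": "PutBucketPolicy", "userIdentity": _WHO,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-static-site", "bucketPolicy": {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::example-static-site/*"}]}}},
    {"eventTime": "2021-03-02T14:13:00Z", "eventName": "ListBuckets", "userIdentity": _WHO,
     "sourceIPAddress": "203.0.113.25", "requestParameters": None},
]

if __name__ == "__main__":
    for finding in analyze_records(SAMPLE_RECORDS):
        print(json.dumps(asdict(finding)))
```

Run as-is it prints three findings (the canned public-read ACL, the explicit AllUsers grant and the wildcard bucket policy) and stays silent on the private ACL and the unrelated ListBuckets call. A real deployment would read records from the CloudTrail log files delivered to S3 or from CloudWatch Logs rather than from the inline list, and would add the PutBucketPublicAccessBlock and DeleteBucketPolicy calls to the watch list.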
Detect AWS Cloud Security Risks
In addition to S3 misconfigurations, we monitor your AWS cloud environment for indicators of other cloud security threats to help you identify malicious activity and stop an attack in progress.
Additional AWS Security Resources
- AWS: Getting Started Guide – A basic overview of the six steps to set up and correctly configure AWS data streams, which will connect AWS logs to Blumira’s platform for automated detection and response.
- AWS Security Monitoring – An overview of Blumira’s cloud security monitoring and response capabilities for comprehensive AWS security coverage.
Join VP of Product Jim Simpson and CTO Matt Warner as they cover how to reduce cloud security risks with Blumira’s cloud and AWS security monitoring solution in our on-demand webinar, Security Advisor Series: Tackling Cloud Security Threats in AWS.