As you know, Microsoft Cloud App Security can help protect several SaaS applications. It gives you control over the actions carried out by your users and over the data they decide to store in the cloud. SaaS app protection is indeed critical, but it should not come at the cost of neglecting the protection of your Infrastructure as a Service (IaaS).
For that purpose, Cloud App Security can integrate with your AWS platform and detect risky behavior, control data sharing and help review best practice recommendations.
Note: While this blog is specific to AWS, Cloud App Security can also help you secure your Azure and Google Cloud Platform environments in the same way.
Microsoft Cloud App Security helps you protect your AWS infrastructure in the following ways:

| Benefit | Description | Feature or policy |
| --- | --- | --- |
| Cloud Security Posture Management | A large portion of the security issues we see daily are related to accidental or malicious configuration changes, and to a lack of compliance with products’ best practices. MCAS can help in both areas. Policies can be configured to alert you when a configuration is modified in a way that may impact security. Best practices for AWS (as well as for other IaaS platforms) are reported in MCAS, making it a single pane of glass for your cloud security recommendations. | Get security configuration recommendations for AWS (Microsoft Docs). Activity policy templates: “IAM Policy Change”, “Security Group Configuration changes”, “Network ACL changes”, etc. |
| Compromised account or insider threat | As for most applications, when AWS is connected, the applicable built-in threat detection policies apply automatically. Some are standard and apply to all apps, some are tailored for IaaS. | Built-in policies such as “Multiple delete VM activities”, “Multiple VM creation activities”, “Impossible Travel”, “Activity from infrequent country”, “Connection from Risky IP”, etc. |
| Data leakage protection | Many of the security incidents we’ve seen in the news in the past few months and years are due to improperly shared documents or folders. To help you limit these risks, MCAS can detect publicly shared AWS S3 buckets and alert you, or automatically make them private. Note: MCAS does not inspect the content of files stored in AWS S3 buckets, only their sharing status. | File policy template: “Publicly accessible S3 buckets”. Activity policy template: “S3 Bucket Activity”. |
Let's start with connecting AWS and Cloud App Security. Several steps need to be accomplished in this connection: Cloud App Security needs to gather (1) all the activities happening at the AWS level, like it does for other apps, and (2) some of the configuration settings and best practice guidance to review the account’s security configuration. In order to get the activities and security recommendations, the connection of AWS to Cloud App Security is two-fold:
This is demonstrated in the video below.
The video below shows how to establish this connection, as well as how to leverage Security recommendations from the Cloud App Security console.
A step-by-step procedure to establish these connections is also available here.
Once AWS is connected, the built-in threat detection policies listed here are in place, analyzing the activities taking place in AWS.
The policies below are specific to IaaS platforms and apply only to AWS and Azure:

| Policy name | Description |
| --- | --- |
| Unusual multiple storage deletion activities (preview) | This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| Multiple delete VM activities | This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| Unusual multiple VM creation activities (preview) | This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach. |
| Unusual region for cloud resource (preview) | This policy profiles your environment and triggers alerts when a user performs suspicious creation activities in a cloud region that was not recently, or was never, accessed. This may indicate that an attacker is creating cloud resources to run malicious activities like crypto mining. |
In addition to the built-in threat detection policies, there are a number of file and activity policy templates specifically for AWS activities that you can use as a starting point to create your own policies.
The list is available here:

| Template | Description |
| --- | --- |
| Publicly accessible S3 buckets (AWS) | Alert when an S3 bucket in AWS is publicly accessible. |
| Virtual Private Network (VPC) changes (AWS) | Alert on any API calls made to create, update, or delete an Amazon VPC, an Amazon VPC peering connection, or an Amazon VPC connection to classic Amazon EC2 instances. |
| IAM Policy changes (AWS) | Alert on any API calls made to change an IAM policy. |
| Console Sign-in Failures (AWS) | Alert on multiple sign-in failures to the AWS console. |
| CloudTrail changes (AWS) | Alert on any API call made to create, update, or delete a CloudTrail trail, or to start or stop logging a trail. |
| EC2 Instance changes (AWS) | Alert on any API call made to create, terminate, start, stop, or reboot an Amazon EC2 instance. |
| Network Gateway changes (AWS) | Alert on any API call made to create, update, or delete a customer’s internet gateway. |
| Network Access Control List (ACL) changes (AWS) | Alert on any configuration changes involving Network ACLs. |
| S3 Bucket Activity (AWS) | Alert when an AWS S3 API call is made to PUT or DELETE a bucket policy, bucket lifecycle, or bucket replication, or to PUT a bucket ACL. The alert also covers Cross-origin resource sharing PUT bucket and DELETE bucket events. |
| Security Group Configuration changes (AWS) | Alert on configuration changes which involve security groups. |

When you create a new policy from a template, the default behavior is to create an alert, so you can be notified of a match to the policy. This does not have any impact on the users or environment. After reviewing the policy matches, you can decide to configure governance actions to be taken when there is a policy match. For example, for a policy created from the Publicly accessible S3 buckets (AWS) template, you can choose “Make private” or “Remove a collaborator”.
The video below details how to create and configure these policy templates:
All the templates we discussed above are great best practices and apply to most customers. However, they may not capture the uniqueness of your environment. For that, you can configure custom policies. Here are a few best practices when configuring these:
And now, a real-life example. The policy below will alert when a large number of S3 buckets are shared within a minute:
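To make the logic of that policy concrete, here is an added example (not part of the original post and not MCAS code) that evaluates constructed CloudTrail-style `PutBucketAcl` records: it first decides whether each ACL change makes a bucket public (the check behind the “Publicly accessible S3 buckets” template), then alerts when one user exposes at least `threshold` distinct buckets within a one-minute sliding window. The record layout, the `threshold` parameter and all user and bucket names are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Grantee URIs that expose a bucket to anyone (AllUsers) or to any AWS account (AuthenticatedUsers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}

def is_public_grant(event):
    """True when a PutBucketAcl record grants access to a public group (layout is an assumption)."""
    if event.get("eventName") != "PutBucketAcl":
        return False
    policy = event.get("requestParameters", {}).get("AccessControlPolicy", {})
    grants = policy.get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)

def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Per user, return (window_start, buckets) for the first window with >= threshold public buckets."""
    per_user = defaultdict(list)
    for ev in events:
        if is_public_grant(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_user[ev["userIdentity"]["userName"]].append((ts, ev["requestParameters"]["bucketName"]))
    alerts = {}
    for user, acts in per_user.items():
        acts.sort()
        start = 0
        for end in range(len(acts)):
            while acts[end][0] - acts[start][0] > window:  # slide: drop events older than the window
                start += 1
            buckets = {b for _, b in acts[start:end + 1]}
            if len(buckets) >= threshold:
                alerts[user] = (acts[start][0], sorted(buckets))
                break
    return alerts

def _event(ts, user, bucket, uri=None):
    # Constructed minimal CloudTrail-style record; uri=None stands for an owner-only (private) ACL.
    grantee = {"URI": uri} if uri else {"ID": "constructed-owner-canonical-id"}
    return {"eventTime": ts, "eventName": "PutBucketAcl", "userIdentity": {"userName": user},
            "requestParameters": {"bucketName": bucket, "AccessControlPolicy": {
                "AccessControlList": {"Grant": [{"Grantee": grantee, "Permission": "READ"}]}}}}

# Constructed sample activity (not real data): alice exposes five buckets within 50 seconds.
SAMPLE_EVENTS = [
    _event("2021-03-01T10:00:05Z", "alice", "bkt-1", ALL_USERS),
    _event("2021-03-01T10:00:15Z", "alice", "bkt-2", ALL_USERS),
    _event("2021-03-01T10:00:20Z", "alice", "bkt-3", AUTH_USERS),
    _event("2021-03-01T10:00:40Z", "alice", "bkt-4", ALL_USERS),
    _event("2021-03-01T10:00:55Z", "alice", "bkt-5", ALL_USERS),
    _event("2021-03-01T10:03:00Z", "bob", "logs-a"),             # owner-only, not public
    _event("2021-03-01T10:03:10Z", "bob", "logs-b", ALL_USERS),  # a single public bucket, below threshold
]
```

Running `find_bursts(SAMPLE_EVENTS)` flags only alice; bob's single public bucket and private ACL change stay below the threshold, which is the baseline-versus-burst distinction the MCAS policy relies on.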
Microsoft Cloud App Security can also help you verify and ensure that your AWS environment configuration complies with Amazon’s best practice recommendations. Our official documentation, here, describes how to get started. Once you have navigated to the page, you can start reviewing the recommendations.
Note: these recommendations showing up in your environment do not necessarily mean that a security incident has happened, but rather that the environment is not following security best practices.
The filters in this page can be used to prioritize high severity recommendations, or specific AWS accounts in your environment. As an example, let’s review the first item from the list above.
One of the critical recommendations is to avoid the use of the “root” account in AWS. By clicking on the recommendation, Microsoft Cloud App Security automatically redirects you to the AWS portal, where you can take action.
Note: the security recommendations page shows security configuration best practices not only for AWS, but also for Azure and Google Cloud Platform, should you use these. This makes Microsoft Cloud App Security your "one stop shop" for reviewing your Cloud Security Posture Management (CSPM).
Now that you know all you need to get started with protecting AWS using Microsoft Cloud App Security, please share with us your thoughts and your use cases. We would love to hear your feedback on our AWS integration.
Blog by @Gershon Levitz , Idan Basre and @Yoann_David_Mallet