Your AWS CloudWatch Policies Could Compromise Security
CloudWatch provides all the latest metrics to monitor your AWS environment. When accessing CloudWatch, permissions are required to reach the appropriate resources. Those permissions are granted through AWS Identity and Access Management (IAM). IAM contains policies that can be assigned to each user and role within the organization.
Setting the correct permissions is a key piece in ensuring your instances are secure and follow AWS best practices. AWS recommends using the security practice of least privilege. This means only giving users/roles the permissions needed to perform their job. It is not recommended to use root credentials to grant access to services and applications.
What is an IAM policy?
An IAM policy allows an administrator to attach permissions to an individual or group within AWS. A policy document lets you define permissions for allowing or denying access, performing an action, listing resources and setting conditions for AWS resources. Resources include S3, EC2, RDS and others.
Policies can be restricted to an IP address or a date range by setting conditions. If you are using the SDK, monitoring with CloudWatch requires access keys for the user, consisting of an Access key ID and a Secret access key.
Users in this example would be set up with access to CloudWatch. An example would be creating a "read-only" user whose credentials are used by your monitoring platform.
Below is an example of policies that can be used for a monitoring user:
- CloudWatchFullAccess includes all the CloudWatch services listed below (note: Despite the use of "FullAccess" in the policy name, it is only full access to read monitoring metrics, not full access to any monitored systems themselves.)
Fig 1: Samples of the CloudWatch policies within AWS.
This can also be done using CloudFormation.
Above: Sample Permission Policy I created in AWS to monitor CloudWatch from Opsview.
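As an added example, not part of the original post or Opsview's own tooling, the following Python audit applies the least-privilege rules discussed above to a monitoring user's policy document: it flags wildcard actions, any action beyond Get/List/Describe, and Allow statements without a Condition such as aws:SourceIp. Both policy documents are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed policy: read-only CloudWatch access for a monitoring user,
# restricted by Condition to the monitoring server's address (example IP).
MONITORING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
               "cloudwatch:ListMetrics", "cloudwatch:DescribeAlarms",
               "ec2:DescribeInstances"],
    "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}
  }]
}
""")

# Constructed policy that violates least privilege: a service wildcard,
# a destructive action and no Condition restricting where keys are used.
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudwatch:*", "ec2:TerminateInstances"],
    "Resource": "*"
  }]
}
""")

READ_ONLY_PREFIXES = ("Get", "List", "Describe")  # verbs a monitor needs

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def audit_policy(policy: Dict) -> List[str]:
    """Return least-privilege findings for a monitoring user's policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.partition(":")[2].startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: non-read action {action!r}")
        if "Condition" not in stmt:
            findings.append(f"statement {i}: no Condition (e.g. aws:SourceIp)")
    return findings
```

Read-only wildcards such as `cloudwatch:Get*` pass the check, while `cloudwatch:*` does not.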
Security groups are another way to control traffic to and from your monitored instances. Keep in mind that security groups can only allow traffic; they can't be used to explicitly deny it. For example, you could allow ICMP traffic from your instance. This is a great way to make sure the appropriate traffic is coming from the right resource.
Alternatively, using NACLs (Network Access Control Lists), you can allow and deny access to and from the entirety of the VPC (Virtual Private Cloud), which defines the network subnets where your instances run. For example, you would probably only allow ICMP replies from a VPC you are monitoring, or allow port 80 to your web server from your monitoring server's VPC. By default, each NACL you create denies all inbound and outbound traffic, so you open only the ports necessary to perform secure monitoring.
Using the outline above will help you establish some of the baselines needed to properly monitor AWS, along with the access needed to operate securely. It's critical to ensure that everything in your IT real estate is monitored, including your public cloud instances. Security, though, must be maintained. Hopefully these suggestions help you remain secure while maintaining visibility and following notification best practices.