Security Software Engineer at Pinterest·

We would like to detect unusual config changes that can potentially cause production outage.

Such as, SecurityGroup new allow/deny rule, AuthZ policy change, Secret key/certificate rotation, IP subnet add/drop. The problem is the source of all of these activities is different, i.e., AWS IAM, Amazon EC2, internal prod services, envoy sidecar, etc.

Which of the technology would be best suitable to detect only IMP events (not all activity) from various sources all workload running on AWS and also Splunk Cloud?

READ LESS
8 upvotes·149.7K views
Replies (5)
Cloud Architect at AWS·
Recommends
on
AWS Config

For continuous monitoring and detecting unusual configuration changes, I would suggest you look into AWS Config.

AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. Here is a list of supported AWS resources types and resource relationships with AWS Config https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

Also as of Nov, 2019 - AWS Config launches support for third-party resources. You can now publish the configuration of third-party resources, such as GitHub repositories, Microsoft Active Directory resources, or any on-premises server into AWS Config using the new API. Here is more detail: https://docs.aws.amazon.com/config/latest/developerguide/customresources.html

If you have multiple AWS Account in your organization and want to detect changes there: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

Lastly, if you already use Splunk Cloud in your enterprise and are looking for a consolidated view then, AWS Config is supported by Splunk Cloud as per their documentation too. https://aws.amazon.com/marketplace/pp/Splunk-Inc-Splunk-Cloud/B06XK299KV https://aws.amazon.com/marketplace/pp/Splunk-Inc-Splunk-Cloud/B06XK299KV

READ MORE
11 upvotes·2 comments·69.3K views
Ethan Grubber
Ethan Grubber
·
April 16th 2021 at 1:16PM

The key difference between Enterprise and Cloud is you have no control over the underlying infrastructure with Cloud. You can install and manage apps using the familiar GUI, but any changes to the platform (permissions changes, program installation, etc.) are done by Splunk support via a ticket. https://www.treeservicedenvercolorado.com/greeley-colorado.html

·
Reply
Loki Robles
Loki Robles
·
August 26th 2021 at 2:54AM

Image result for AWS Config. If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. <a href="https://www.rooferslakewood.com/">Lakewood Roofing Company</a>

·
Reply
Casual Software Engineer at Skedulo·
Recommends
on
Terraform

While it won't detect events as they happen a good stop gap would be to define your infrastructure config using terraform. You can then periodically run the terraform config against your environment and alert if there are any changes.

READ MORE
6 upvotes·1 comment·71.1K views
Thiago Arrais
Thiago Arrais
·
July 20th 2020 at 11:43AM

I would like to hear about using Terraform in combination with Open Policy Agent and/or Hashicorp's Sentinel for that purpose. Does anyone have any experience with that?

·
Reply
View all (5)
Avatar of Nati Abebe

Nati Abebe

Cloud Architect at AWS