Security Software Engineer at Pinterest·

We would like to detect unusual config changes that can potentially cause production outage.

Such as, SecurityGroup new allow/deny rule, AuthZ policy change, Secret key/certificate rotation, IP subnet add/drop. The problem is the source of all of these activities is different, i.e., AWS IAM, Amazon EC2, internal prod services, envoy sidecar, etc.

Which of the technology would be best suitable to detect only IMP events (not all activity) from various sources all workload running on AWS and also Splunk Cloud?

READ LESS
8 upvotes·148.7K views
Replies (5)
DevOps/TechOps Consultant at Qantas Loyalty·
Recommends
on
AWS CloudTrail

Well there are clear advantages of using either tools, it all boils down to what exactly are you trying to achieve with this i.e do you want to proactive monitoring or do you want debug an incident/issue. Splunk definitely is superior in terms of proactively monitoring your logs for unusal events, but getting the cloudtrail logs across to splunk would require some not so straight forward setup (Splunk has a blueprint for this setup which uses AWS kinesis/Firehose). Cloudtrail on the other had is available out of the box from AWS, the setup is quite simple and straight forward. But analysing the log could require you setup Glue crawlers and you might have to use AWS Athena to run SQL Like query.

Refer: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

In my personal experience the cost/effort involved in setting up splunk is not worth it for smaller workloads, whereas the AWS Cloudtrail/Glue/Athena would be less expensive setup(comparatively).

Alternatively you could look at something like sumologic, which has better integration with cloudtrail as opposed to splunk. Hope that helps.

READ MORE
3 upvotes·1 comment·61.8K views
Max Kaplan
Max Kaplan
·
July 16th 2020 at 1:03PM

avoid all the hastle of cloudtrail/glue/athena and just use a managed provider like chaossearch that does all of that with no maintenance and at half the cost.

·
Reply
Cloud Architect at AWS·
Recommends
on
AWS Config

For continuous monitoring and detecting unusual configuration changes, I would suggest you look into AWS Config.

AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. Here is a list of supported AWS resources types and resource relationships with AWS Config https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

Also as of Nov, 2019 - AWS Config launches support for third-party resources. You can now publish the configuration of third-party resources, such as GitHub repositories, Microsoft Active Directory resources, or any on-premises server into AWS Config using the new API. Here is more detail: https://docs.aws.amazon.com/config/latest/developerguide/customresources.html

If you have multiple AWS Account in your organization and want to detect changes there: https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

Lastly, if you already use Splunk Cloud in your enterprise and are looking for a consolidated view then, AWS Config is supported by Splunk Cloud as per their documentation too. https://aws.amazon.com/marketplace/pp/Splunk-Inc-Splunk-Cloud/B06XK299KV https://aws.amazon.com/marketplace/pp/Splunk-Inc-Splunk-Cloud/B06XK299KV

READ MORE
11 upvotes·2 comments·69K views
Ethan Grubber
Ethan Grubber
·
April 16th 2021 at 1:16PM

The key difference between Enterprise and Cloud is you have no control over the underlying infrastructure with Cloud. You can install and manage apps using the familiar GUI, but any changes to the platform (permissions changes, program installation, etc.) are done by Splunk support via a ticket. https://www.treeservicedenvercolorado.com/greeley-colorado.html

·
Reply
Loki Robles
Loki Robles
·
August 26th 2021 at 2:54AM

Image result for AWS Config. If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations for desired settings. <a href="https://www.rooferslakewood.com/">Lakewood Roofing Company</a>

·
Reply
View all (5)
Avatar of Vijayanand Narayanasharma

Vijayanand Narayanasharma

DevOps/TechOps Consultant at Qantas Loyalty