Business Challenge 

A premier product-content provider that helps distributors and manufacturers deliver next-generation content and e-commerce solutions to its customers was experiencing rapid growth and was concerned that fast expansion of its AWS environment could introduce security vulnerabilities if best practices were not implemented.  To remedy this, the customer wished to operate its workloads in alignment with AWS best practices and the Security Perspective of the AWS Cloud Adoption Framework (CAF).  This would bolster workload-environment security, improve scalability and support future business growth.

Solution 

As an AWS Advanced Consulting Partner and Well-Architected Partner, Lightstream used the AWS Well-Architected Tool to begin the assessment of this customer’s environment.  The review laid the groundwork to determine how the workloads in the customer’s environment were aligned with the six pillars of the CAF and to uncover areas where remediation was necessary to adhere to the AWS Cloud Adoption Framework (CAF) Security Perspective.  This spotlighted security needs that could be addressed by native AWS security tools and surfaced any additional needs.

The implemented solution for this customer focused on four sets of controls.  The first set is the directive controls, which establish the governance, risk and compliance models the environment operates within.  The second set is the preventive controls, which protect workloads and mitigate threats and vulnerabilities.  The third set is the detective controls, which provide full visibility and transparency over operations in the customer’s AWS deployments.  The final set is the responsive controls, which drive remediation of deviations from the security baselines.

Lightstream worked with this customer to determine appropriate staff to receive various levels of vendor training during the engagement. During the implementation, processes and procedures were evaluated and updated. At the end of the engagement, Lightstream held a workshop to review the integration and updated processes and procedures with the customer. 

Solution Details 

Directive Controls

The Directive component of the AWS CAF Security Perspective provides policy guidance and planning for an organization’s security approach as it migrates to AWS.  Part of this component is applying an industry-standard control framework and incorporating AWS native security controls at the expected levels.  For this customer, it simplified overall workload-environment management, shrank the blast radius, controlled service limits and improved the security of individual accounts by isolating them from each other.
 
Examples: 

  • Lightstream moved and separated this customer’s workloads under one AWS Organization with seven distinct organizational units and member accounts for billing, production, development, logging, and data.

  • Customer’s Original State
    • Single AWS account
    • Single shared environment
    • Billing complexity
    • High risk blast radius
    • Service limits risk
  • Customer’s Delivered State
    • Organization units
    • Multiple AWS accounts
    • Multiple application environments
    • Detailed billing by account
    • Limited blast radius
    • Controlled service limits

Preventive Controls

The Preventive component of the AWS CAF Security Perspective provides guidance for implementing security infrastructure with AWS and within an organization.  This component covers identity and access management, the sources of authentication and authorization, with the aim of reducing human access to production systems and data.  AWS Single Sign-On (SSO) improves security by connecting all AWS accounts to a single source of truth (SSOT) where users are centrally administered and managed, giving administrators clean, centrally governed access to every AWS account.  AWS SSO lets this customer’s administrators manage user privileges easily while improving productivity through faster access to the AWS resources staff need.

Examples: 

  • Lightstream configured AWS Single Sign-On (SSO) for centralized access federation to all AWS accounts through the AWS access portal, the AWS Command Line Interface (CLI) and the AWS SDKs. The team also configured and assigned permission sets based on the defined Cloud Ops roles and responsibilities.
  • Customer’s Original State
    • IAM users only
    • No easy way to support multiple accounts
  • Customer’s Delivered State
    • Central single source of truth user database
    • Single entry point portal URL
    • Federation to all AWS accounts
    • Granular permission sets
    • Central MFA
    • Active Directory ready

Detective Controls

The Detective component of the AWS CAF Security Perspective provides guidance for gaining visibility into an organization’s security posture.  This component includes logging and monitoring, which give near-real-time visibility into events in the AWS environment.  For this customer it improved visibility into and monitoring of its cloud logs by aggregating them in a central location for third-party analysis.

Examples: 

  • Lightstream deployed and configured one Amazon S3 bucket (object storage) in this customer’s logging account for centralized logging. The team then configured a least-privilege bucket policy that allows only the five AWS accounts to write logs.  Next, a CloudTrail organization trail was enabled and configured to deliver each account’s trail logs to the newly created S3 logging bucket.  Once completed, the CloudTrail logs were verified for correct delivery paths and log file integrity.
  • Customer’s Original State
    • No platform logging enabled
    • No API log visibility
    • No VPC log visibility (accept/deny)
    • No Config compliance visibility
  • Customer’s Delivered State
    • CloudTrail logs enablement
    • VPC Flow Logs enablement
    • Config logs enablement
    • Central secure log aggregation and storage account
    • Limited log access
    • Log authenticity
    • Log file encryption
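As an added illustration of the least-privilege logging bucket described above (example code written for this page, not Lightstream’s or the customer’s own configuration), the block below builds the bucket policy for a CloudTrail organization trail and checks that delivered object keys follow the expected per-account path layout. The bucket name, organization ID, account IDs and trail ARN are constructed placeholders.

```python
import re

# Constructed placeholder identifiers; the case study does not publish its own.
LOG_BUCKET = "example-org-cloudtrail-logs"
ORG_ID = "o-exampleorgid"
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = ["222222222222", "333333333333", "444444444444", "555555555555"]
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MANAGEMENT_ACCOUNT}:trail/org-trail"

def build_org_trail_bucket_policy(bucket, org_id, management_account, member_accounts, trail_arn):
    """Least-privilege policy: the CloudTrail service may only check the bucket ACL and
    write under each enrolled account's own prefix, and only for this one trail.
    Reads, deletes and any other writer fall to the implicit deny."""
    arn = f"arn:aws:s3:::{bucket}"
    # Organization trails deliver member logs under AWSLogs/<org-id>/<account-id>/ and
    # the management account's own logs under AWSLogs/<management-account-id>/.
    prefixes = [f"AWSLogs/{management_account}/*"] + [
        f"AWSLogs/{org_id}/{acct}/*" for acct in member_accounts]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": arn,
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": [f"{arn}/{p}" for p in prefixes],
         # bucket-owner-full-control keeps the logging account the owner of every object
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": trail_arn}}},
        # Refuse plaintext (non-TLS) access to the log bucket from anyone.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}

# Delivered keys: AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/YYYY/MM/DD/
#                 <account-id>_CloudTrail_<region>_<YYYYMMDDTHHMMZ>_<unique-id>.json.gz
LOG_KEY_RE = re.compile(
    r"^AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<acct>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"\d{4}/\d{2}/\d{2}/(?P=acct)_CloudTrail_(?P=region)_\d{8}T\d{4}Z_[A-Za-z0-9]+\.json\.gz$")

def is_expected_log_key(key, org_id, member_accounts):
    """Post-enablement path check: the key must follow the organization-trail layout
    and belong to an enrolled member account."""
    m = LOG_KEY_RE.match(key)
    return bool(m) and m["org"] == org_id and m["acct"] in member_accounts
```

Log file integrity beyond the path check is done with CloudTrail’s digest-file validation, which the page mentions but this example does not reimplement.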

Responsive Controls

The Responsive component of the AWS CAF Security Perspective provides guidance for the response portion of an organization’s security posture: preparing for, and simulating, events that require a response so the organization is ready to respond to incidents as they occur.  Automation plays a large role in this component.  The objective is to shift the security team’s focus from response to performing forensics and root cause analysis.

AWS Config is a service that enables organizations to assess, audit, and evaluate the configurations of the AWS resources.  Config continuously monitors and records AWS resource configurations against desired configurations.  With Config, organizations can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories and determine overall compliance against the configurations specified by internal guidelines.  This simplifies compliance auditing, security analysis, change management, and operational troubleshooting.

AWS CloudWatch provides data and actionable insights to monitor applications, respond to system-wide performance changes, optimize resource utilization and get a unified view of operational health.  This service will allow this customer to detect anomalous behavior in its environment, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep its workload running smoothly. 

Examples: 

  • Lightstream configured and enabled AWS Config, Config rules and an aggregator to support a single-pane-of-glass dashboard for all accounts. The enabled Config rules are backed by Lambda functions that push SNS notifications to specific mail distribution lists (DLs) and perform self-healing remediation when compliance issues arise.  They include:
    • CloudWatch dashboards
    • Monitoring storage encryption (Amazon Elastic Block Store, Amazon S3 and Amazon Relational Database Service) – alerting with notification
    • AWS Identity and Access Management (IAM) password policy – alerting and notification
    • Root account multi-factor authentication (MFA) – alerting with notification
    • Amazon S3 public read and write – removing public access
    • Insecure security group rules – any security group rule open to 0.0.0.0/0 is removed
  • Lightstream configured Systems Manager to automatically deploy custom CloudWatch agents across the EC2 instance fleet. This enabled the applications team to collect metrics and logs and gain system-level visibility through dashboards and alarms.
  • Customer’s Previous State
    • No EC2 detailed systems metrics
    • No custom application log metrics
    • No EC2 event alarms
    • No EC2 metrics dashboards
  • Customer’s Delivered State
    • Established EC2 baseline metrics
    • Enabled detailed monitoring
    • Deployed and configured CloudWatch agents
    • Set up events and alarms with notifications
      • CPU – CPUUtilization, StatusCheckFailed_System and StatusCheckFailed_Instance
      • Network – NetworkingIn/NetworkOut and NetworkPacketsIn/NetworkPacketsOut
      • Disk – DiskReadOps/DiskWriteOps and DiskReadBytes/DiskWriteBytes
      • Memory – utilization
      • Custom – RDX application
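As an added example of the self-healing Config rule for insecure security group rules described above (example code written for this page, not the Lambda functions Lightstream deployed), the block below contains the evaluation logic a custom AWS Config rule would run: it finds ingress entries open to 0.0.0.0/0 or ::/0 and shapes them as the IpPermissions argument that ec2.revoke_security_group_ingress takes, so the handler revokes exactly those ranges. It goes slightly beyond the page by accepting an optional port exception list (assumed, e.g. 443 on a public load-balancer group); the boto3 calls are deliberately left out so it runs offline, and the event is a constructed sample.

```python
import json

OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"

def find_open_ingress(ip_permissions, allowed_ports=frozenset()):
    """Return the ingress entries that admit the whole Internet, shaped as the
    IpPermissions argument of ec2.revoke_security_group_ingress so the Lambda can
    remove exactly those ranges and nothing else.  allowed_ports is an assumed
    exception list; the case study removed every such rule, so the default is none."""
    offending = []
    for perm in ip_permissions:
        v4 = any(r.get("cidrIp") == OPEN_V4 for r in perm.get("ipRanges", []))
        v6 = any(r.get("cidrIpv6") == OPEN_V6 for r in perm.get("ipv6Ranges", []))
        if not (v4 or v6):
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        # ipProtocol "-1" means all traffic, so no single-port exception can cover it.
        if proto != "-1" and lo == hi and lo in allowed_ports:
            continue
        entry = {"IpProtocol": proto}
        if lo is not None:
            entry["FromPort"], entry["ToPort"] = lo, hi
        if v4:
            entry["IpRanges"] = [{"CidrIp": OPEN_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": OPEN_V6}]
        offending.append(entry)
    return offending

def evaluate_config_event(event, allowed_ports=frozenset()):
    """Custom Config rules receive the configuration item JSON-encoded in
    event["invokingEvent"].  Returns (compliance_type, rules_to_revoke, group_id); the
    deployed handler would hand these to config.put_evaluations, sns.publish and
    ec2.revoke_security_group_ingress (not called here so the block runs offline)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", [], item.get("resourceId")
    open_rules = find_open_ingress(item["configuration"].get("ipPermissions", []), allowed_ports)
    return ("NON_COMPLIANT" if open_rules else "COMPLIANT"), open_rules, item["resourceId"]

# Constructed sample invocation (not a recorded event): SSH open to the world,
# HTTPS restricted to the private range.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0exampleid",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}}})}
```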

Business Outcomes

Assessing this customer’s workloads through the AWS Well-Architected Framework Review provided them with the best security practices to grow and expand their AWS services in a secure, stable, and efficient manner.  Automation will keep their security team focused on root cause analysis and forensics versus response and administrators will have better visibility and control.

By aligning this customer with the AWS CAF Security Perspective, the company gained dramatically better security and scalable workloads that will support future business growth.

Security Tools Used

  • AWS Single Sign-On (SSO)
    • Ensure better security by connecting all AWS accounts to a single source of user administration
  • AWS Multi-Account Strategy / Centralized logging
    • Send all logs to one central account for simplicity, security, and compliance
  • AWS CloudTrail – Organizations
    • Centralized account for trail logs
  • AWS Config
    • Enable a single-pane-of-glass dashboard for all accounts to track changes in resources
  • AWS CloudWatch
    • Agent deployed through Systems Manager to collect multiple system metrics
  • Lambda
    • Push SNS notifications to specific mail distribution list and self-healing remediation
  • AWS Systems Manager
    • Auto deploy custom CloudWatch agents across EC2 instances

Architectural Diagram

Public Facing Architectural Doc