monitoring and alerting
Post on 21-Apr-2017
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
AWS Logging, Analysis and Alerting
Brian Wagner
Solutions Architect AWS Germany
What are we looking for?
Billing
API activity
Changes to resources
Application activity
Network activity
Detailed Billing
Billing Information logged Daily in S3
Also Visible in the Billing Console
Alarms can be set on Billing Info to Alert on Unexpected Activity
Sample Records
ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost
$0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
AWS CloudTrail
CloudTrail can help you achieve many tasks
Security analysis
Track changes to AWS resources, for example VPC security groups and NACLs
Compliance – log and understand AWS API call history
Prove that you did not:
‣ Use the wrong region
‣ Use services you don’t want
Troubleshoot operational issues – quickly identify the most recent changes to your environment
AWS CloudTrail logs can be delivered cross-account
Accounts can send their trails to a central account
Central account can then do analytics
Central account can:
‣ Redistribute the trails
‣ Grant access to the trails
‣ Filter and reformat Trails (to meet privacy requirements)
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Diagram: continuous change recording: changing resources feed AWS Config, which produces a configuration history, a change stream and point-in-time snapshots (ex. 2014-11-05)
Am I safe? Properly configured resources are critical to security
AWS Config enables you to continuously monitor the configurations of your resources at AWS API level, and evaluate these configurations for potential security weaknesses
Where is the evidence? Many compliance audits require access to the state of your systems at arbitrary times (i.e. PCI, HIPAA)
A complete inventory of all resources and their configuration attributes at AWS API level is available for any point in time
Resource
A resource is an AWS object you can create, update or delete on AWS
Examples include Amazon EC2 instances, Security Groups, Network ACLs, VPCs and subnets
Diagram: example resources: Amazon EC2 (Instance, ENI...), Amazon EBS (Volumes), AWS CloudTrail (Log), Amazon VPC (VPC, Subnet...)
Resources
Resource Type | Resource
Amazon EC2 | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
Amazon EBS | EBS Volume
Amazon VPC | VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
AWS CloudTrail | Trail
Relationships
• Bi-directional map of dependencies automatically assigned
• Change to a resource propagates to create Configuration Items for related resources
Example: Security Group sg-10dk8ej and EC2 instance i-123a3d9 are “associated with” each other
Relationships
Resource | Relationship | Related Resource
Customer Gateway | is attached to | VPN Connection
Elastic IP (EIP) | is attached to | Network Interface
Elastic IP (EIP) | is attached to | Instance
Instance | contains | Network Interface
Instance | is attached to | Elastic IP (EIP)
Instance | is contained in | Route Table
Instance | is associated with | Security Group
Instance | is contained in | Subnet
Instance | is attached to | Volume
Instance | is contained in | Virtual Private Cloud (VPC)
Internet Gateway | is attached to | Virtual Private Cloud (VPC)
… | … | …
Configuration Item
All AWS API configuration attributes for a given resource at a given point in time, captured on every configuration change.
Component | Description | Contains
Metadata | Information about this configuration item | Version ID, Configuration item ID, Time when the configuration item was captured, State ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, Resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for EBS Volume: State of DeleteOnTermination flag; Type of volume (for example gp2, io1, or standard)
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID
Introducing Config Rules
Essentially, “Lambda Integration for Config”
Apply detailed checks to the state of your configuration, at the point when it changes
Raise alerts if anything is outside compliance with your defined policy
‣ Eg if there’s unencrypted non-root EBS volumes
‣ …or eg if any taggable resources aren’t tagged appropriately
We have a library of pre-built rules – or build your own
See also Re:Invent (SEC308) “Wrangling Security Events in the Cloud” (https://www.youtube.com/watch?v=uc1Q0XCcCv4)
Feature is available right now
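The two checks named above (unencrypted non-root EBS volumes, untagged taggable resources), worked as an added example that is not from the deck: the evaluation logic a Config Rule Lambda would apply to an AWS::EC2::Volume configuration item. The root-device names, the required tag keys and the sample item are assumptions; the handler shape follows how Config passes the item in `invokingEvent`.

```python
# Added example (not from the slide deck): the compliance logic a Config Rule
# Lambda applies to one configuration item. The item layout follows the
# AWS::EC2::Volume configuration item shape; the root-device heuristic and the
# required-tag list are assumptions standing in for your own policy.
import json

ROOT_DEVICES = {"/dev/sda1", "/dev/xvda"}   # assumption: typical root device names
REQUIRED_TAGS = {"Owner", "Environment"}     # assumption: your tagging policy


def is_root_volume(config):
    """A volume is treated as root if any attachment uses a root device name."""
    return any(a.get("device") in ROOT_DEVICES for a in config.get("attachments", []))


def evaluate_volume(item):
    """Return the Config verdict for one AWS::EC2::Volume configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    config = item.get("configuration", {})
    # The finding is an unencrypted volume that is not the instance's root disk.
    if not config.get("encrypted", False) and not is_root_volume(config):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_tags(item):
    """Flag any taggable resource missing one of the required tag keys."""
    present = set(item.get("tags", {}).keys())
    return "COMPLIANT" if REQUIRED_TAGS <= present else "NON_COMPLIANT"


# Constructed sample: an unencrypted gp2 data volume on /dev/sdf, missing the Environment tag.
SAMPLE_ITEM = json.loads("""{
  "resourceType": "AWS::EC2::Volume",
  "resourceId": "vol-0example",
  "tags": {"Owner": "platform-team"},
  "configuration": {
    "encrypted": false,
    "volumeType": "gp2",
    "attachments": [{"device": "/dev/sdf", "instanceId": "i-0example", "deleteOnTermination": false}]
  }
}""")


def lambda_handler(event, context=None):
    """Config Rule handler shape: the configuration item arrives as JSON in invokingEvent."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {"volume": evaluate_volume(item), "tags": evaluate_tags(item)}


if __name__ == "__main__":
    print(lambda_handler({"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM})}))
```

A real rule would report each verdict back with `put_evaluations`; the verdict logic is the part worth unit-testing, so it is kept separate from the handler.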
Full visibility of your AWS environment
CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
Who did what and when and from where (IP address)
CloudTrail support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and RedShift
Easily Aggregate all instance log information – CloudWatch Logs agent scrapes files from EC2 instances and sends them to S3
Also enables alerting with SNS on “strings of interest”, just like regular CloudWatch
CloudWatch Logs used as delivery mechanism for Flow Logging
Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
Monitoring: Get consistent visibility of logs
Managing, Monitoring & Processing Logs
CloudWatch Logs Features ‣ Near real-time, aggregate, monitor, store, and search
Amazon Elasticsearch Service Integration ‣ Analytics and Kibana interface
AWS Lambda & Amazon Kinesis Integration ‣ Custom processing with your code
Export to S3 ‣ SDK & CLI batch export of logs
Firewall Requirements
Based on NIST SP-800, PCI-DSS and others
‣ Anti-Spoofing
‣ Packet-Filtering (minimum) stateful/stateless
‣ Segregation of Duties at the management side
‣ Logging/Audit capabilities on the management side
‣ Event-Logging on processed traffic
VPC Flow Logs in Context
Diagram: Security Group, IAM, AWS Config, CloudTrail and VPC Flow Logs feed CloudWatch Logs; flow records land in a LogGroup with one ENI-LogStream per network interface
route restrictively
lock down on network level
isolate concerns
lock down on instance level
Flows
Flow Log Record Structure
Field | Sample value
Event-Version | 2
Account Number | 123456789
ENI-ID | eni-31607853
Source-IP | 172.16.0.10
Destination-IP | 172.16.0.172
Source-Port | 80
Destination-Port | 41707
Protocol Number | 6
Number of Packets | 1
Number of Bytes | 40
Start-Time Window | 1440402534
End-Time Window | 1440402589
Action | ACCEPT
State | OK
Sample record: 2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
Flow Log Sampling
Flow Logs are statistical reports of activity over a window of time
Each record aggregates one flow over a Start-Time Window / End-Time Window, reporting Number of Packets, Number of Bytes and Action for that window
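The record layout and the windowed sampling above, worked as an added example that is not from the deck: a parser for the 14-field record plus two aggregates over constructed sample lines, one of which alerts when a single source address keeps getting rejected across the captured windows. The sample lines, the alert threshold and the function names are assumptions; the `-` handling covers NODATA/SKIPDATA records, where no traffic was captured in the window and the numeric fields are empty.

```python
# Added example (not from the slide deck): parse VPC Flow Log records in the
# 14-field layout shown above and aggregate them the way a CloudWatch Logs
# metric filter or a Lambda subscriber would. Sample lines are constructed.
from collections import Counter, defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_record(line):
    """Split one record into a dict. NODATA/SKIPDATA records carry '-' in place of
    the numeric fields, so those become None instead of failing in int()."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def reject_alerts(lines, threshold=3):
    """Return {srcaddr: reject count} for sources rejected at least `threshold` times.
    Only OK records count: a NODATA window says nothing about the flow."""
    rejects = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
    return {src: n for src, n in rejects.items() if n >= threshold}


def bytes_per_interface(lines):
    """Sum accepted bytes per ENI: the kind of value you would publish as a metric."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "ACCEPT":
            totals[rec["interface_id"]] += rec["bytes"]
    return dict(totals)


# Constructed sample: the record from the slide, a burst of rejected probes from
# one address (threshold assumption: 3), and an empty NODATA window.
SAMPLE_LINES = [
    "2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51234 22 6 1 44 1440402534 1440402589 REJECT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51235 23 6 1 44 1440402534 1440402589 REJECT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51236 3389 6 1 44 1440402534 1440402589 REJECT OK",
    "2 123456789 eni-31607853 - - - - - - - 1440402534 1440402589 - NODATA",
]

if __name__ == "__main__":
    print(reject_alerts(SAMPLE_LINES))        # {'198.51.100.7': 3}
    print(bytes_per_interface(SAMPLE_LINES))  # {'eni-31607853': 40}
```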
Logs→metrics→alerts→actions
Diagram: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services and custom metrics flow into CloudWatch / CloudWatch Logs; CloudWatch alarms trigger Amazon SNS, which delivers email notification, HTTP/S notification, SMS notifications and mobile push notifications