The Top 10 Most Commonly Used Guardrails for Automating Routine Monitoring Tasks
These are our top 10 most requested or frequently run ops that help our customers automate the routine tasks required to manage and secure their AWS instances.
There are many advantages to writing Guardrails to enforce best practices for cloud security and operations. These guardrails are typically scripts or code snippets to automate the remediation when a policy violation is identified. These homegrown scripts tend to be reasonably easy to build, but present serious manageability challenges which all too often end up causing more pain than improvement. Considering the increasing rate at which AWS makes updates or changes in their services, combined with the rate at which your company is scaling into the cloud, it’s critical to manage these guardrails with a scalable platform.
This is why the DisruptOps Cloud Management Platform is ideal for helping organizations and departments automate routine tasks and manage the longevity of these guardrails (which we call Ops), so you can focus on your task at hand — not on juggling scripts, updates, OR other monitoring or management requirements of operating/developing within the cloud.
Here is our list of the top 10 most frequently used Ops for automating routine monitoring tasks associated with AWS accounts:
- Assess and Enforce Monitoring and Alerting – Determine if recommended settings for CloudTrail, Config, CloudWatch, and alerting are enabled.
- Provision CloudTrail with best practices – Enable CloudTrail with recommended best practices.
- Implement centralized CloudTrail and Config monitoring – Enable CloudWatch, CloudTrail, and Config if not enabled and/or add sending logs to a designated central repository (with or without option to still keep local copies).
- Provision Config with best practices – Enable Config with best practices.
- Implement recommended account local security alerts – Create a mix of recommended CloudWatch and Config alerts within an account.
- Implement centralized alerting – Link an account into a centralized alerting infrastructure using CloudWatch Logs synchronization to a Kinesis stream. Create everything needed that isn’t there.
- Set AWS log rotation and archiving – Set lifecycle policies to migrate logs to Glacier after a designated time period.
- Create console login without MFA security alert – Create an alert that triggers when someone logs into the AWS console without MFA.
- Create Security Group change alert – Create an alert for any changes to the designated security groups in designated accounts or VPCs.
- Create alert for… public S3 buckets, security groups allowing open Internet access, if monitoring is disabled, root account access, changes to KMS encryption policy.
Always keep in mind the infamous words uttered by our very own Rich Mogull, “cloud security starts with architecture and ends with automation.” Some of these Ops can seem more basic than others, but remember, each automated task (simple or complex) is one less task requiring manual effort from scarce resources, and when scalability is brought into the discussion, one small task can quickly become a repeatable nuisance.
To learn about available AWS monitoring tools and automated ops, visit our guardrails library and see how we can help you monitor AWS security and optimize performance.