
Monitoring and Alerting


  • © 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

    AWS Logging, Analysis and Alerting
    Brian Wagner, Solutions Architect, AWS Germany

  • My Application

    Why monitor?

  • What are we looking for?

    - Billing
    - API activity
    - Changes to resources
    - Application activity
    - Network activity

  • Detailed Billing

    Billing information is logged daily to S3 and is also visible in the Billing Console. Alarms can be set on billing information to alert on unexpected activity.

  • Sample Records

    ItemDescription                                                              | UsageStartDate | UsageEndDate   | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost
    $0.000 per GB - regional data transfer under the monthly global free tier    | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675    | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    $0.05 per GB-month of provisioned storage - US West (Oregon)                 | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD          | 0.56          | 0.0     | 0.000000  | None    | 0.560000
    First 1,000,000 Amazon SNS API Requests per month are free                   | 01.04.14 00:00 | 30.04.14 23:59 | 10.0          | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    First 1,000,000 Amazon SQS Requests per month are free                       | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0        | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    $0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292    | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    $0.000 per GB - data transfer out under the monthly global free tier         | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019    | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    First 1,000,000 Amazon SNS API Requests per month are free                   | 01.04.14 00:00 | 30.04.14 23:59 | 88.0          | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
    $0.000 per GB - data transfer out under the monthly global free tier         | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7        | USD          | 0.00          | 0.0     | 0.000000  | None    | 0.000000
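As an added example (not code from the deck or from AWS), the following Python reads records in the detailed billing column layout shown above and flags line items whose TotalCost exceeds a budget threshold, which is the kind of check a billing alarm encodes. The CSV rows are constructed for this example: the first three follow the slide's values, the last is an invented high-cost item so the check has something to report; the threshold is a hypothetical value.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample in the detailed billing report's column layout
# (ItemDescription ... TotalCost). The last row is invented so that the
# threshold check below has a line item to flag.
SAMPLE_BILLING_CSV = """\
ItemDescription,UsageStartDate,UsageEndDate,UsageQuantity,CurrencyCode,CostBeforeTax,Credits,TaxAmount,TaxType,TotalCost
$0.000 per GB - regional data transfer under the monthly global free tier,01.04.14 00:00,30.04.14 23:59,0.00000675,USD,0.00,0.0,0.000000,None,0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon),01.04.14 00:00,30.04.14 23:59,11.26666554,USD,0.56,0.0,0.000000,None,0.560000
"First 1,000,000 Amazon SNS API Requests per month are free",01.04.14 00:00,30.04.14 23:59,10.0,USD,0.00,0.0,0.000000,None,0.000000
Constructed sample: on-demand compute usage - EU (Ireland),01.04.14 00:00,30.04.14 23:59,480.0,USD,312.00,0.0,0.000000,None,312.000000
"""

MONEY_COLUMNS = ("UsageQuantity", "CostBeforeTax", "Credits", "TaxAmount", "TotalCost")


def parse_billing(text):
    """Parse billing CSV rows into dicts; numeric columns become Decimal so
    that cents are not lost to float rounding."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in MONEY_COLUMNS:
            row[col] = Decimal(row[col])
        rows.append(row)
    return rows


def cost_by_item(rows):
    """Total cost per ItemDescription (the same item can appear several times)."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row["ItemDescription"]] += row["TotalCost"]
    return dict(totals)


def month_total(rows):
    return sum((r["TotalCost"] for r in rows), Decimal("0"))


def unexpected_items(rows, threshold):
    """Line items whose total exceeds `threshold` (a number or numeric string in
    the report's CurrencyCode), most expensive first. These are the candidates
    for an 'unexpected activity' alert."""
    limit = Decimal(str(threshold))
    over = [(desc, total) for desc, total in cost_by_item(rows).items() if total > limit]
    return sorted(over, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    rows = parse_billing(SAMPLE_BILLING_CSV)
    print("month total:", month_total(rows))
    for desc, total in unexpected_items(rows, "10.00"):
        print(f"ALERT {total} USD: {desc}")
```

The threshold is per line item rather than per month so that a single runaway service shows up even when the overall bill still looks normal.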

  • AWS CloudTrail

    CloudTrail can help you achieve many tasks:
    - Security analysis
    - Track changes to AWS resources, for example VPC security groups and NACLs
    - Compliance: log and understand AWS API call history
    - Prove that you did not use the wrong region or use services you don't want
    - Troubleshoot operational issues: quickly identify the most recent changes to your environment

  • AWS CloudTrail logs can be delivered cross-account

    Accounts can send their trails to a central account, which can then do analytics. The central account can:
    - Redistribute the trails
    - Grant access to the trails
    - Filter and reformat trails (to meet privacy requirements)
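The CloudTrail use cases above (tracking security group and NACL changes, proving you did not use the wrong region or unwanted services) come down to a few checks over the records in each delivered log file. The following Python is an added example, not code from the deck or from AWS: it reads a log file in CloudTrail's {"Records": [...]} layout and emits findings. The records are constructed (account, user names, IPs and event IDs are invented; the security group ID is the slide's own sample value), and the allowed regions and services are assumed policy values.

```python
import json

# Constructed CloudTrail log file in the {"Records": [...]} layout that
# CloudTrail delivers to S3. All identities, IPs and event IDs are invented.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventID": "evt-0001", "eventTime": "2015-08-24T08:15:12Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
    {"eventVersion": "1.03", "eventID": "evt-0002", "eventTime": "2015-08-24T08:16:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-10dk8ej", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.03", "eventID": "evt-0003", "eventTime": "2015-08-24T09:02:01Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventVersion": "1.03", "eventID": "evt-0004", "eventTime": "2015-08-24T09:10:30Z",
     "eventSource": "redshift.amazonaws.com", "eventName": "CreateCluster",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"clusterIdentifier": "analytics"}},
]})

# Policy values are assumptions for this example; adjust them to your account.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
ALLOWED_SERVICES = {"ec2.amazonaws.com", "iam.amazonaws.com", "s3.amazonaws.com",
                    "cloudtrail.amazonaws.com", "config.amazonaws.com"}
# API calls that change VPC security groups or network ACLs.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def world_open_ranges(request_params):
    """CIDRs in an ingress request that admit the whole internet."""
    found = []
    for perm in (request_params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                found.append(rng["cidrIp"])
        for rng in (perm.get("ipv6Ranges") or {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                found.append(rng["cidrIpv6"])
    return found


def triage(trail_json, allowed_regions=ALLOWED_REGIONS, allowed_services=ALLOWED_SERVICES):
    """Return (eventID, reason, context) findings for events worth a look.
    Context carries the 'who, what, where' CloudTrail records for each call."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity") or {}
        actor = ident.get("userName") or ident.get("type", "unknown")
        context = (f'{ev["eventName"]} by {actor} in {ev["awsRegion"]} '
                   f'from {ev.get("sourceIPAddress", "?")} at {ev.get("eventTime", "?")}')
        params = ev.get("requestParameters") or {}   # may be null for read-only calls
        if ev["awsRegion"] not in allowed_regions:
            findings.append((ev["eventID"], "unexpected region", context))
        if ev["eventSource"] not in allowed_services:
            findings.append((ev["eventID"], "unexpected service", context))
        if ev["eventName"] in NETWORK_CHANGE_EVENTS:
            findings.append((ev["eventID"], "network resource change", context))
            for cidr in world_open_ranges(params):
                findings.append((ev["eventID"], f"ingress open to {cidr}", context))
    return findings


if __name__ == "__main__":
    for event_id, reason, context in triage(SAMPLE_TRAIL):
        print(f"{event_id}: {reason} ({context})")
```

Read-only calls such as DescribeInstances produce no finding, which keeps the output proportional to actual change; in the central-account setup described on the slide the same function runs over every member account's trail.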

  • AWS Config

    AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

  • Continuous Change Recording

    [Diagram: changing resources → AWS Config → history, stream, and snapshot (ex. 2014-11-05)]

  • Am I safe? Properly configured resources are critical to security

    AWS Config enables you to continuously monitor the configurations of your resources at AWS API level, and evaluate these configurations for potential security weaknesses.

  • Where is the evidence? Many compliance audits require access to the state of your systems at arbitrary times (e.g. PCI, HIPAA)

    A complete inventory of all resources and their configuration attributes at AWS API level is available for any point in time.

  • Resource

    A resource is an AWS object you can create, update or delete on AWS. Examples include Amazon EC2 instances, Security Groups, Network ACLs, VPCs and subnets.

    [Diagram: Amazon EC2 (Instance, ENI, ...), Amazon EBS (Volumes), AWS CloudTrail (Log), Amazon VPC (VPC, Subnet, ...)]

  • Resources

    Resource Type  | Resource
    Amazon EC2     | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
    Amazon EBS     | EBS Volume
    Amazon VPC     | VPC, Network ACL, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
    AWS CloudTrail | Trail

  • Relationships

    Bi-directional map of dependencies, automatically assigned. A change to a resource propagates to create Configuration Items for related resources.

    Example: Security Group sg-10dk8ej and EC2 instance i-123a3d9 are associated with each other.

  • Relationships

    Resource          | Relationship       | Related Resource
    CustomerGateway   | is attached to     | VPN Connection
    Elastic IP (EIP)  | is attached to     | Network Interface
    Elastic IP (EIP)  | is attached to     | Instance
    Instance          | contains           | Network Interface
    Instance          | is attached to     | Elastic IP (EIP)
    Instance          | is contained in    | Route Table
    Instance          | is associated with | Security Group
    Instance          | is contained in    | Subnet
    Instance          | is attached to     | Volume
    Instance          | is contained in    | Virtual Private Cloud (VPC)
    InternetGateway   | is attached to     | Virtual Private Cloud (VPC)
    ...

  • Configuration Item

    All AWS API configuration attributes for a given resource at a given point in time, captured on every configuration change.

  • Configuration Item components

    Component             | Description                                                                             | Contains
    Metadata              | Information about this configuration item                                               | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5 hash, etc.
    Common Attributes     | Resource attributes                                                                     | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
    Relationships         | How the resource is related to other resources associated with the account              | e.g. EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4
    Current Configuration | Information returned through a call to the Describe or List API of the resource         | e.g. for an EBS volume: state of the DeleteOnTermination flag, type of volume (gp2, io1 or standard)
    Related Events        | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID

  • Introducing Config Rules

    Essentially, Lambda integration for Config: apply detailed checks to the state of your configuration at the point when it changes, and raise alerts if anything is outside compliance with your defined policy, e.g. if there are unencrypted non-root EBS volumes, or if any taggable resources aren't tagged appropriately.

    We have a library of pre-built rules, or build your own. See also re:Invent SEC308, Wrangling Security Events in the Cloud (https://www.youtube.com/watch?v=uc1Q0XCcCv4). The feature is available right now.

    Introducing Config Rules: https://www.youtube.com/watch?v=uc1Q0XCcCv4
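The two rule ideas named above (unencrypted non-root EBS volumes, missing tags) map directly onto a change-triggered Config rule: Lambda receives the configuration item, decides COMPLIANT or NON_COMPLIANT, and reports the result. The Python below is an added example, not a rule from the deck or from the AWS rule library. It works on constructed configuration items in the shape AWS Config records for AWS::EC2::Volume (the volume and instance IDs reuse the slide's sample values or are placeholders); the set of root device names and the `check` / `requiredTags` rule parameters are assumptions for this example.

```python
import json

# Assumption: volumes attached under these device names are root volumes and
# are out of scope for the "non-root volumes must be encrypted" rule. Match
# this to the rootDeviceName of your own instances.
ROOT_DEVICE_NAMES = {"/dev/sda1", "/dev/xvda"}

# Constructed configuration items in the AWS::EC2::Volume shape; only the
# fields the checks below look at are filled in.
DATA_VOLUME_UNENCRYPTED = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
    "configurationItemCaptureTime": "2015-08-24T08:15:12.000Z",
    "tags": {"Owner": "alice"},
    "configuration": {"encrypted": False, "volumeType": "gp2",
                      "attachments": [{"instanceId": "i-a1b2c3d4", "device": "/dev/sdf",
                                       "deleteOnTermination": False}]},
}
ROOT_VOLUME_UNENCRYPTED = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-placeholder-root",
    "configurationItemCaptureTime": "2015-08-24T08:15:12.000Z",
    "tags": {"Owner": "alice", "Environment": "prod"},
    "configuration": {"encrypted": False, "volumeType": "gp2",
                      "attachments": [{"instanceId": "i-a1b2c3d4", "device": "/dev/sda1",
                                       "deleteOnTermination": True}]},
}
DATA_VOLUME_ENCRYPTED = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-placeholder-enc",
    "configurationItemCaptureTime": "2015-08-24T08:20:00.000Z",
    "tags": {"Owner": "alice", "Environment": "prod"},
    "configuration": {"encrypted": True, "volumeType": "io1", "attachments": []},
}
# A Config Rules invocation: invokingEvent and ruleParameters arrive as JSON strings.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": DATA_VOLUME_UNENCRYPTED}),
    "ruleParameters": json.dumps({"check": "ebs-encryption"}),
    "resultToken": "placeholder-result-token",
}


def evaluate_ebs_encryption(ci):
    """Every non-root EBS volume must be encrypted."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    cfg = ci.get("configuration") or {}
    attached_as_root = any(a.get("device") in ROOT_DEVICE_NAMES
                           for a in (cfg.get("attachments") or []))
    if attached_as_root:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if cfg.get("encrypted") else "NON_COMPLIANT"


def evaluate_required_tags(ci, required=("Owner", "Environment")):
    """Every tag in `required` must be present with a non-empty value."""
    tags = ci.get("tags") or {}
    missing = [t for t in required if not tags.get(t)]
    return "COMPLIANT" if not missing else "NON_COMPLIANT"


def build_evaluation(ci, compliance):
    """One entry of the Evaluations list that PutEvaluations expects."""
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for a change-triggered rule. `check` is an assumed rule
    parameter that selects which of the two checks this function runs."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    check = params.get("check", "ebs-encryption")
    if check == "ebs-encryption":
        compliance = evaluate_ebs_encryption(ci)
    elif check == "required-tags":
        required = tuple(t.strip() for t in params.get("requiredTags", "Owner,Environment").split(","))
        compliance = evaluate_required_tags(ci, required)
    else:
        raise ValueError(f"unknown check {check!r}")
    evaluation = build_evaluation(ci, compliance)
    # Deployed, the rule would now call
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                          ResultToken=event["resultToken"])
    # That call is left out so the example runs offline.
    return evaluation


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Keeping the decision functions separate from the handler means each check can be unit-tested on captured configuration items before the rule is wired up, and a NON_COMPLIANT result can be routed to SNS the same way as any other alarm.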

  • Monitoring: Get consistent visibility of logs

    Full visibility of your AWS environment: CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when and from where (IP address). CloudTrail supports many AWS services, and growing, including EC2, EBS, VPC, RDS, IAM and Redshift.

    Easily aggregate all instance log information: the CloudWatch Logs agent scrapes files from EC2 instances and sends them to S3. This also enables alerting with SNS on strings of interest, just like regular CloudWatch. CloudWatch Logs is also used as the delivery mechanism for Flow Logging.

    Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.

  • Managing, Monitoring & Processing Logs

    CloudWatch Logs features: near real-time; aggregate, monitor, store, and search
    Amazon Elasticsearch Service integration: analytics and Kibana interface
    AWS Lambda & Amazon Kinesis integration: custom processing with your code
    Export to S3: SDK & CLI batch export of logs

  • Firewall Requirements

    Based on NIST SP 800 series, PCI-DSS and others:
    - Anti-spoofing
    - Packet filtering (minimum), stateful/stateless
    - Segregation of duties on the management side
    - Logging/audit capabilities on the management side
    - Event logging on processed traffic

    Corresponding AWS building blocks: Security Groups, IAM, AWS Config, CloudTrail, VPC Flow Logs

  • VPC Flow Logs

    [Diagram: flow logs are delivered to CloudWatch Logs; one LogGroup holds one LogStream per ENI (ENI-LogStream)]

  • VPC Flow Logs in Context

    [Diagram: route restrictively; lock down on network level; isolate concerns; lock down on instance level; Flow Logs capture the resulting flows]

  • Flow Log Record Structure

    Field             | Sample value
    Event-Version     | 2
    Account Number    | 123456789
    ENI-ID            | eni-31607853
    Source-IP         | 172.16.0.10
    Destination-IP    | 172.16.0.172
    Source-Port       | 80
    Destination-Port  | 41707
    Protocol Number   | 6
    Number of Packets | 1
    Number of Bytes   | 40
    Start-Time Window | 1440402534
    End-Time Window   | 1440402589
    Action            | ACCEPT
    State             | OK

    Full record: 2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

  • Flow Log Sampling

    Flow Logs are statistical reports of activity over a window of time: each record gives a Start-Time Window and End-Time Window together with the Number of Packets, Number of Bytes and Action observed for that flow in that window.

  • Statistical Sampling and Spikes

    [Chart: activity per Src/Dst IP/Port tuple plotted over time; a sudden spike in one tuple is marked with a "?"]
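The record structure, the per-window sampling and the spike question from the last three slides can be worked through in code. The Python below is an added example, not code from the deck or from AWS: it parses version-2 records in the 14-field order shown above, counts REJECT records per source address, and flags a source/destination/port tuple whose latest window carries far more bytes than its earlier windows. The sample lines are constructed (the first is the slide's own record; the rest, including a NODATA record, are invented) and the spike factor is an assumed tuning value.

```python
from collections import defaultdict
from statistics import mean
from typing import NamedTuple, Optional

# Constructed sample: the slide's record followed by invented ones for the
# same ENI. Records with "-" fields and a NODATA state occur when no traffic
# was observed in the window, so the parser must accept them.
SAMPLE_FLOW_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 203.0.113.5 172.16.0.10 40000 22 6 3 180 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 203.0.113.5 172.16.0.10 40001 22 6 3 180 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402590 1440402649 ACCEPT OK
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 120 9000000 1440402650 1440402709 ACCEPT OK
2 123456789 eni-31607853 - - - - - - - 1440402650 1440402709 - NODATA
"""

# Field order of a version-2 record, as listed on the slide.
FIELD_COUNT = 14


class FlowRecord(NamedTuple):
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    nbytes: int
    start: int
    end: int
    action: Optional[str]
    log_status: str


def _opt(value, cast):
    """'-' marks an absent value in NODATA/SKIPDATA records."""
    return None if value == "-" else cast(value)


def parse_record(line: str) -> FlowRecord:
    parts = line.split()
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}: {line!r}")
    (version, account_id, eni, src, dst, sport, dport, proto,
     packets, nbytes, start, end, action, status) = parts
    return FlowRecord(
        version=int(version), account_id=account_id, interface_id=eni,
        srcaddr=_opt(src, str), dstaddr=_opt(dst, str),
        srcport=_opt(sport, int), dstport=_opt(dport, int), protocol=_opt(proto, int),
        packets=_opt(packets, int) or 0, nbytes=_opt(nbytes, int) or 0,
        start=int(start), end=int(end),
        action=_opt(action, str), log_status=status,
    )


def parse_lines(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def reject_count_by_source(records):
    """How many REJECT records each source address produced (security group or NACL denies)."""
    counts = defaultdict(int)
    for r in records:
        if r.action == "REJECT":
            counts[r.srcaddr] += 1
    return dict(counts)


def bytes_per_window(records):
    """Map each (src, dst, srcport, dstport, protocol) tuple to its
    (window start, bytes) series in time order. Only OK records carry counts."""
    series = defaultdict(list)
    for r in records:
        if r.log_status != "OK":
            continue
        key = (r.srcaddr, r.dstaddr, r.srcport, r.dstport, r.protocol)
        series[key].append((r.start, r.nbytes))
    return {key: sorted(windows) for key, windows in series.items()}


def detect_spikes(records, factor=5.0):
    """Tuples whose latest window exceeds `factor` times the mean of the earlier
    windows. Returns (tuple, window start, latest bytes, baseline bytes)."""
    spikes = []
    for key, windows in bytes_per_window(records).items():
        if len(windows) < 2:          # no baseline to compare against yet
            continue
        baseline = mean(b for _, b in windows[:-1])
        latest_start, latest_bytes = windows[-1]
        if baseline > 0 and latest_bytes > factor * baseline:
            spikes.append((key, latest_start, latest_bytes, baseline))
    return spikes


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_FLOW_LOG)
    print("rejects by source:", reject_count_by_source(recs))
    for key, start, latest, baseline in detect_spikes(recs):
        print(f"spike at {start}: {key} sent {latest} bytes vs baseline {baseline}")
```

Because each record is a per-window aggregate, the spike check compares windows rather than individual packets; a tuple seen in only one window has no baseline and is skipped rather than reported.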

  • Example

  • Logs → metrics → alerts → actions

    Logs: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs
    Metrics: CloudWatch / CloudWatch Logs
    Alerts: CloudWatch alarms → Amazon SNS (email notification, HTTP/S notification, SMS notifications, mobile push notifications)
    Actions: API calls from most services
