By leveraging AWS continuous compliance solutions, Basefarm is able to offer compliance monitoring solutions to Bokbasen.
The solution consists of AWS Security Hub, AWS Inspector, AWS Config, AWS CloudTrail, Amazon CloudWatch and Amazon GuardDuty. These services identify common security issues and potential threats while allowing Bokbasen to maintain its development velocity. Security events are raised as tickets within Basefarm’s ITSM solution, so that security incidents are managed using Basefarm’s mature and battle-tested incident management processes.
Using AWS Security Hub with the CIS AWS Foundations compliance standard, Basefarm can ensure that all of Bokbasen’s AWS accounts are maintained at a minimum level of security hygiene that complies with the Center for Internet Security’s best practices. If any element of the account configuration is found not to meet these standards, a security incident is raised automatically.
Amazon GuardDuty and AWS Inspector are integrated with AWS Security Hub, which offers a single pane of glass for security insight. Additionally, AWS Security Hub flags non-compliance with the rules configured in AWS Config.
AWS Inspector provides the capability to conduct vulnerability and compliance analysis for instances running in Amazon EC2, using one or more of four pre-defined rulesets.
For any given rule in an AWS Inspector ruleset, it is currently not possible to ignore individual controls. This causes unnecessary alerts, which in turn create tickets and unnecessary work. Since it was a requirement that certain controls be disabled, Basefarm created a filter function based on AWS Lambda. The filter is configured using JSON objects stored in Amazon S3. It is used both to ignore certain controls and to augment each event with additional information, such as priority, assignee, event type, and additional documentation and references.
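A minimal version of such a filter, written here as an added illustration in Python (the natural Lambda runtime) and not Basefarm’s own code: the suppression and augmentation rules are JSON objects, loaded from S3 in the real design but embedded here so it runs offline, and the finding field names (`GeneratorId`, `Severity.Label`, `detail.findings`) follow the Security Hub finding format as an assumption. The rule identifiers and URLs are placeholders.

```python
import json
from typing import Optional

# Constructed filter configuration. In the design described above this JSON
# lives in Amazon S3 and would be fetched with boto3 at runtime; it is embedded
# here so the example runs offline. The rule identifiers are placeholders.
FILTER_CONFIG = json.loads("""{
  "ignore":  [{"generator_id": "PLACEHOLDER-RULE-NOISY"}],
  "augment": [{"generator_id": "PLACEHOLDER-RULE-KERNEL", "priority": "P1",
               "assignee": "platform-team", "event_type": "vulnerability",
               "references": ["https://example.invalid/runbook/kernel"]}]
}""")

# Defaults applied to any finding that no augmentation rule matches
DEFAULTS = {"priority": "P3", "assignee": "security-operations",
            "event_type": "security-finding", "references": []}

def filter_finding(finding: dict, config: dict) -> Optional[dict]:
    """Return a ticket payload for one finding, or None if it is suppressed.
    Assumes the control identifier is carried in the ASFF GeneratorId field."""
    gen_id = finding.get("GeneratorId", "")
    if any(r["generator_id"] == gen_id for r in config.get("ignore", [])):
        return None  # suppressed: no ticket is raised for this control
    ticket = {"finding_id": finding["Id"], "title": finding.get("Title", ""),
              "severity": finding.get("Severity", {}).get("Label", "UNKNOWN"),
              **DEFAULTS}
    for rule in config.get("augment", []):
        if rule["generator_id"] == gen_id:
            ticket.update({k: v for k, v in rule.items() if k != "generator_id"})
    return ticket

def handler(event: dict, context=None) -> list:
    """Lambda entry point. Expects the EventBridge event shape for Security Hub
    findings (detail.findings) and returns the tickets to forward to the ITSM."""
    findings = event.get("detail", {}).get("findings", [])
    return [t for t in (filter_finding(f, FILTER_CONFIG) for f in findings) if t]

# Constructed sample event: one suppressed, one augmented, one left at defaults
SAMPLE_EVENT = {"detail": {"findings": [
    {"Id": "f-1", "GeneratorId": "PLACEHOLDER-RULE-NOISY", "Title": "Noisy control", "Severity": {"Label": "LOW"}},
    {"Id": "f-2", "GeneratorId": "PLACEHOLDER-RULE-KERNEL", "Title": "Unpatched kernel", "Severity": {"Label": "HIGH"}},
    {"Id": "f-3", "GeneratorId": "PLACEHOLDER-RULE-OTHER", "Title": "Other control", "Severity": {"Label": "MEDIUM"}},
]}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Running it yields two tickets: the suppressed control produces none, the kernel finding carries the P1 priority, assignee and runbook reference from its rule, and the third keeps the defaults.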
Amazon GuardDuty is an AWS-managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads.
GuardDuty uses Machine Learning to analyze events across multiple AWS accounts and data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.
Amazon CloudWatch Alarms are configured for specific events found in AWS CloudTrail.
One example of a configured Amazon CloudWatch Alarm fires when the root user is used, as this should never happen without a ticket in Basefarm’s ITSM tool.
The Basefarm ITSM integration also supports receiving alarms defined in Amazon CloudWatch, by using Amazon Simple Notification Service.
When AWS Config was enabled in Bokbasen’s highly dynamic accounts, where EC2 instances are stopped and started all the time, the cost of AWS Config for certain resources was higher than the cost of the resources themselves. Basefarm, together with the customer, ended up disabling AWS Config for Amazon EC2 and AWS Auto Scaling resources.