

Monitoring AWS comes down to tool choice

AWS has three services admins can use to assess a cloud environment: AWS CloudTrail, AWS Config and Amazon Inspector. Each has a different approach to the same overall objective.

AWS has an expanding list of functions and features designed to make its public cloud more manageable. AWS Config Rules, AWS CloudTrail and Amazon Inspector are three related services that can help administrators get a handle on monitoring AWS security and resource configurations.

AWS CloudTrail is an audit log of the API calls made in an AWS account, together with metadata about each call: the identity that made it, the source IP address, the service called and the IDs of the resources affected. Management (control-plane) calls such as creating an instance or changing a security group are logged by default; data-plane events such as S3 object reads or Lambda invocations are not, and have to be enabled on a trail separately.

From a security perspective, AWS CloudTrail is a "must-have," according to Matthew Fuller, founder of CloudSploit, an open source AWS security scanner and company based in New York. The service is especially necessary for monitoring AWS accounts with multiple users. "If there is ever a security incident, CloudTrail provides a historical log that can be analyzed to determine exactly what led to the intrusion, what actions the malicious user took and what resources were affected," Fuller said.

AWS Config differs from CloudTrail in that it records the configuration history of every resource it is set to record, so an admin can see how a specific piece of the infrastructure changed over time. Because Config also records the relationships between resources (which security groups an instance uses, which instance a volume is attached to), it shows what a change to one resource would touch. AWS Config integrates with AWS Lambda, allowing IT teams to run custom code in response to a change in resource state.

AWS Config Rules, a feature of AWS Config, lets an admin define the states resources are allowed to be in. "If the resource fails to remain in that state -- a likely security risk -- a Lambda function can execute," he added.
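As an added example (not code from the article, from CloudSploit or from AWS), the following is the evaluation logic of a custom Config rule written as a Lambda function: it marks a security group NON_COMPLIANT when SSH or RDP is reachable from anywhere. The configuration-item sample, the port list and the result token are constructed, and the handler only calls put_evaluations when a boto3 Config client is passed in, so the evaluation can be run and tested offline.

```python
"""Custom AWS Config rule: flag security groups that allow SSH (22) or RDP (3389)
from 0.0.0.0/0 or ::/0. Added example; the configuration-item sample below is
constructed and the Config client is optional so the logic runs offline."""
import json

FLAGGED_PORTS = {22, 3389}   # assumption: the admin ports this rule cares about
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _port_range(perm):
    """(from, to) covered by one ipPermissions entry; protocol -1 means all ports."""
    if perm.get("ipProtocol") == "-1":
        return (0, 65535)
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return (0, 65535)
    return (lo, hi)


def _world_open(perm):
    """True when the entry lists an all-hosts CIDR, in the old or new item format."""
    cidrs = list(perm.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def open_admin_ports(sg_configuration):
    """Sorted list of flagged ports reachable from anywhere in a security group."""
    hits = set()
    for perm in sg_configuration.get("ipPermissions", []):
        if not _world_open(perm):
            continue
        lo, hi = _port_range(perm)
        hits.update(p for p in FLAGGED_PORTS if lo <= p <= hi)
    return sorted(hits)


def evaluate_item(item):
    """Build the evaluation dict Config expects for one configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "not a security group"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        ports = open_admin_ports(item.get("configuration", {}))
        if ports:
            compliance = "NON_COMPLIANT"
            note = "ports %s open to the world" % ",".join(map(str, ports))
        else:
            compliance, note = "COMPLIANT", "no admin ports open to the world"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Entry point for a custom Config rule. Returns the evaluation; reports it
    to AWS only when a boto3 Config client is supplied (assumption for testing)."""
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate_item(invoking["configurationItem"])
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


# Constructed sample of what Config sends the rule when sg-0abc1234 changes.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0abc1234",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-03-01T10:15:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": ["0.0.0.0/0"]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Deployed for real, the function is wired to a custom rule with the "Configuration changes" trigger scoped to AWS::EC2::SecurityGroup, and `lambda_handler(event, context, boto3.client("config"))` reports the result; HTTPS on 443 to the world is deliberately left alone, which is the kind of policy decision the FLAGGED_PORTS set encodes.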


While AWS CloudTrail simply provides logs, AWS Config is a "more advanced concept," said Zubin Irani, CEO of cPrime, a Foster City, Calif. company focused on agile training. AWS Config tracks which resources exist and how they are configured, as well as the change history within the infrastructure. "CloudTrail's purpose is to keep records and react on who did what, and Config is about what resources changed and how they looked," Irani said. In other words, both services help with monitoring AWS, but CloudTrail is user-action-centric and Config is resource-centric.

Amazon Inspector is an assessment service whose agent runs on Elastic Compute Cloud instances and reports potential compliance violations and security risks at the server level. Inspector aggregates its findings to show whether a project is compliant or not. "Inspector is like a profiling tool that can examine the infrastructure and provide recommendations on how to improve security," Irani said.

Choosing services for monitoring AWS

AWS Config, CloudTrail and Inspector all serve different purposes. CloudTrail is a record of the API calls made in your account: every action taken, when it happened and who took it. That information is necessary for forensics and audits. AWS Config records each configuration change to the resources it is set to record. For example, when an admin attaches or removes an Elastic Network Interface, or adds a rule to a security group, AWS Config records the change and provides a timeline of the environment showing when it changed.

IT teams that use CloudTrail and Config together can be notified that a change occurred (Config publishes change notifications to an SNS topic) and can see what changed and when. They can then search CloudTrail for the API call that touched that resource just before Config captured the new state, which tells them who performed the action and from which address. Monitoring AWS and preserving security configurations is a big part of protecting any environment; these native AWS monitoring tools can help any organization ensure that changes are authorized, tracked and audited.
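The correlation just described, as an added example that is not from the article: given a Config change notification for a security group, search CloudTrail records for the successful, non-read-only calls that referenced that resource in the minutes before Config captured the new state, and name the principal behind each one, resolving assumed-role sessions back to the role. The Config notification, the CloudTrail records and the 15-minute window are all constructed assumptions.

```python
"""Correlate an AWS Config change with CloudTrail records to answer 'who did it'.
Added example, not from the article; the Config change and CloudTrail records
below are constructed samples in the shape each service emits."""
from datetime import datetime, timedelta, timezone


def parse_time(s):
    """Both services emit ISO-8601 UTC; Config adds milliseconds, CloudTrail doesn't."""
    s = s.replace("Z", "")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: " + s)


def mentions(value, needle):
    """Recursively search requestParameters/responseElements for a resource ID."""
    if isinstance(value, dict):
        return any(mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(mentions(v, needle) for v in value)
    return value == needle


def principal(identity):
    """Readable actor: the IAM user, or the role behind an assumed-role session."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "user:" + identity.get("userName", "?")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:%s (session %s)" % (issuer.get("userName", "?"),
                                         identity.get("arn", "?"))
    if kind == "Root":
        return "root:" + identity.get("accountId", "?")
    return "%s:%s" % (kind, identity.get("arn", "?"))


def find_actors(change, records, window=timedelta(minutes=15)):
    """CloudTrail events that modified the changed resource in the window before
    Config captured its new state, oldest first. Read-only and failed calls are
    skipped because neither could have produced the change."""
    captured = parse_time(change["configurationItemCaptureTime"])
    resource_id = change["resourceId"]
    hits = []
    for rec in records:
        when = parse_time(rec["eventTime"])
        if not (captured - window <= when <= captured):
            continue
        if rec.get("readOnly") or rec.get("errorCode"):
            continue
        if not (mentions(rec.get("requestParameters"), resource_id)
                or mentions(rec.get("responseElements"), resource_id)):
            continue
        hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "actor": principal(rec["userIdentity"]),
                     "source_ip": rec.get("sourceIPAddress")})
    return sorted(hits, key=lambda h: h["time"])


# Constructed Config change notification (abridged configuration item).
CONFIG_CHANGE = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0abc1234",
                 "configurationItemCaptureTime": "2017-03-01T10:15:00.000Z"}

# Constructed CloudTrail records for the same account.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2017-03-01T09:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-0abc1234"}},                  # outside the window
    {"eventTime": "2017-03-01T10:14:42Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}},
     "readOnly": False, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0abc1234", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},        # the real change
    {"eventTime": "2017-03-01T10:14:50Z", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "readOnly": True,
     "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"securityGroupIdSet": {"items": [{"groupId": "sg-0abc1234"}]}}},
    {"eventTime": "2017-03-01T10:14:55Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}, "readOnly": False,
     "sourceIPAddress": "203.0.113.12", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"groupId": "sg-0abc1234"}},                  # denied, no effect
]

if __name__ == "__main__":
    for hit in find_actors(CONFIG_CHANGE, CLOUDTRAIL_RECORDS):
        print(hit)
```

In practice the records come from the trail's S3 objects (gzip-compressed JSON with a top-level "Records" array) or from the lookup_events API; searching both requestParameters and responseElements matters because create calls only carry the new ID in the response, and the session ARN is kept alongside the role name so the audit trail still shows which human assumed it.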

Amazon Inspector looks inside cloud instances, inventorying installed packages and comparing them against an AWS-maintained database of common vulnerabilities and exposures (CVEs). This lets admins determine which packages to update and prioritize patches by the severity of the findings. Run on a schedule, Inspector gives an IT team a regular list of patches to apply.

The three are not all free: CloudTrail's event history and a first copy of management events delivered to S3 cost nothing beyond storage, while AWS Config is billed per configuration item recorded and per rule evaluation, and Inspector is billed per assessment. Still, "Inspector is fairly optional," Irani added. "The only required and recommended [service of the three] is CloudTrail."
