Most companies are lured to the cloud by the promise of near-instant resource availability, which can mean teams sign up for cloud accounts before controls are in place to audit and monitor these environments. In this new world of app deployment on third-party cloud infrastructure, there are often limited processes for network perimeter review, credential rotation, and access logging. With poor logging configurations, security analysts can be limited in their ability to perform forensics in an account after our cloud infrastructure providers notify us of suspicious activity.
To help alleviate these potential issues, Adobe developed a tool called MAVLink. MAVLink enables us to audit public cloud accounts against a set of best practices and to collect information useful in identifying potential security incidents. MAVLink provides a more robust monitoring solution that can be set up in a new environment quickly, giving consistent data availability and audit information to help improve the security posture of our cloud infrastructure accounts. We’ll walk through some of the steps an organization can take to transition to monitored, audited environments and help avoid potential cloud chaos.
The first step is to attempt to control account creation. This was accomplished using a Microsoft Exchange filter targeting registration emails. Registration emails can then be redirected to a responsible group or individual to help ensure that all new accounts are properly provisioned and inventoried. When the cloud account provisioning team provisions a new account on behalf of another team, they generate and store the MFA token and password for the root user. We use APIs available from our identity management system to automate necessary actions.
The Adobe Secure Software Engineering Team (ASSET) is a user of our cloud infrastructure services as well. We enabled account trust relationships between engineering accounts and our ASSET accounts. This enables our security team to set up security feature defaults and data sources in those accounts, such as AWS (Amazon Web Services) CloudTrail (for tracking API activity and usage), configuration snapshots, SNS (Simple Notification Service) events, and ELB (Elastic Load Balancer) access logs.
Configuration snapshots can mostly be a one-stop-shop to get information about created resources in the account. Do you need to know what public IPs are used, check ELB cipher suites, or get a list of users within an account? Configuration snapshots can help you answer all those questions. The account trust relationship mentioned earlier also allows our security team to query other services that may not necessarily be represented in a configuration snapshot such as IAM (identity & access management) credential reports. All this information flows into our MAVLink tool to help us better secure our cloud services.
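As an added example of the kind of question a configuration snapshot answers (this is not MAVLink's code and not Adobe's), the script below pulls public IPs, IAM users and ELB listener settings out of a snapshot document. The snapshot is a constructed, trimmed sample in the shape of an AWS Config snapshot (a top-level `configurationItems` list whose entries carry `resourceType`, `resourceId`, `resourceName`, `awsRegion` and a service-specific `configuration` dict); the ELB listener layout is simplified and the resource IDs and addresses are made up.

```python
"""Answer inventory questions from an AWS Config configuration snapshot.

Added example, not MAVLink code. The snapshot below is constructed; field
names follow AWS Config's snapshot JSON, with the ELB entry simplified.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample snapshot (placeholder IDs, documentation-range IPs).
SAMPLE_SNAPSHOT = json.dumps({
    "fileVersion": "1.0",
    "configSnapshotId": "placeholder-snapshot-id",
    "configurationItems": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example1",
         "awsRegion": "us-east-1",
         "configuration": {"publicIpAddress": "203.0.113.10",
                           "privateIpAddress": "10.0.1.10"}},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example2",
         "awsRegion": "us-east-1",
         "configuration": {"privateIpAddress": "10.0.1.11"}},  # no public IP
        {"resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-0example",
         "awsRegion": "us-west-2",
         "configuration": {"publicIp": "203.0.113.25"}},
        {"resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
         "resourceId": "web-elb", "resourceName": "web-elb",
         "awsRegion": "us-east-1",
         "configuration": {"listenerDescriptions": [
             {"listener": {"protocol": "HTTPS", "loadBalancerPort": 443},
              "policyNames": ["ELBSecurityPolicy-TLS-1-2-2017-01"]},
             {"listener": {"protocol": "HTTP", "loadBalancerPort": 80},
              "policyNames": []}]}},
        {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE1",
         "resourceName": "deploy-bot", "awsRegion": "global",
         "configuration": {"userName": "deploy-bot"}},
        {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE2",
         "resourceName": "alice", "awsRegion": "global",
         "configuration": {"userName": "alice"}},
    ],
})


def load_items(snapshot_json: str) -> List[Dict]:
    """Return the configuration items from a snapshot document."""
    return json.loads(snapshot_json).get("configurationItems", [])


def public_ips(items: List[Dict]) -> Dict[str, str]:
    """Map every public IP in the snapshot to the resource that holds it."""
    found: Dict[str, str] = {}
    for item in items:
        cfg = item.get("configuration") or {}
        rtype = item.get("resourceType")
        if rtype == "AWS::EC2::Instance" and cfg.get("publicIpAddress"):
            found[cfg["publicIpAddress"]] = item["resourceId"]
        elif rtype == "AWS::EC2::EIP" and cfg.get("publicIp"):
            found[cfg["publicIp"]] = item["resourceId"]
    return found


def iam_users(items: List[Dict]) -> List[str]:
    """Sorted list of IAM user names present in the account."""
    return sorted(i["resourceName"] for i in items
                  if i.get("resourceType") == "AWS::IAM::User")


def elb_listeners(items: List[Dict]) -> List[Tuple[str, int, str, List[str]]]:
    """(load balancer, port, protocol, TLS policy names) for each listener,
    so a reviewer can spot plaintext listeners and weak cipher policies."""
    rows = []
    for item in items:
        if item.get("resourceType") != "AWS::ElasticLoadBalancing::LoadBalancer":
            continue
        cfg = item.get("configuration") or {}
        for ld in cfg.get("listenerDescriptions", []):
            lst = ld.get("listener", {})
            rows.append((item["resourceName"], lst.get("loadBalancerPort"),
                         lst.get("protocol"), list(ld.get("policyNames", []))))
    return rows


def plaintext_listeners(items: List[Dict]) -> List[Tuple[str, int]]:
    """Listeners that terminate neither HTTPS nor SSL: candidates for review."""
    return [(lb, port) for lb, port, proto, _ in elb_listeners(items)
            if proto not in ("HTTPS", "SSL")]


if __name__ == "__main__":
    items = load_items(SAMPLE_SNAPSHOT)
    print("public IPs:", public_ips(items))
    print("IAM users:", iam_users(items))
    print("plaintext listeners:", plaintext_listeners(items))
```

The same three functions run unchanged against a real snapshot pulled from the S3 delivery bucket; only the sample document is constructed.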
If you decide to pursue the approach we are discussing here, the level of permissions you allot to your security or audit team depends on your organization’s requirements. Understand, however, that too many permissions could introduce operational risks and too few could require costly updates later to deployed services.
If you have a large number of accounts, it makes sense to templatize and automate the setup of the cross-account role. Tools are provided by cloud infrastructure providers to help automate this and we made use of them to set up MAVLink.
Once the necessary account trust relationships are in place, MAVLink’s data collection and configuration enforcement modules can be used. MAVLink integrates with AWS Lambda for our Amazon Web Services (AWS) accounts. This allows for quick updates to the codebase and helps reduce the administrative overhead of maintaining instances. Lambda functions trigger on a regular schedule, iterate over each registered account, assume the role into the account, and then perform the configuration check or data retrieval. That action may be reviewing the AWS CloudTrail configuration to make sure it is still enabled, delivering to the correct bucket, and including the appropriate global trail. Whenever data is collected, it flows into our Security Information and Event Management (SIEM) system and logging tools for analysis by MAVLink. MAVLink then helps us monitor our cloud service accounts in one place.
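To make the two steps above concrete (the templated cross-account role, then the scheduled function that assumes it and checks CloudTrail), here is an added example in Python; it is not MAVLink's code and not Adobe's. The role name, bucket name, external ID and account IDs are placeholders. The trail checks work on the dict shapes that boto3's CloudTrail `describe_trails` and `get_trail_status` return, so they run offline against the constructed sample; the live collector only imports boto3 when it is actually called. The log-file validation check is an extra the post does not mention.

```python
"""Cross-account CloudTrail audit in the style described above.

Added example, not MAVLink code. Placeholders: AUDIT_ROLE_NAME,
EXPECTED_BUCKET, the external ID and every account ID.
"""
from typing import Callable, Dict, List, Tuple

EXPECTED_BUCKET = "placeholder-central-cloudtrail-bucket"  # assumption
AUDIT_ROLE_NAME = "PlaceholderSecurityAuditRole"          # assumption


def cross_account_trust_policy(security_account_id: str, external_id: str) -> Dict:
    """Trust policy for the audit role templated into every engineering account.
    Only the security account may assume it, and only with the agreed
    ExternalId, which closes the confused-deputy hole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def evaluate_trails(trails: List[Dict], status_by_name: Dict[str, Dict],
                    expected_bucket: str) -> List[str]:
    """Findings for one account; an empty list means the account passes."""
    if not trails:
        return ["no CloudTrail trail defined"]
    findings: List[str] = []
    global_ok = False
    for t in trails:
        name = t.get("Name", "<unnamed>")
        if not status_by_name.get(name, {}).get("IsLogging"):
            findings.append(f"{name}: logging is disabled")
        if t.get("S3BucketName") != expected_bucket:
            findings.append(f"{name}: delivers to {t.get('S3BucketName')!r}, "
                            f"expected {expected_bucket!r}")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation is off")
        if t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents"):
            global_ok = True  # one trail must cover all regions + global services
    if not global_ok:
        findings.append("no multi-region trail captures global service events")
    return findings


def collect_live(account_id: str, external_id: str,
                 region: str = "us-east-1") -> Tuple[List[Dict], Dict[str, Dict]]:
    """Assume the audit role in one account and read its trails (needs boto3
    and credentials; not exercised offline)."""
    import boto3  # local import so the offline checks need no AWS SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{AUDIT_ROLE_NAME}",
        RoleSessionName="audit-example", ExternalId=external_id)["Credentials"]
    ct = boto3.client("cloudtrail", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    status = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, status


def audit_accounts(registry: Dict[str, str],
                   fetch: Callable[[str, str], Tuple[List[Dict], Dict[str, Dict]]] = collect_live
                   ) -> Dict[str, List[str]]:
    """The Lambda body: iterate registered accounts, fetch, evaluate.
    `fetch` is injectable so the loop can be run against canned data."""
    return {acct: evaluate_trails(*fetch(acct, ext_id), EXPECTED_BUCKET)
            for acct, ext_id in registry.items()}


# Constructed sample data (placeholder ARNs, not real accounts).
HEALTHY_TRAILS = [{"Name": "org-trail", "S3BucketName": EXPECTED_BUCKET,
                   "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
                   "LogFileValidationEnabled": True,
                   "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}]
HEALTHY_STATUS = {"org-trail": {"IsLogging": True}}
DRIFTED_TRAILS = [{"Name": "local-trail", "S3BucketName": "someones-own-bucket",
                   "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
                   "LogFileValidationEnabled": False,
                   "TrailARN": "arn:aws:cloudtrail:us-east-1:222222222222:trail/local-trail"}]
DRIFTED_STATUS = {"local-trail": {"IsLogging": False}}
CANNED = {"111111111111": (HEALTHY_TRAILS, HEALTHY_STATUS),
          "222222222222": (DRIFTED_TRAILS, DRIFTED_STATUS)}


def canned_fetch(account_id: str, _external_id: str):
    """Offline stand-in for collect_live."""
    return CANNED[account_id]


if __name__ == "__main__":
    registry = {"111111111111": "placeholder-ext-id", "222222222222": "placeholder-ext-id"}
    for acct, findings in audit_accounts(registry, fetch=canned_fetch).items():
        print(acct, findings or "OK")
```

In production the findings dict is what gets forwarded to the SIEM; keeping `evaluate_trails` free of any SDK call is what lets the same logic be unit-tested against recorded API responses before a rule is rolled out across every account.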
MAVLink is a very useful tool that is helping improve our security hygiene across cloud services. You can learn more about MAVLink in our recent webcast.
Lead Cloud Security Engineer – Adobe Experience Cloud