AWS Logging Mechanisms
Advanced networking at scale
The course is part of this learning path
In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various network management services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various network management services available in AWS
- Understand the use of AWS Config to assess network infrastructure
- Describe how AWS CloudTrail is used to monitor and audit network infrastructure
- Explain how Amazon Inspector is used to enhance AWS network security and compliance
- Describe how VPC Flow Logs are used to capture IP traffic within the AWS Cloud
- Identify strategies for solving common issues that occur when running cloud networking at scale
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture. What I want to show you, how to work with Findings from your Assessment Runs, that you may find. I thought that this lecture might be easier if we continue on from the previous demonstration, so let's get back to the environment.
Okay, so we're back in the console, looking at our two Assessment Runs, that we had and just as a quick reminder, for the Linux template, we had four Findings and for the Windows, we had 230, so I just kind of want to run through how you can look at the Findings in a bit more detail and the information that they provide.
If we go across to the left-hand side here under Findings, there's a number of Severity Filters, High, Medium, Low and Informational, so if we take a look at the High Severity Findings first. Now, we can see that there's 227 of these, that the Assessment has found and we can see that the majority of them are against the Windows template, so let's have a look at one of these Findings, just to see what information we have.
So, if we expand the Finding and get a bit more detail, this will give us the ARN of the Finding, the Run Name, the Target Assessment, that the Finding was run against and which template was used within the Assessment as well and the Start and End Time of the Assessment Run and the Current Status. As we scroll down, we can also see which Rules Package that this Finding came from, so this came from the CIS Benchmarks and it also gives the ID of the Instance as well, I mean, if we was to click on this, for example, it'll take us straight to that Instance, as we can see there, it's the Windows box, so there's a number of hyperlinks, that you can kind of access the Target etc and the template, if you needed to to get more information.
Right, in this section here, the Finding, this is actually the issue that it found and then it raised, so here you can see, it explains that this Instance is not compliant with a specific rule within the Rules Package and it explains that you need to ensure there's a minimum password age is set to one or more days and this is a requirement against the CIS Benchmark for this Windows server, 2012, so that's been highlighted as Severity of High.
If we go down to the Descriptions section, it gives us further details again and again, this talks about the minimum password age, it needs to be set to more than one day, it says you can go up to a maximum of 999 days and it also gives a rationale behind the reasoning for this Finding, so there's a quite a lot of information there to get an understanding of why the Finding has been found and why there should be Recommendations to rectify it and then finally with regards to Recommendations, it does give a Recommendation on what you should do to resolve the issue and here it says you need to establish the recommended configuration, you need to set the following UI path to one or more days and then here, it's also given us the path as well, so it's very easy for us to get an understanding of what the issue is, why it's an issue and what we need to do to remediate the problem.
So, it's quite a lot of detail within the Findings. Let's close that one up and again, if we go through any other Finding, it'll be similar kind of information, again a Description, a rationale and a Recommendation as well.
So, if we look at some of the Medium Severities, so it's only found one Medium Severity issue here against the Linux box, so if we take a look at that, again we have the ARN, the Run Name, Target and template name and again, what's important is to know which Rules Package this has come from, so it's come from the Security Best Practices and against which Agent as well and the Finding here explains that it's configured to allow users to log in with root credentials over SSH, which increases the likelihood of a brute force attack and again it's given a Recommendation as to what to do to resolve the issue and it explains here a couple of commands to disable SSH root logins, so again, very good information, very useful and a Recommendation on how to resolve the problem.
So, let's take a look at if we've got any Low Findings and yes, we have a couple, we have one for Windows and one for Linux against Behavior Analysis, Runtime Behavior Analysis, so let's take a quick look. Again, all very similar information, we have the Rules Package there, the Agent and the Finding as well, it's saying that there are insecure protocols used to connect to the remote host and again, a Recommendation of replacing those insecure protocols with encrypted versions and if we look at the Linux Finding, we can also see here that it's the same issue, that insecure protocols were used to connect to the remote host.
So that's just a couple of Low Findings there, but if it was in a production environment, then you would definitely look to resolve all the High Severities first and then the Mediums and then work on the Lows afterwards and then finally we have Informational and we have a couple of items here for both boxes, Windows and Linux, so if we take a look at one of the Windows, let's see what it says here. It just explains in the Finding, that this agent was listening on TCP ports, but no connections were using those ports during the Assessment Run, so the Recommendation is to disable any network services, that we don't use, so we don't expose those ports and we can reduce the attack surface area of our deployment.
So again, these are just Informational, we can take action upon that, if we need to, but it's not a great risk to us.
What you can also do as well is download this information by clicking on this button here and it will export the data as a CSV file, so let's export all columns and take a look. So this opens the CSV file of a lot of the Findings information stood, Severity, Date, the actual Finding itself, which is the important part, which Targets these were found on and which template and against which Rules Package and again, we have the ARN Rule, agent ID, etc. So you might want to export some of those Findings into a CSV file to kind of work against them and maybe track them a little easier and pass this document around to other members within the team.
So let's go back to the console. So that's essentially it for Findings, they'll all be found on this left-hand side in this menu under Findings and then you can Filter them as required against specific Targets or templates or even Rules Packages as well, if you're just interested in a particular Rules Package, then you can just break those down individually.
Okay, then that's the end of the demonstration.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.