CloudAcademy

Monitor Amazon CloudWatch Security Logs for failed SSH attempts

The hands-on lab is part of these learning paths

Security - Specialty Certification Preparation for AWS


Solutions Architect – Associate Certification Preparation for AWS - Feb 2018


Lab Steps

  • Logging in to the Amazon Web Services Console
  • Confirming CloudWatch Agent Setup, CloudWatch Log Group and Log Stream creation
  • Creating an SNS Topic for SSH failures
  • Creating a Subscription and subscribing to the SSH failure Topic
  • Creating an Alarm for SSH failures


Difficulty: Beginner
Duration: 1h 30m
Students: 165

Description

Lab Overview

Clearly security is a huge issue for the technical sector, and public cloud is no exception to that. If you Google "top cloud security concerns" one of the top articles is from Information Week titled 9 Worst Cloud Security Threats. The section on Account or Service Traffic Hijacking states:

An intruder with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor's site or inappropriate sites.

This Lab is germane to the quote above. In this Lab you will configure an EC2 instance to use the CloudWatch agent so that it delivers the instance's security log file to Amazon CloudWatch. A CloudWatch Log Group and Log Stream will be created automatically for you. By monitoring the security log file for a specific type of potential breach (based on a filter pattern), CloudWatch will proactively send a notification to your email address. You will also configure Amazon Simple Notification Service (SNS) as the communication channel for that notification.

Although this Lab focuses on failed SSH attempts, the same approach applies more broadly: CloudWatch can monitor many different log files and infrastructure metrics in the same way, with a filter pattern feeding a metric and an alarm acting on that metric.
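As an added illustration (not part of the lab or its materials), the script below models what the lab wires up in CloudWatch: a filter pattern applied to sshd lines from the security log, the resulting count feeding an alarm threshold, and the parameters you would pass to the real boto3 `put_metric_filter` call. The log lines, log group name, metric names and the pattern `Invalid user` are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure (not from the lab).
SAMPLE_SECURE_LOG = """\
Mar  4 10:01:12 ip-10-0-0-12 sshd[2231]: Invalid user admin from 198.51.100.7 port 51822
Mar  4 10:01:15 ip-10-0-0-12 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Mar  4 10:01:20 ip-10-0-0-12 sshd[2240]: Invalid user oracle from 198.51.100.7 port 51830
Mar  4 10:02:01 ip-10-0-0-12 sshd[2251]: Accepted publickey for ec2-user from 203.0.113.5 port 40012 ssh2
Mar  4 10:02:44 ip-10-0-0-12 sshd[2260]: Invalid user test from 192.0.2.9 port 60001
"""

# Assumed filter pattern for the lab's "invalid SSH users" case. CloudWatch Logs treats
# unquoted terms as whole words that must all appear (case-sensitive) in the log event.
FILTER_PATTERN = "Invalid user"


def matches_filter(line, pattern=FILTER_PATTERN):
    """Approximate CloudWatch Logs term matching: every whole-word term must be present."""
    return all(re.search(r"\b" + re.escape(term) + r"\b", line) for term in pattern.split())


def count_matches(log_text, pattern=FILTER_PATTERN):
    """The metric value the filter would emit for this batch of events (metricValue = 1 each)."""
    return sum(1 for line in log_text.splitlines() if matches_filter(line, pattern))


def invalid_users_by_source(log_text):
    """Attribute matching events to their source IP: context an analyst wants when the alarm fires."""
    rx = re.compile(r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)")
    hits = Counter(m.group(1) for m in map(rx.search, log_text.splitlines()) if m)
    return dict(hits)


def alarm_state(log_text, threshold=1, pattern=FILTER_PATTERN):
    """Model a Sum-statistic alarm over one period: ALARM when matches >= threshold."""
    return "ALARM" if count_matches(log_text, pattern) >= threshold else "OK"


def metric_filter_request(log_group, filter_name="SSHInvalidUser"):
    """Keyword arguments for boto3 logs.put_metric_filter (a real API); the names are assumptions."""
    return {
        "logGroupName": log_group,
        "filterName": filter_name,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": "InvalidSSHUser", "metricNamespace": "LogMetrics", "metricValue": "1"}
        ],
    }
```

Note that the lowercase "Failed password for invalid user" line is not counted, because term matching is case-sensitive; a production filter should cover both spellings or use a second filter.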

Lab Objectives

Upon completion of this lab you will be able to:

  • Configure an EC2 instance to use the CloudWatch log agent
  • Verify the log agent status
  • Locate a few key security related log files and view them on the EC2 instance
  • Create a Simple Notification Service (SNS) topic
  • Subscribe to an SNS topic
  • Use CloudWatch to monitor a log stream for a specific pattern (invalid SSH users) and send a notification via SNS

Lab Prerequisites

You should be familiar with:

  • Basic security, log file and SSH concepts
  • Using the Linux command line (not required, but helpful)

Lab Environment

Before completing the lab instructions the environment will look as follows:

  • An EC2 instance with the CloudWatch Log Agent configured and running
  • A custom IAM Role with a Policy that allows the EC2 instance to communicate with Amazon CloudWatch

After completing the lab instructions the environment should look similar to:

About the Author

Students: 13260
Labs: 14

Greg has been a consistent high performer for pioneering technologies in the wireless web industries with an illustrious career that is testament to his breadth of knowledge. Dabbling with MS Azure, at Cloud Academy, Greg really thrives on evangelizing the benefits of Amazon Web Services. A dedicated and passionate professional who learns new and emerging technologies quickly, Greg always ensures the highest quality and calibre of everything he produces.