Monitoring the security of a cloud environment like AWS is an important but also complex task. There are a lot of built-in security tools in AWS, like AWS Security Hub, AWS Config or AWS Trusted Advisor, and there are also third-party tools like CloudTracker, which helps you find over-privileged users, that you can use in addition to check your AWS environment. All these tools need a considerable amount of time to configure and evaluate. What if you could also use external tools for this purpose?
The SaaS platform AquaWave is a cloud-native application protection platform. As illustrated in the following graphic, AquaWave protects the entire stack in the process of building and running cloud applications.
AquaWave provides support for numerous cloud platforms like AWS, Azure, Google Cloud and Oracle Cloud. In this article we will concentrate on AWS and a specific product of Aqua Security, a company founded in 2015. Aqua Cloud Security Posture Management (CSPM) is part of the “Secure the Infrastructure” area of AquaWave and a comprehensive solution for multi-cloud security posture management.
Before we describe the features of CSPM in general and the details of the remediation features, we first have a look at two different editions of Aqua CSPM. As already mentioned, Aqua CSPM runs in SaaS mode in Aqua Wave. But there is also an open-source edition named CloudSploit, which you can host yourself. You will find detailed installation and configuration instructions on GitHub.
The overall process of CSPM and CloudSploit is as follows: first, information about the configuration of the infrastructure in your AWS environment is collected by querying various APIs in your account. Subsequently, the information is analyzed to produce a report as output.
Features of CSPM
So, what are the key features of Aqua CSPM, and how does CSPM compare to built-in AWS security tools?
The following list from the CSPM documentation shows examples of findings that CSPM can detect when scanning your environment:
- Misconfigured storage buckets exposed publicly
- Compute and database resources with unintended public access
- The use of encryption in transit and at rest across cloud services
- User policy definitions to ensure least-privileged access to resources
- Changes to critical resources such as firewall rules, logging groups, or account settings
- Activity in unused or unexpected cloud provider regions or locations
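As an added example (not code from the original article, from CloudSploit, or from Aqua CSPM), the following Python sketch shows the collect-then-analyze process described above applied to the first finding in the list, publicly exposed S3 buckets. The function names, the `Finding` type and the sample inventory are assumptions; the only AWS API calls used are the real boto3 S3 client methods `list_buckets`, `get_public_access_block` and `get_bucket_acl`, and the analysis step is a pure function so it can be exercised offline on constructed data.

```python
"""Added example: a minimal collect-then-analyze scan for publicly exposed S3
buckets. Illustrative code, not CloudSploit's or Aqua CSPM's implementation;
the function names and data shapes are assumptions."""
from dataclasses import dataclass

# ACL grantee URIs that make a bucket readable by the world or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


@dataclass
class Finding:
    resource: str
    status: str    # "PASS", "WARN" or "FAIL"
    message: str


def collect_s3_inventory(s3_client):
    """Collect step: query the S3 API (a boto3 client) for every bucket's
    public-access-block settings and ACL grants. Returns plain dicts so the
    analysis step never touches the SDK and can be tested offline."""
    from botocore.exceptions import ClientError  # lazy import; only needed for live runs

    inventory = {}
    for bucket in s3_client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            block = s3_client.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            # A bucket with no configuration at all behaves as "nothing blocked".
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            block = {}
        grants = s3_client.get_bucket_acl(Bucket=name)["Grants"]
        inventory[name] = {"public_access_block": block, "grants": grants}
    return inventory


def analyze_s3_inventory(inventory):
    """Analyze step: one finding per bucket, mirroring the "misconfigured
    storage buckets exposed publicly" check from the list above."""
    findings = []
    for name, data in inventory.items():
        block = data["public_access_block"]
        fully_blocked = all(block.get(key) for key in PUBLIC_ACCESS_BLOCK_KEYS)
        public_grants = [
            g["Permission"] for g in data["grants"]
            if g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        ]
        # A public ACL grant is only effective while IgnorePublicAcls is off.
        if public_grants and not block.get("IgnorePublicAcls"):
            findings.append(Finding(name, "FAIL",
                "ACL grants %s to a public group" % ", ".join(sorted(set(public_grants)))))
        elif not fully_blocked:
            findings.append(Finding(name, "WARN", "public access block is not fully enabled"))
        else:
            findings.append(Finding(name, "PASS", "bucket is not publicly accessible"))
    return findings


# Constructed sample inventory in the same shape collect_s3_inventory() returns.
SAMPLE_INVENTORY = {
    "example-public-logs": {
        "public_access_block": {},
        "grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    },
    "example-partially-blocked": {
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
        "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                    "Permission": "FULL_CONTROL"}],
    },
    "example-locked-down": {
        "public_access_block": dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, True),
        "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                    "Permission": "FULL_CONTROL"}],
    },
}


def scan_sample():
    """Run the analysis step over the constructed inventory."""
    return analyze_s3_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    # For a live scan, replace SAMPLE_INVENTORY with collect_s3_inventory(boto3.client("s3")).
    for finding in scan_sample():
        print(f"{finding.status:4} {finding.resource}: {finding.message}")
```

Separating collection from analysis is the design point worth copying: the collector needs read-only credentials and network access, while the analyzer is deterministic over a snapshot, which is what lets a posture tool re-run checks, compare reports over time and add new rules without re-querying the account.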
You may think that there are also built-in tools in AWS that can assist you in detecting those findings. Although this is correct, it can still make sense to use external tools like CSPM in addition to or as a supplement to these built-in tools for the following reasons:
- Fully managed tool: CSPM receives platform updates automatically, which means you benefit from Aqua product updates with no additional configuration needed. The CSPM developers update the product when AWS adds new services or features.
- Multi-cloud: If your company has cloud environments from different vendors (not only AWS), you need only one product that can protect all environments.
- You can integrate third-party tools such as Slack, Microsoft Teams or Splunk. Together with a REST API for custom use cases, this gives you more flexibility than command-line tools whose output is only available on standard output (stdout). You can integrate Aqua CSPM into your overall system monitoring environment.
- Advanced reporting features and formats can generate output for different stakeholders.
- Remediations for manual or automated error correction.
Monitoring your cloud environment and looking for security violations is the first step when using tools like Aqua CSPM. But what happens when a security violation is detected? Of course you need a notification about the problem: your administrators and other people in your organization must be informed about the finding. But the most important task is to close the security gap. Who must execute which actions? For this purpose, Aqua announced the general availability of CSPM Remediations for AWS in summer 2020.
Although CSPM gives you plenty of information (scan reports, links to further documentation, and integrations with third-party tools like Slack for quick alerts when a security problem is detected), without remediations it is solely the responsibility of your employees to react correctly and quickly. Remediations now give you the ability to automatically remediate issues that are detected in your cloud environments.
Remediations can be divided into two groups:
- Manual remediations: Each finding in a report is followed by a new “Remediate” button. The administrator can decide to execute the remediation by clicking the button.
- Automated remediations: Each finding is remediated by the system immediately according to a policy, which has to be configured in advance.
By default, Aqua CSPM will not make any changes to your account. Instead, you have to define a policy that grants the tool explicit permission to make the changes. The “manual remediations” option needs this policy as well, but here the decision to execute the changes is up to the administrator.
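To make the default-deny behaviour and the difference between manual and automated remediation concrete, here is an added example in Python (not Aqua CSPM's code; the policy format, function names and audit entries are assumptions). A remediation runs only when a policy explicitly grants the action, and in manual mode additionally only when an administrator has approved it; every decision, executed or not, is logged. The recording S3 client is constructed for the sample run; against AWS the same call would go to the real boto3 `put_public_access_block` method.

```python
"""Added example: a remediation gate that changes nothing unless a policy
explicitly allows the action, with manual mode requiring operator approval.
Illustrative code; the policy format and names are assumptions, not Aqua CSPM's."""
from dataclasses import dataclass, field

# The S3 settings the remediation applies: every public-access switch on.
FULL_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


@dataclass
class RemediationPolicy:
    mode: str = "off"   # "off" (default: never change anything), "manual" or "automatic"
    allowed_actions: set = field(default_factory=set)   # actions the policy explicitly grants


def remediation_decision(action, policy, approved_by=None):
    """Decide whether `action` may run under `policy`. Returns (allowed, reason)."""
    if policy.mode not in ("manual", "automatic"):
        return False, "remediations are disabled by default"
    if action not in policy.allowed_actions:
        return False, f"policy does not grant {action}"
    if policy.mode == "manual" and not approved_by:
        return False, f"{action} is waiting for an administrator to click Remediate"
    return True, f"{action} permitted ({policy.mode} mode)"


def remediate_public_bucket(s3_client, bucket, policy, approved_by=None, audit_log=None):
    """Apply the full public access block to `bucket` if the policy allows it.
    Every decision is appended to `audit_log`, so manual and automatic runs
    leave the same trail of who approved what and why it was skipped."""
    action = "s3:PutPublicAccessBlock"
    allowed, reason = remediation_decision(action, policy, approved_by)
    entry = {"bucket": bucket, "action": action, "executed": allowed,
             "reason": reason, "approved_by": approved_by}
    if audit_log is not None:
        audit_log.append(entry)
    if allowed:
        # Real boto3 S3 client method; the fake client below records it instead.
        s3_client.put_public_access_block(
            Bucket=bucket, PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK)
    return entry


class RecordingS3Client:
    """Constructed stand-in for a boto3 S3 client: records calls instead of
    talking to AWS."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


def demo():
    """Walk one finding through the policy modes; returns (audit log, API calls)."""
    client = RecordingS3Client()
    audit = []
    bucket = "example-public-logs"   # constructed bucket name
    grants = {"s3:PutPublicAccessBlock"}
    # 1. default policy: nothing happens
    remediate_public_bucket(client, bucket, RemediationPolicy(), audit_log=audit)
    # 2. manual mode, nobody clicked Remediate yet: nothing happens
    remediate_public_bucket(client, bucket, RemediationPolicy("manual", grants), audit_log=audit)
    # 3. manual mode with an administrator's approval: executed
    remediate_public_bucket(client, bucket, RemediationPolicy("manual", grants),
                            approved_by="alice", audit_log=audit)
    # 4. automatic mode with the action granted: executed immediately
    remediate_public_bucket(client, bucket, RemediationPolicy("automatic", grants), audit_log=audit)
    return audit, client.calls


if __name__ == "__main__":
    audit, calls = demo()
    for entry in audit:
        print("EXECUTED" if entry["executed"] else "SKIPPED ", entry["reason"])
    print(f"{len(calls)} API call(s) made")
```

Note that the allow-list is checked in automatic mode as well: granting "automatic" does not mean "anything", only the actions the policy names, which is the property to look for when you hand a posture tool write access to an account.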
Although there are already numerous built-in tools for AWS security, have a look at the Aqua tools. Don’t see Aqua products as competition, but as a complement to the AWS built-in tools.
The Aqua platform is also mentioned in a Gartner report, where Gartner recommends that “SRM leaders looking to improve their cloud workload protection should: Consider a comprehensive cloud-native application protection platform that combines the needs mentioned above — container scanning, serverless scanning, CWPP and CSPM — in a single platform.” The report names Aqua Security as one of three example vendors that converge CWPP (Cloud Workload Protection Platform) and CSPM capabilities.
In 2020 we started our partnership with Aqua Security. See our blog entry for more on why you should enhance your cloud security arsenal with Aqua Security and A&B.
If you have any questions about the Aqua products in the context of AWS security, feel free to use our Contact Form.