Martech Company Strengthens AWS Security Through Standardization

Assessing needs

During the assessment phase of the engagement, NTT DATA AWS consultants worked with the client to review the current state of the security environment. They conducted a thorough gap analysis between its current and desired security states, reviewing everything from logging to networking and access management. From this analysis, consultants developed a detailed, custom roadmap that included a mutually agreed upon architecture design and a prioritized list detailing key technological decisions around a securely built landing zone, compliance monitoring, alerting, and in some custom cases, auto remediation.

Delivering the right solution

Using the roadmap created in the assessment, the NTT DATA AWS consulting team began the work to create a standard security posture across all AWS environments, while providing artifacts that can help the team replicate the process for future acquisitions. Using an Agile methodology, NTT DATA began the process of ensuring all applicable CIS rules were applied consistently to AWS accounts. Beginning with the foundation, they built an AWS landing zone account architecture, including the set up of Jenkins with proprietary libraries that establish a foundation for DevOps automation. NTT DATA also applied account identifiers that ensure the principle of least privilege is applied so that only authorized personnel can make changes.

Automating account hardening

The client wanted to ensure that existing AWS Accounts were consistently hardened to the same CIS standards and applied the same AWS security best practices. The account hardening process involves implementing several best practices and configuration changes for different AWS services. AWS CloudFormation templates automated the hardening of AWS accounts; the primary AWS CloudFormation template for hardening does its work by invoking other templates that, in turn, execute different configuration changes in the account. Through these nested AWS CloudFormation templates, hardening was achieved and maintained with:

• AWS Config configuration recorders were enabled, allowing the service to capture changes to system configurations, saving them as configuration items (CIs). AWS Config also allows the client’s team to create and store its desired configuration state and associated rules. AWS Config is integrated with a ServiceNow CMDB which stores all AWS resource CIs.
• Bespoke IAM Groups and rules for roles like developer, incident response, DevOps, and more. These custom roles ensure that least privilege access is enforced.
• Default VPCs removed and replaced with VPCs with proper security and auditing controls.
• Hardened password policy, ensuring that stringent password policies are in place and enforced.
• AWS CloudTrail provides AWS account auditing through a stored event history that makes it easier to audit for CIS compliance while detecting unexpected account activity. Across all regions, AWS CloudTrail automatically pushes its event log to an audit bucket and CloudWatch Logs. The NTT DATA consultants also created an SNS alert for CloudWatch alarms, that notifies the client when an account deviates from its expected configuration.
• A CIS Level 2 template that ensures the secure configuration of hardened images.

To further automate the process, the teams worked together to build a Jenkins-powered pipeline job that executes different jobs in stages to harden an account. Jenkins ensures the secure creation and distribution of Amazon Machine Images (AMIs) across various AWS accounts, providing the data required to launch secure instances. It also creates S3 buckets for DevOps and auditing, applies CIS Foundation benchmark rules and enables Amazon GuardDuty for threat detection.

LogRhythm, an information and event management tool, is integrated as part of the account hardening so that any new or existing AWS account is consistently created to allow LogRhythm access to logs of that account.

Through a fully automated security process, the company standardized for Level 2 CIS hardening across its AWS accounts, implemented with a CIS compliance dashboard for easy monitoring and ongoing management.

Improving file integrity monitoring

The martech firm also sought to harden its Amazon infrastructure with the help of file integrity monitoring (FIM). As part of a best practice security regime as recommended by CIS Critical Security Control 3.5, FIM helps identify and explain system changes, flagging unexpected change for follow-up. In this way, organizations can keep their systems in a known good state while creating an audit trail for compliance purposes.

Rethinking storage with Amazon S3 buckets

NTT DATA’s AWS consulting team began this portion of the project with Amazon Simple Storage Service (S3) buckets, the cloud provider’s public cloud storage. Each time an operation is taken on an S3 object, it creates a data event. Detailed information – like who, when, what, and where – can accompany these data events. To capture and log S3 data events, NTT DATA enabled S3 Object Level Logging which works in tandem with AWS CloudTrail.

Maintaining compliance with AWS CloudTrail

Powered by a logged event history, AWS CloudTrail is Amazon’s service for compliance auditing and flagging unusual activity in AWS accounts. The solution records S3 data events such as GetObject, DeleteObject, and PutObject, into an AWS CloudTrail Audit account log for increased visibility and to provide a historical record for compliance reporting. This allows the security team to run S3 object level logging as part of its account hardening jobs to ensure all previously created S3 buckets have the necessary security measures in place.

Validating log file integrity

While recording events into AWS CloudTrail logs is a necessary first step, to ensure log integrity, file integrity monitoring is necessary. And AWS CloudTrail file integrity validation provides evidentiary-grade log files. With the integrity of log files validated and compliance ensured, the company has a detective control in place that satisfies audit and legal requirements.

Security at scale

To ensure that the security system scales, the consulting team employed automation that validates weekly the integrity of log files from S3 buckets. This allows the security team to provide reports, as needed. Moreover, integrity failure notifications are automatically forwarded via SNS to an Active Directory group, the SecOps team, for further investigation – and to avoid noisy alerting. Last, an evidence trail of the automations was created, proving that the integrity validation job itself ran, giving the SecOps team a recorded history of the validation job.

Building cloud foundations benefits

The martech firm’s proactive security control standardization efforts have helped it attain hardened AWS systems and accounts. Moreover, AWS CloudTrail file integrity validation has helped it achieve evidentiary-grade logs that meet legal and regulatory requirements. In this way, the company can reconcile its S3 object level changes, quickly flagging unexpected events to the security team for further investigation, and remediation when needed.

In addition, the company now has an established, defendable security position within its AWS environment, complete with a security best practice framework supported by Level 2 CIS benchmarks. This standardized security posture allows the company to securely onboard future acquisitions while streamlining auditability. Moreover, with guard rails and custom auto remediation in place, the development team can innovate at the speed of the market, knowing that AWS security is consistently achieved.