eBooks & Reports

O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576

Contents of this Issue

Navigation

Page 27 of 32

If you are uploading periodic logs to your bucket, your application might need these logs for a week or a month after creation, and after that you might want to delete them. Some documents are frequently accessed for a limited period of time. After that, these documents are less frequently accessed. Over time, you might not need real-time access to these objects, but your organization or regulations might require you to archive them for a longer period and then optionally delete them later. You might also upload some types of data to Amazon S3 primarily for archival pur‐ poses, for example digital media archives, financial and healthcare records, raw genomics sequence data, long-term database backups, and data that must be retained for regulatory compliance. Conguration Management - an overview of AWS Cong Config provides you with a detailed inventory of your AWS resources and their cur‐ rent configuration, and continuously records configuration changes to these resour‐ ces (e.g., ingress/egress rules of security groups, Network ACL rules for VPCs, and the value of tags on Amazon EC2 instances). You can evaluate these configurations and changes for compliance with ideal configurations defined by AWS Config Rules. You can create AWS managed rules using pre-built templates created and managed by AWS, or create your own custom rules. Using AWS Config, you get an inventory of your AWS resources with all configura‐ tion details, determine how a resource was configured at any point in time, and get notified via Amazon SNS when the configuration of a resource changes, or when a rule becomes noncompliant. You can use the information provided by AWS Config for a variety of purposes, including auditing and compliance, change management, and troubleshooting. Continuously Record and Evaluate Congurations AWS Config automatically records a resource's configuration when it changes and evaluates any rules that are triggered by this change. You don't need to poll resource APIs or maintain your own external datastore. The configuration of the resource and its overall compliance against rules is presented in a dashboard. AWS Config takes the relationships among resources into account when recording changes. For example, if a new Amazon EC2 Security Group is associated with an Amazon EC2 Instance, AWS Config records the updated configurations of both the Amazon EC2 Security Group and the Amazon EC2 Instance. AWS Config also integrates with AWS CloudTrail, a service that records AWS API calls for your account and delivers API usage log files to you. If the configuration change of a resource was the result of an API call, AWS Config also records the AWS 26 | Chapter 4: Cloud Computing Foundational Security Leading Practices

Articles in this issue

view archives of eBooks & Reports - O'Reilly's Automating Security in the Cloud