
Amazon Web Services (AWS) Security Monitoring with Securonix
These days it is quite common for enterprises to run workloads in the cloud. However, as organizations make this transition, securing business-critical applications and data is a key challenge.
Monitoring the security events in your cloud infrastructure is critical in order to detect and mitigate cyber threats before they lead to a major cyber incident or a data breach.
AWS is a mature public cloud vendor with a large variety of services. Securonix integrates with AWS services in order to access event information, allowing for context determination and the clear identification of threats, threat hunting and automated incident response.


Solution Benefits
- Streamlined, direct API integration enables fast event gathering.
- Complete AWS log coverage, including Amazon Virtual Private Cloud (VPC), Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), login, and API events.
- Enrichment of data with additional context for threat modeling.
- Out-of-the-box bi-directional integrations for Amazon Simple Storage Service (S3), Amazon CloudWatch, and Amazon GuardDuty.
- Data Insights: Securonix for AWS enables you to visualize activities and changes in your AWS infrastructure with out-of-the-box dashboards and reports that can be easily customized.
Securonix Integration with AWS
Securonix security monitoring for AWS monitors various AWS components for signs of advanced threats and targeted attacks.
Securonix collects and analyzes logs across various AWS activities, including:
- Login events
- Amazon Elastic Compute Cloud (EC2) configuration events
- Elastic Load Balancing (ELB) logs
- Amazon Virtual Private Cloud (VPC) connection logs
- AWS Identity and Access Management (IAM) activities
- AWS CloudTrail API activity logs
- Amazon CloudWatch infrastructure logs
- Amazon GuardDuty alert integration
- Amazon Simple Storage Service (S3) cloud log aggregator


Common Use Case Scenarios
Securonix security monitoring for AWS enriches and correlates events from AWS with contextual data and event logs from other on-premises and cloud data sources in order to monitor for insider and cyber threat patterns.
Key use cases include:
- Unauthorized access such as a login from a rare IP or geolocation, a spike in failed logins, a land speed anomaly, or a malicious IP.
- Amazon EC2 configuration anomalies such as a spike in instance creation or deletion, suspicious admin activities, or a rare instance.
- Suspicious AWS IAM activity such as suspicious user creation, admin privilege changes, password policy changes, or rare privileged activity.
- Anomalous API connections including from a rare IP or geolocation, or a malicious IP address.
- Suspicious Amazon VPC traffic including port scans or connections on anomalous ports.
Threat Modeling by Correlating Alerts
Securonix threat models stitch together indicators of compromise across data sources – including AWS – in order to detect targeted attacks.
For example, when it comes to a cryptojacking attack, some indicators of compromise that Securonix can connect across data sources could include:
- A suspicious console login, such as a login from a rare location or a land speed violation found in the AWS console logs.
- A related permission elevation found in the AWS IAM logs.
- A spike in instance starts, or a rare instance start, found in the Amazon EC2 configuration logs.
- AWS CloudTrail logging being disabled according to the AWS IAM logs.
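The correlation described above, as an added illustration that is not Securonix code: a small Python detector that reads CloudTrail-style records, tags each identity with the four cryptojacking indicators listed (rare-location console login, admin privilege grant, instance-launch spike, trail logging disabled), and alerts only when several line up for one user. The sample log, the per-user geolocation baseline, and the `geoCountry` enrichment field are constructed for the example; the threshold values are arbitrary.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records trimmed to the fields the checks read.
# "geoCountry" stands in for the geolocation enrichment a SIEM adds; it is not
# a native CloudTrail field.
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.7","geoCountry":"XX"}
{"eventName":"AttachUserPolicy","userIdentity":{"userName":"alice"},"requestParameters":{"userName":"alice","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventName":"RunInstances","userIdentity":{"userName":"alice"},"requestParameters":{"instancesSet":{"items":[{"maxCount":20}]}}}
{"eventName":"StopLogging","userIdentity":{"userName":"alice"},"requestParameters":{"name":"org-trail"}}
{"eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.9","geoCountry":"US"}
{"eventName":"RunInstances","userIdentity":{"userName":"bob"},"requestParameters":{"instancesSet":{"items":[{"maxCount":2}]}}}
"""
# Constructed baseline: countries each user normally logs in from.
BASELINE_GEO = {"alice": {"US"}, "bob": {"US", "CA"}}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def parse(log_text):
    """One JSON record per line, as a flattened CloudTrail export would give."""
    return [json.loads(line) for line in log_text.strip().splitlines()]

def indicators_by_user(events, baseline_geo, instance_threshold=5):
    """Map each user to the sorted list of indicators their events triggered."""
    hits = defaultdict(set)
    launched = defaultdict(int)  # running count of instances requested per user
    for ev in events:
        user = ev["userIdentity"].get("userName", "unknown")
        name = ev["eventName"]
        params = ev.get("requestParameters", {})
        if name == "ConsoleLogin" and ev.get("geoCountry") not in baseline_geo.get(user, set()):
            hits[user].add("rare_geo_login")
        elif name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
                and params.get("policyArn") == ADMIN_POLICY:
            hits[user].add("admin_privilege_grant")
        elif name == "RunInstances":
            launched[user] += sum(i.get("maxCount", 1) for i in params["instancesSet"]["items"])
            if launched[user] > instance_threshold:  # spike relative to the (constructed) baseline
                hits[user].add("instance_spike")
        elif name in ("StopLogging", "DeleteTrail"):
            hits[user].add("cloudtrail_disabled")
    return {u: sorted(s) for u, s in hits.items()}

def correlated_alerts(events, baseline_geo, min_indicators=2):
    """Users for whom independent indicators line up: the threat-model alert, not a single-event alert."""
    return sorted(u for u, inds in indicators_by_user(events, baseline_geo).items()
                  if len(inds) >= min_indicators)

if __name__ == "__main__":
    print(correlated_alerts(parse(SAMPLE_LOG), BASELINE_GEO))  # ['alice']
```

Bob's single low-volume launch from a known country produces no alert, which is the point of correlating indicators rather than paging on each one.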


Data Insights
Securonix security monitoring for AWS enables you to visualize activities and changes in your AWS infrastructure with out-of-the-box dashboards and reports that can be easily customized.
AWS Validated Security Competency
Securonix has achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes that Securonix has demonstrated technical proficiency and proven customer success in delivering SIEM as a service on the AWS platform.
Achieving AWS Security Competency differentiates Securonix as an AWS Partner Network (APN) member that offers specialized software designed to help organizations adopt, develop, and deploy complex security projects on AWS. To receive the designation, APN partners must possess deep AWS expertise and deliver solutions seamlessly on AWS.
