Post-Onboarding for AWS cloud accounts

This section covers assessment validation & governance configuration for your Cloud accounts.

Add cloud accounts into CoreStack. You can see accounts listed as part of the account governance dashboard. You can check if CoreStack has valid permission to assess the data from cloud account and complete the governance configurations. During on-boarding, you can create following resources:

1. Cloud Trail: This feature allows you to log, monitor, and retain account activity related to actions across your AWS infrastructure.

   CoreStack requires a Cloud Trail to be available in each of your AWS regions. Cloud Trail is available with the resources running on your account. CoreStack will fetch all the users, account and resources related activity from Cloud Trail and publish in operation posture in CoreStack. You may select an existing trail or create a new trail. Such new trails created may attract additional charges.

   (Note: The first trail is free of cost. Any additional trail may involve charges).

2. S3 Buckets: As part of the cloud trail configurations, S3 buckets are also created in the respective AWS regions to collect the logs. Cloud Trail will keep all logs and activity in respective S3 bucket. We can create a new S3 bucket or choose an existing S3 bucket for storing the trail log files.

• a) For existing trail, there are no new buckets created.
• b) To create a new trail, the corresponding S3 Bucket will be created and there will be a charge associated with it.

3. CloudWatch: This is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

   CloudWatch can monitor AWS resources such as EC2 instances, DynamoDB tables and RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. Alarms will be created for selected metrics for various resource types supported by CoreStack.

   Post on-boarding, you will see the list of metrics for each resource type. You can define monitoring thresholds and alerts in CoreStack.

4. GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

   CoreStack requires a GuardDuty to be available in each of your preferred AWS regions. CoreStack will fetch all identified threat by GuardDuty and publish in Security posture in CoreStack. You may select an existing GuardDuty to be used or choose the option to create a new GuardDuty.

   (Note: Creating new GuardDuty instances may attract additional charges.)

5. Inspector: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

   Assessment target needs to be enabled in AWS console to group the AWS EC2 instances to run the assessment. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. CoreStack requires an Inspector to be available in each of your preferred AWS regions. CoreStack will fetch all identified vulnerabilities by Inspector and publish in Security posture in CoreStack.

   You may select an existing Inspector to be used or choose the option to create a new Inspector in AWS console and then select the new Inspector when made available in CoreStack.

   (Note: Creating new Inspector instances may attract additional charges.)

📘

Note:

CoreStack currently supports the Inspector Classic version. However, the other version will also be supported soon.

Assessment validation for onboarded AWS account in CoreStack:

• Click View under Actions and select View Settings.
• Click Assessment Validation and Select Operations and Click Re-Validate.
  This will validate if assigned permission to CoreStack is intact.
• On Successful validation will reflect as permission Allowed.
• Perform the same validation for Security & Cost pillar.

Governance configuration for Onboarded AWS account:

Configuring Operation Pillar in CoreStack for onboarded Account

• Click View under Actions and select View Settings.
• Click Governance Configuration and Select Operations.
• Expand Activity logs and Click Configure.
• Select ‘Create New / use Existing’ based on cloudtrail availability in onboarded
  cloud account and click Next.
• Select desired Region and Cloudtrail for selected region.
• Click Validate and Save.
• Click Finish.
• Expand Alerts and click configure .
• Select Create Sample Alert and click Next.
• Click Validate and Next.
• Add respective email address/Webhook/MS Teams Webhook for alert notification.
• Click Finish.

Configuring Security Pillar in Corestack for onboarded Account

• Click Governance Configuration and select Operations.
• Expand Threat Management and click Configure.
• Select Create New / Check existing configuration based on AWS GuardDuty
  availability in onboarded cloud account and click Next.
• Select desired Region and click Validate.
• Click Save & Finish.
• Expand Vulnerability Assessment and configure.
• Select Check Existing Configuration and click Next.
• Select desired Region and click Validate.
• Select Save & Finish.
• Expand Notification Settings and configure notification list based on your
  requirements. Click Save & Apply.

Configuring Cost Pillar in CoreStack for onboarded Account

Enable Cost Anomaly. This will alert us if any deviation of cost from the baseline settings.

• Click Governance Configuration and Select Cost.
• Expand Cost Anomaly.
• Enable Cost Anomaly and configure notification list of Email address or
  Webhook.
• Click Save & Apply.