Cloud Configuration Assessment is an InsightVM feature that provides a security-focused view into your cloud environment. Capabilities are centered around the ability to identify and remediate cloud misconfigurations, an increasingly important concern in today's ever-evolving world. Since the policies and settings that affect the security of a resource in the cloud can change in an instant, it is valuable to maintain visibility into the current state of all your resources.
Here, we will delve into how to enable Cloud Configuration Assessment to maintain an even more dynamic view of an AWS account through integrating with—and responding to—events from CloudTrail.
What Cloud Configuration Assessment in InsightVM does today
Cloud Configuration Assessment defaults to re-collecting data on and re-assessing resources at built-in intervals to update the state of their data every couple of hours. While this maintains a fairly accurate state of data for resources that do not change often (ex: an IAM policy in which content is only updated every few months), changes in resources that are created, deleted, and updated in the span of hours may not be reflected in Cloud Configuration Assessment until a few hours after the event in the account.
What is CloudTrail?
CloudTrail is a service to record and audit events that happen in an Amazon Web Services (AWS) account or organization. Actions taken, whether they be through using the Console, CLI, or other ways of interacting with resources, are all recorded as CloudTrail events, and a CloudTrail trail can be configured to deliver messages about those events to other services and applications. The trail can be configured to track events in specific regions, specific categories of events, etc., and provide more real-time visibility into changes to resources in the AWS account.
How does connecting CloudTrail to Cloud Configuration Assessment help?
Integrating with CloudTrail allows Cloud Configuration Assessment to dynamically respond to events that happen in an AWS account's environment. Cloud Configuration Assessment by default currently collects data on a daily schedule, pulling data for resources every two to 12 hours depending on type of resource. By configuring Cloud Configuration Assessment to use the CloudTrail integration, a customer is able to get a more real-time view of their environment. When CloudTrail is enabled, Cloud Configuration Assessment is able to retrieve those log events about changes in the account environment and update the data that it stores on the related resources.
For example, since data for S3 buckets is only scheduled to be re-collected every couple of hours, if a specific bucket's policy is updated a few minutes after data collection completes and the policy now has a new statement that allows public access for all actions, that policy update would not be reflected in Cloud Configuration Assessment until hours later when data for all S3 buckets is re-collected.
In the reverse situation, where the policy was previously failing a rule in Cloud Configuration Assessment but is remediated a few minutes after data collection on that resource is completed, that change would also not be reflected in InsightVM until data on that resource is collected again, and the finding would continue to be marked as a fail instead of quickly switching to a passing status.
However, if CloudTrail is enabled to track events in that AWS account and Cloud Configuration Assessment is configured to read the CloudTrail trail event messages for those events, then Cloud Configuration Assessment can react by quickly getting the current state of the S3 bucket so that the data in InsightVM is updated mere minutes later, instead of hours.
Also, if a resource like an EC2 instance is created or deleted and the integration with CloudTrail has not been enabled, the presence or absence of that resource in an AWS account will only be reflected in Cloud Configuration Assessment hours later. Enabling Cloud Configuration Assessment access to CloudTrail events would not only result in more timely updates on the state of individual resources, but also result in more timely updates of the overall view of which resources are currently deployed in an AWS account.
Configuring CloudTrail to be used with Cloud Configuration Assessment
To connect Cloud Configuration Assessment in InsightVM to CloudTrail, you will need to set up a CloudTrail trail in the specific AWS account or organization that you want visibility into, with the trail publishing events to an SNS topic that forwards those messages to an SQS queue. The SQS messages will contain the S3 location where the full event information document is stored. Then, the IAM role currently used to configure the AWS account connection for Cloud Configuration Assessment will need to be given permissions to access both the SQS queue and S3 bucket. Once you set up the trail, bucket, topic, and queue in your AWS account and your IAM role has been granted permissions to read from the queue and bucket, the queue ARN will need to be added to the existing account configuration for Cloud Configuration Assessment.
For more detailed, step-by-step instructions on connecting Cloud Configuration Assessment and CloudTrail, check out our help documentation.Interested in Cloud Configuration Assessment, but not yet an InsightVM customer? Sign up today for a free 30-day InsightVM trial to test it out for yourself!