Monitoring and Logging mechanism for activities inside AWS EC2


Hi AWS, I have some windows service running on EC2 windows server and the challenge we are facing currently is if a service gets stopped or deleted accidentally by someone in the team it is hard to rectify as every user is using the same Administrator credentials to login into that given machine. However when I checked CloudTrail it records the events performed on AWS EC2 but not across the events occurring around windows services.

Also I know that Administrator access is not the appropriate access for everyone in the team as it increases the surface attack of risks and anyone can delete/modify the existing files and folders which is a security bottleneck. Also the servers are not tagged and in case we need to retire any old servers it is very hard to track.

I need to figure out a way where I can build some monitoring and logging mechanism within the server like file deletion, service started/stopped other than the general events happened on EC2. And also how can we implement DevSecOps to bring security along with compliance following the concept of Operational Excellence.

Please guide.

1 Answer

Here are some suggestions to address the concerns raised in the question:

  • To monitor services and log file deletions on EC2 Windows instances, you can configure the CloudWatch Logs agent to collect and send logs to CloudWatch Logs. This will provide visibility without needing administrator access on instances.
  • Use IAM roles with least privilege access instead of shared administrator credentials. Attach appropriate policies to allow specific actions without full administrator access.
  • Tag your EC2 instances with relevant metadata like environment, application etc. This will help track and filter instances for retirement or other managenent tasks.
  • Leverage AWS Config to monitor configuration changes and track configuration history. Configure notifications and remediation actions for non-compliant configurations.
  • Implement security best practices like regular vulnerability scans, patching, log monitoring etc. as part of the development and deployment process.
  • Integrate security checks and compliance validation as part of code reviews, testing and deployment pipelines. Address issues before code is deployed to production.
  • Use AWS security services like Secrets Manager, IAM roles, SSO etc. to manage credentials and access securely. Monitor access patterns and anomalies using AWS Security Hub.
profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions