Contextual Cloud Security Checks with Astra Alerts

Traditional CSPM or cloud security monitoring platforms run checks across various cloud resources. The challenge, however, becomes evident when scans run across thousands of cloud resources and false positives start mounting, resulting in alert fatigue. “Astra Alerts” – Cy5’s extension to traditional CSPM checks and alerting – solves exactly this.

Before we get started, let’s take a look at a simple example.

Suppose we have a use case of finding all the EC2 instances across our AWS accounts that have a public IP address attached, sit in a public subnet and have excessive permissions attached to them through an IAM role.

How would you typically solve this?

We’ll come back to this later but let’s quickly look at how a CSPM solution works.

Cloud Security Posture Management (CSPM)

A CSPM platform is a cloud security tool that is used to discover resource misconfigurations across multiple cloud environments.

Simple, right?

The tool collects metadata (configuration such as encryption settings, tags, etc.) for each resource present in the cloud and stores that metadata alongside its resource.

So, in the end, you are left with a large lake of data, containing resources of different kinds along with their metadata, all unrelated to each other.

How do we correlate cloud resources and their metadata?

Let’s get back to our use case.

EC2 instances with a public IP address, in a public subnet and with over-provisioned IAM policies.

It seems we are touching more than three different resource types.

One might think that for each EC2 instance, we can simply check:

  1. Whether it has a public IP address, then
  2. Whether the route table attached to the subnet in which the instance is deployed has an internet gateway (‘igw’) route, and
  3. Whether the role attached to the instance is permissive in nature
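The three checks above, chained over correlated resource metadata, as an added example that is not part of the original post or of Cy5’s product; the instance, route-table and role data are constructed sample records shaped like simplified AWS describe-* output, and the “permissive role” heuristic (an Allow statement with wildcard Action and Resource) is an assumption chosen for illustration:

```python
"""Correlate EC2 instances, their subnet's route table and their IAM role to
find instances that are public AND in a public subnet AND over-permissive."""

# Constructed sample metadata (simplified describe-* style records).
INSTANCES = [
    {"InstanceId": "i-0001", "PublicIpAddress": "203.0.113.10", "SubnetId": "subnet-pub", "IamRole": "AdminRole"},
    {"InstanceId": "i-0002", "PublicIpAddress": "203.0.113.11", "SubnetId": "subnet-pub", "IamRole": "ReadOnlyRole"},
    {"InstanceId": "i-0003", "PublicIpAddress": None, "SubnetId": "subnet-priv", "IamRole": "AdminRole"},
    {"InstanceId": "i-0004", "PublicIpAddress": "203.0.113.12", "SubnetId": "subnet-priv", "IamRole": "AdminRole"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc123"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-abc123"}]},
]
ROLE_POLICIES = {
    "AdminRole": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "ReadOnlyRole": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
}

def subnet_is_public(subnet_id, route_tables=ROUTE_TABLES):
    """A subnet is public if its explicitly associated route table sends
    0.0.0.0/0 to an internet gateway (igw-*). A NAT gateway does not count."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                       and str(r.get("GatewayId", "")).startswith("igw-")
                       for r in rt["Routes"])
    return False  # no explicit association found (main-table fallback not modelled)

def role_is_permissive(role_name, role_policies=ROLE_POLICIES):
    """Assumed heuristic: an Allow statement with wildcard Action on wildcard Resource."""
    for stmt in role_policies.get(role_name, []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def find_exposed_instances(instances=INSTANCES):
    """IDs of instances meeting all three conditions; each check is a join
    from the instance to a different resource type."""
    return [i["InstanceId"] for i in instances
            if i.get("PublicIpAddress")
            and subnet_is_public(i["SubnetId"])
            and role_is_permissive(i["IamRole"])]

if __name__ == "__main__":
    print(find_exposed_instances())  # ['i-0001']
```

Only i-0001 is reported: i-0002 has a read-only role, i-0003 has no public IP, and i-0004 sits behind a NAT gateway rather than an internet gateway.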

This is just one use case. You might have a bunch of similar use cases.

Doing this by hand makes little sense when you already have all the data but still need to dig through it every time you find a new resource associated with another one.

What if we tell you that there is a way to relate all this data derived from different resource types to each other?

This is what Astra Alerts does.

Astra Alerts

Astra Alerts is able to correlate metadata of various resources in the cloud such that their relationships can be established and evaluated together.

Take a look at the below relationships, for instance:

[Figure: astra alerts cy5]

Astra Alerts can evaluate these and churn out alerts such as:

[Figure: Astra Alert View]

Conclusion

As public cloud adoption and complexity increase, security teams will always face the task of reducing noise and optimising operations. Astra Alerts is one step towards achieving that, separating the cloud security configuration issues that really matter from the noise.