- Have my API credentials been compromised?
- Have I configured my security groups securely?
- Has anyone created new user accounts?
- Are new instance types being used in my environment?
- Where are my teammates accessing Amazon from?
To answer these questions you will gather data from your environment that will then be analyzed by USM for AWS to detect malicious activity and suspicious behavior. Integration with your environment is primarily driven by how much of USM for AWS you wish to use; there is no issue with performing any or all of these tasks individually over time. The more operational information that can be integrated into AlienVault USM, the better the security analysis and alerting AlienVault USM can provide. The ideal deployment would, at its best, collect the following information from your environment:
- Monitor the AWS CloudTrail Log
- Monitor ELB Access Logs
- Monitor S3 Access Logs
- Monitor the operational logs for any critical software packages deployed, for example HTTP servers, database servers, etc.
- Monitor the OS-level logs for any critical instances
- Perform asset profiling on your instances to monitor installed software packages, running processes and services
- Perform periodic vulnerability assessments
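The CloudTrail source is the one that answers most of the questions at the top of this page. The following script is an added example, not AlienVault's or USM for AWS's own code: it walks a set of CloudTrail records and raises a finding for each question (new IAM users, world-open security-group ingress, instance types not seen before, and activity from outside the team's usual networks, which is also the simplest signal of a misused credential). The record fields follow the real CloudTrail schema (`eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters`); the records themselves, the `OFFICE_CIDRS` ranges and the `KNOWN_INSTANCE_TYPES` baseline are constructed for the demo.

```python
"""Added example (not AlienVault/USM code): triage CloudTrail records against the
questions on this page. Sample records, OFFICE_CIDRS and KNOWN_INSTANCE_TYPES are
constructed assumptions; field names follow the CloudTrail record schema."""
import json
from ipaddress import ip_address, ip_network

# Assumed baseline: where the team normally works from, and which instance
# types are already in use. Anything outside these raises a finding.
OFFICE_CIDRS = [ip_network("203.0.113.0/24")]
KNOWN_INSTANCE_TYPES = {"t3.micro", "m5.large"}

# Constructed sample records, abbreviated to the fields this script reads.
SAMPLE_RECORDS = [
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
]


def load_cloudtrail(text):
    """Parse a CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text).get("Records", [])


def _ingress_rules(params):
    """Yield (fromPort, toPort, cidr) for every IPv4 range in a security-group change."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")


def analyze(records, office_cidrs=OFFICE_CIDRS, known_types=KNOWN_INSTANCE_TYPES):
    """Return a list of (category, detail) findings, one per suspicious record."""
    findings = []
    for ev in records:
        name = ev.get("eventName", "")
        who = ev.get("userIdentity", {}).get("userName", "?")
        src = ev.get("sourceIPAddress", "")
        params = ev.get("requestParameters") or {}

        # Has anyone created new user accounts?
        if name == "CreateUser":
            findings.append(("new_user", f"{who} created IAM user {params.get('userName')}"))

        # Have I configured my security groups securely? (ingress open to the world)
        if name == "AuthorizeSecurityGroupIngress":
            for lo, hi, cidr in _ingress_rules(params):
                if cidr == "0.0.0.0/0":
                    findings.append(("open_sg",
                                     f"{params.get('groupId')} opened {lo}-{hi} to 0.0.0.0/0 by {who}"))

        # Are new instance types being used in my environment?
        if name == "RunInstances":
            itype = params.get("instanceType")
            if itype and itype not in known_types:
                findings.append(("new_instance_type", f"{who} launched unseen type {itype}"))

        # Where are my teammates accessing Amazon from? / credentials used off-site?
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # events raised by AWS services carry a hostname here, not an IP
        if not any(addr in net for net in office_cidrs):
            findings.append(("offsite_access", f"{who} called {name} from {src}"))
    return findings


def summarize(findings):
    """Count findings per category, the shape a dashboard or alert digest wants."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_RECORDS):
        print(f"[{category}] {detail}")
    print(summarize(analyze(SAMPLE_RECORDS)))
```

On the constructed sample this produces four findings: the new `svc-backup` user, port 22 opened to 0.0.0.0/0 on `sg-0123`, a `p3.16xlarge` launch that is not in the baseline, and a console login from outside the office range. Read-only calls from inside the office range (the `DescribeInstances` record) raise nothing, which is the point of keeping a baseline: the same logic over a real trail only pays off once `OFFICE_CIDRS` and `KNOWN_INSTANCE_TYPES` reflect what is actually normal for the account.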