Three reasons to collect AWS asset and configuration data into Snowflake
Today’s SnowAlert release includes prebuilt Data Connectors for AWS Config and asset inventory collection. While activity logs may be top of mind, you’ll be glad to have cloud configuration and asset data in your security analytics. Here are three good reasons why.
S3 buckets can host leaky websites
Did you get asked about the terabyte of sensitive data recently discovered in a misconfigured S3 bucket used by data management firm Attunity? If so, having your S3 configuration details in Snowflake would let you confirm that your files are not similarly accessible.
A related but less familiar risk is posed by S3 bucket websites. Stay ahead of the curve by querying your configuration data for any unauthorized S3 static websites that may be leaking sensitive data.
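As an added example (not part of the original post, and not SnowAlert's own connector schema), the query below shows the kind of check described above: once S3 configuration items are in a table, a single join against an allowlist surfaces every bucket with static website hosting enabled that nobody approved, with publicly readable ones listed first. The table and column names (`s3_bucket_config`, `website_enabled`, `public_read`, `approved_websites`) are assumptions, and the bucket rows are constructed sample data; the SQL is run here against an in-memory SQLite database so the logic can be exercised offline, but the same join works unchanged against a Snowflake table.

```python
"""Find S3 buckets serving a static website without approval.

Added example: the schema names below are assumptions, not the schema
produced by the SnowAlert AWS Config connector, and the rows are
constructed sample data, not real buckets.
"""
import sqlite3

# Constructed S3 configuration items: (bucket_name, website_enabled, public_read, owner_team)
SAMPLE_BUCKETS = [
    ("corp-marketing-site", 1, 1, "marketing"),     # approved public website
    ("finance-exports-2019", 1, 1, "finance"),      # website + public read, unapproved
    ("hr-archive", 0, 0, "hr"),                     # no website hosting
    ("dev-scratch-static", 1, 0, "engineering"),    # website hosting, not public yet, unapproved
]

# Buckets that are allowed to host a static website (constructed allowlist)
APPROVED_WEBSITE_BUCKETS = {"corp-marketing-site"}

# Anti-join: website-enabled buckets with no matching allowlist row.
# Publicly readable buckets sort first because they leak immediately.
FIND_UNAUTHORIZED_WEBSITES = """
SELECT b.bucket_name, b.owner_team, b.public_read
FROM s3_bucket_config AS b
LEFT JOIN approved_websites AS a ON a.bucket_name = b.bucket_name
WHERE b.website_enabled = 1
  AND a.bucket_name IS NULL
ORDER BY b.public_read DESC, b.bucket_name
"""


def unauthorized_s3_websites(buckets=SAMPLE_BUCKETS, approved=APPROVED_WEBSITE_BUCKETS):
    """Return (bucket_name, owner_team, public_read) for unapproved website buckets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE s3_bucket_config ("
        "bucket_name TEXT PRIMARY KEY, website_enabled INTEGER, "
        "public_read INTEGER, owner_team TEXT)"
    )
    conn.execute("CREATE TABLE approved_websites (bucket_name TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO s3_bucket_config VALUES (?, ?, ?, ?)", buckets)
    conn.executemany("INSERT INTO approved_websites VALUES (?)", [(b,) for b in sorted(approved)])
    rows = conn.execute(FIND_UNAUTHORIZED_WEBSITES).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for bucket, team, public in unauthorized_s3_websites():
        exposure = "PUBLIC" if public else "private"
        print(f"{bucket:24s} owner={team:12s} {exposure}")
```

Treating the allowlist as a table rather than a hard-coded filter keeps the rule stable as the approved set changes, and the `public_read` ordering gives the triage queue a sensible priority.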
Windows servers pop up in Linux environments
Asset data can reveal the weak link within your AWS compute. For example, cloud environments that are predominantly Linux-based may contain a handful of Windows servers spun up for directory, database or testing purposes. These Windows servers might not be rogue, but unless they’re hardened, patched and monitored, they are the ideal hideout for threat actors in your environment. Use EC2 asset data to track and protect compute instances without discrimination.
Tags enrich logs with context
Context is critical for high-fidelity security analytics. Unfortunately, CloudTrail events are short on the contextual details needed for alerting on bad activity, or for not alerting on what’s expected. Resource tags are the perfect source of context for AWS events.
For example, restoring EBS snapshots by attaching them to an EC2 instance can be a great way to recover lost files. But what if the disk snapshot is being attached to an instance controlled by a malicious insider? A SnowAlert rule joining the event data to the configuration data can raise the alarm if the server isn’t tagged for “file-recovery”.
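The join described above, written out as an added example (not part of the original post and not SnowAlert's own rule syntax): CloudTrail `AttachVolume` events are joined to volume configuration to see which volumes were created from a snapshot, and then left-joined to instance tags so that only attachments to instances lacking the `purpose=file-recovery` tag survive. The table names (`cloudtrail_events`, `ec2_volume_config`, `ec2_instance_tags`), the tag key `purpose`, and all event, volume and instance rows are constructed assumptions; the SQL runs against in-memory SQLite here, but the join logic is the same on Snowflake.

```python
"""Alert on snapshot restores attached to instances not tagged for file recovery.

Added example: schema and tag key are assumptions, and every row below is
constructed sample data, not a real CloudTrail record.
"""
import sqlite3

# Constructed CloudTrail events: (event_time, event_name, instance_id, volume_id, principal)
SAMPLE_EVENTS = [
    ("2019-08-01T10:00:00Z", "AttachVolume", "i-0aaa", "vol-0111", "alice"),
    ("2019-08-01T10:05:00Z", "AttachVolume", "i-0bbb", "vol-0222", "bob"),
    ("2019-08-01T10:06:00Z", "AttachVolume", "i-0ccc", "vol-0333", "carol"),
    ("2019-08-01T10:07:00Z", "DetachVolume", "i-0bbb", "vol-0222", "bob"),
]

# Constructed volume configuration: (volume_id, snapshot_id); NULL means a fresh volume, not a restore
SAMPLE_VOLUMES = [
    ("vol-0111", "snap-0aaa"),
    ("vol-0222", "snap-0bbb"),
    ("vol-0333", None),
]

# Constructed instance tags: (instance_id, tag_key, tag_value)
SAMPLE_TAGS = [
    ("i-0aaa", "purpose", "file-recovery"),
    ("i-0aaa", "owner", "it-ops"),
    ("i-0bbb", "owner", "bob"),            # no file-recovery tag
    ("i-0ccc", "purpose", "file-recovery"),
]

# Assumed tag convention marking hosts approved to receive restored snapshots
RECOVERY_TAG_KEY = "purpose"
RECOVERY_TAG_VALUE = "file-recovery"

# Only AttachVolume events whose volume came from a snapshot and whose
# target instance has no matching recovery tag are returned.
SNAPSHOT_ATTACH_TO_UNTAGGED_HOST = """
SELECT e.event_time, e.principal, e.instance_id, e.volume_id, v.snapshot_id
FROM cloudtrail_events AS e
JOIN ec2_volume_config AS v ON v.volume_id = e.volume_id
LEFT JOIN ec2_instance_tags AS t
       ON t.instance_id = e.instance_id
      AND t.tag_key = ?
      AND t.tag_value = ?
WHERE e.event_name = 'AttachVolume'
  AND v.snapshot_id IS NOT NULL
  AND t.instance_id IS NULL
ORDER BY e.event_time
"""


def suspicious_snapshot_attachments(events=SAMPLE_EVENTS, volumes=SAMPLE_VOLUMES,
                                    tags=SAMPLE_TAGS):
    """Return (event_time, principal, instance_id, volume_id, snapshot_id) rows to alert on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cloudtrail_events (event_time TEXT, event_name TEXT, "
                 "instance_id TEXT, volume_id TEXT, principal TEXT)")
    conn.execute("CREATE TABLE ec2_volume_config (volume_id TEXT PRIMARY KEY, snapshot_id TEXT)")
    conn.execute("CREATE TABLE ec2_instance_tags (instance_id TEXT, tag_key TEXT, tag_value TEXT)")
    conn.executemany("INSERT INTO cloudtrail_events VALUES (?, ?, ?, ?, ?)", events)
    conn.executemany("INSERT INTO ec2_volume_config VALUES (?, ?)", volumes)
    conn.executemany("INSERT INTO ec2_instance_tags VALUES (?, ?, ?)", tags)
    rows = conn.execute(SNAPSHOT_ATTACH_TO_UNTAGGED_HOST,
                        (RECOVERY_TAG_KEY, RECOVERY_TAG_VALUE)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for when, who, instance, volume, snapshot in suspicious_snapshot_attachments():
        print(f"{when} {who} attached {volume} (from {snapshot}) to untagged {instance}")
```

The snapshot join matters as much as the tag join: without it, every ordinary volume attachment would fire, and the rule would be tuned out within a week. The tag key and value are passed as parameters so the same rule can be pointed at whatever convention your tagging policy actually uses.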
Getting Started
SnowAlert’s Data Connectors are quick and easy to configure. They include fields for entering your source details and they automatically configure Snowpipe to fetch data into your Snowflake warehouse.
Follow the SnowAlert documentation to get started with Snowflake for Security Analytics and share your feedback with us at snowalert@snowflake.com.