Do any folks here install any open source or paid ...
# aws
m
Do any folks here install any open source or paid product for server hardening / security monitoring software on their EC2 instances? I have a client going through PCI / SOC2 and there have been requests from the auditing team to validate that we have security monitoring tooling installed on all servers. The client primarily runs applications on EKS Fargate so we hand-wave around this for the most part, but there are a couple EC2 instances in each environment account to support a bastion and system resources running on EKS Node Groups. All are using the base, up-to-date Amazon Linux 2 AMIs. Looking for any recommendations around something simple to satisfy this requirement. Also, I’d be completely happy to hear that the community consensus is “Hey you should just hand-wave around that”.
a
ClamAV
m
Yeah, that’s the one tool that I’ve seen used in this space. Question for you: Do you actually find it useful that you install that or is it just a checked box?
a
I guess it goes along with the saying “it is better to have it and not need it, than need it and not have it”
p
There are a bunch of enterprises where this type of software is mandatory; we installed some at EA that were baked into the images.
m
EA as in Electronic Arts? Is that where you work Pepe?
p
I used to work there
c
the only commercial platform i'd come close to recommending is trend micro's deep security - but i'd only recommend that if something like ClamAV doesn't tick the boxes required - and that recommendation is quite a few years old now
m
I’m either going to go with ClamAV, OR I have a spike to investigate AWS Inspector, which has an “Inspector Agent” model you can run on your instances; I’m now interested in that as well.
Thanks for weighing in gents.
p
I use inspector, you can then do auto remediation and such based off findings using ssm
p
Inspector is an aws thing?
p
Yea
I have a lambda that auto triggers an inspector assessment on all newly created ec2s and if they don't meet a certain threshold it gets terminated or marked for termination as well as sns notifications etc
p
That is pretty cool
b
we investigated a few vendors (paloalto twistlock, aquasec, stackrox) and went with Stackrox as it was the cheapest of the three yet they still checked all our boxes for container security monitors for certain benchmarks (CIS, SOC2, HIPAA, etc.), kubernetes security best practice checks on running containers and intrusion detection. None of the vendors in this space are cheap though.