AWS Security: Monitoring Services Health Status with Python
Intro to the AWS Security Model
If you have been in the IT industry for a while, you have probably noticed that the cloud is rapidly changing the way software is developed, deployed, and utilized. Amazon Web Services (AWS) has been at the forefront of this evolution and one of the market leaders of infrastructure as a service.
Furthermore, from a security standpoint, many of the hard lessons learned from securing traditional on-premises data centers do not directly apply or translate to cloud infrastructure such as AWS.
Thus, when organizations go through a cloud migration, many of the security controls that existed in an on-premises environment do not map directly onto a cloud model.
AWS responsibility “Security of the Cloud”
AWS operates under the shared responsibility model. What this means is that security responsibilities are shared between AWS as a platform and the customers. AWS takes many precautions to keep your data secure, and AWS’s extensive documentation makes it abundantly clear which responsibilities lie with AWS and which ones are the customer’s.
The cloud relies heavily on the sharing of computer resources, physical infrastructure, and even personnel. The phrase “shared responsibility model” implies that there is a crossover when it comes to responsibilities of security in the cloud.
A good understanding of what these responsibilities entail is very important for building robust and adequately protected software systems in the cloud. Furthermore, it will help define what you can or need to do to ensure that you are building software and infrastructure that meets the security requirements and compliance demands of your organization.
AWS has a scalable and highly available global infrastructure that spans multiple regions, with multiple Availability Zones (AZs) in each region. You can learn more at regions-availability-zones.
At a high level, the AWS shared responsibility model guarantees the security and resilience of the cloud infrastructure itself (servers, data centers, network hardware, etc.), while the customer is responsible for the security of the resources that exist in the AWS cloud environment. Learn more here. The following are a couple of examples of how the AWS shared responsibility model applies to the resources or services offered:
- Load Balancer — AWS Application Load Balancer (ALB). AWS is responsible for the security, maintenance, and availability of the physical infrastructure of the ALB used in this application’s architecture. AWS’s responsibilities end when it comes to the configuration and routing rules of the load balancer. If the ALB is intended to provide load balancing to internal (intranet) resources but is accidentally configured to be open to the entire internet, that misconfiguration falls on the operator (customer).
- Web Application Server — Application running on an EC2 (cloud server) instance. AWS takes responsibility for the underlying infrastructure of EC2 instances. This includes physical security, patching low-level hardware, and even fire suppression. The application that exists on the EC2 server is the responsibility of the customer. This means application vulnerabilities, software patching, and access control are not the responsibility of AWS.
- Database — MySQL Database deployed on an EC2 instance. The EC2 instance hosting the database has the same responsibilities as mentioned above with the web application server with one caveat: If the data stored in the database is on the EC2 instance itself, it is the responsibility of the customer managing the database to protect the data adequately. This includes access control, encryption at rest and in transit, and securing backups.
Intro to Boto
Simply put, Boto is a Python package that provides programmatic connectivity to Amazon Web Services (AWS). Boto allows you to write scripts that manage complex setups or automate simple tasks in AWS. It also provides support for other public services such as Google Storage, as well as private cloud systems like Eucalyptus, OpenStack, and OpenNebula.
- At the moment, Boto supports more than 50 Amazon services. You can find a complete and current list on the Python.org website.
- Boto3 is the latest version of Boto, which is considered to be the Amazon Software Developers Kit (SDK) for Python.
AWS publishes its most up-to-the-minute information on service availability on the AWS Service Health page. You can check it at any time to get current status information, or subscribe to an RSS feed to be notified of interruptions to each individual service.
So, I recently wrote a Python script that checks for updates on those RSS feeds and displays incidents, maintenance notices, and general messages posted during an incident reported on the AWS platform.
The script parses data from RSS Feeds that expose data and information shown on AWS Service Health.
With this script you can locally monitor any region or services of your choice and have it hooked into your organization’s system monitoring. My script can be used as a plugin in Nagios.
Nagios is an open source monitoring system for computer systems. It was designed to run on the Linux operating system and can monitor devices running Linux, Windows, and Unix operating systems (OSes). Nagios software runs periodic checks on critical parameters of application, network and server resources.
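A minimal version of such a Nagios check, added here as an example and not the author’s script: it parses a constructed feed shaped like the AWS Service Health RSS XML (the title prefixes “Service is operating normally”, “Service disruption”, “Service degradation” and “Informational message” are assumed to follow the feed’s usual wording) and maps the newest recent event to a Nagios exit code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Nagios plugin exit codes: the exit status, not the text, drives the alert state.
OK, WARNING, CRITICAL = 0, 1, 2
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}
# Constructed sample shaped like an AWS Service Health RSS feed (not a real capture).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Amazon EC2 (N. Virginia) Service Status</title>
<item><title>Informational message: Elevated API error rates</title>
<pubDate>Tue, 01 Jun 2021 10:00:00 PDT</pubDate></item>
<item><title>Service is operating normally: [RESOLVED] Elevated API error rates</title>
<pubDate>Tue, 01 Jun 2021 12:30:00 PDT</pubDate></item>
</channel></rss>"""
# Check time matching the constructed sample, so results are reproducible.
SAMPLE_NOW = datetime(2021, 6, 1, 20, 0, tzinfo=timezone.utc)

def classify(title):
    """Map an item title to a Nagios state (title prefixes are an assumption)."""
    t = title.lower()
    if t.startswith("service is operating normally"):
        return OK
    if t.startswith(("service disruption", "service degradation")):
        return CRITICAL
    return WARNING  # informational or unfamiliar wording: flag it, but not as an outage

def parse_feed(xml_text):
    """Return (published, title) pairs, oldest first; items lacking a date or title are skipped."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        title, pub = item.findtext("title", "").strip(), item.findtext("pubDate", "")
        if title and pub:
            items.append((parsedate_to_datetime(pub), title))
    return sorted(items)

def check_feed(xml_text, now, max_age_hours=24):
    """Newest event within the window decides the state; a stale feed means nothing is ongoing."""
    recent = [i for i in parse_feed(xml_text) if now - i[0] <= timedelta(hours=max_age_hours)]
    if not recent:
        return OK, "OK - no events in the last %d hours" % max_age_hours
    published, title = recent[-1]
    state = classify(title)
    return state, "%s - %s (%s)" % (LABELS[state], title, published.isoformat())

if __name__ == "__main__":
    state, message = check_feed(SAMPLE_FEED, datetime.now(timezone.utc))
    print(message)
    raise SystemExit(state)  # Nagios reads this exit code
```

In a real deployment the feed text would be fetched from the AWS Service Health RSS URL for the region or service being watched instead of the embedded sample.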
Running the script
To run the script, provide the following arguments:
- All services status (Global, N. Virginia, Ohio): To check the status of all Global services and the N. Virginia and Ohio regions, simply run the script without an argument.
- Get Global AWS services status:
- Get AWS services status for N. Virginia:
- Get AWS services status for Ohio:
- Get Status of a specific AWS service: