Security Guard

The Security Guard wizard is designed to enable additional security services for projects activated in AWS. The services are arranged into three levels; each level includes everything from the previous one and adds a specific feature.

The wizard is available on the Cloud Dashboard and can be used by project key staff (Project Manager, Project Coordinator, Delivery Manager).

For more detailed information on project security in AWS and other external Cloud Providers, please see the Maestro User Guide.
For the detailed info on the security regulations in EPAM Cloud, see the EPAM Cloud Security Policy.

  • Choose Security Level

    On this page, you can select the security level for the specific Project/Region combination, and review or update it:

    1. Select project: Select the project whose security level should be reviewed.

    2. Select zone: Select the AWS region where the security level should be reviewed.

    3. Current settings: Review the current settings in brief.

    4. Project security level: Select the security level to review or to be set. The following options are available:
    - Basic - the default security level, including MFA for IAM users, VPC, SSO (STS for Amazon) authentication by project role, and basic weekly security checks.
    - Standard - includes the Basic features plus AWS Inspector.
    - Advanced - includes the Basic features and AWS Inspector, extended with VPC Flow Logs and AWS GuardDuty.

    To review the details of the security settings, click the Details button.
    To set up a new security level, or update the current settings, click Modify.

    Please note: setting up the Standard or Advanced security level can increase the project's monthly cost.

  • Basic Security Level

    The security services and tools enabled on this level are provided by default and for free, and are available as soon as the project is activated in AWS.

    The Basic security level cannot be disabled or modified.

  • Standard Security Level

    The Standard Security Level includes all the Basic features and adds AWS Inspector, which regularly scans the applications within your project VMs for potential vulnerabilities. The scans are performed only on the instances marked with specific tags.

    When you switch to the Standard Security Level via the Security Guard Wizard, you need to specify the following:

    1. The tags by which the instances to be checked are identified.

    2. The rules packages according to which the checks are to be performed. The rules packages are prepared by AWS and include checks based on security best practices.

    3. The execution schedule. You can specify one of the standard periods (daily, weekly, etc.) or set up a custom Cron expression following the AWS Cron rules.

    When the Standard Security Level is activated, EPAM Orchestrator initiates the AWS Inspector activation.

    Please note:
    - AWS Inspector needs specific agents to be installed on the VMs. Currently, these agents are to be installed manually, according to the instructions provided here.
    - AWS Inspector is a paid service, billed per agent-assessment (where an agent-assessment is one check performed on one VM). The detailed pricing info is available on this page.

  • Advanced Security Level

    The Advanced Security Level includes the tools and services of the other levels and extends them with the VPC Flow Logs and AWS GuardDuty services.

    The VPC Flow Logs service allows you to collect and store network flow logs, while AWS GuardDuty analyzes them to detect actual and potential issues; GuardDuty is the core of the Advanced Security Level.

    AWS GuardDuty enables intelligent detection of threats by analyzing thousands of events described in AWS CloudTrail, VPC FlowLogs, and DNS logs.

    When you activate the Advanced Security Level with the Security Guard Wizard, you need to specify the following parameters:

    1. Select the FlowLogs Configuration - whether the flow logs should be collected at the VPC, subnet, or network interface level.

    2. Select the IDs of the subnets that are to be affected.

    When you complete the setup, the VPC FlowLog is activated, and the CloudWatch logs start to be collected in the OrchestratorWorkGroup flow log group. After that, within several hours, the GuardDuty service is activated.

    Please note:
    - Activating the Advanced Security Level also activates AWS Inspector, if it has not been activated before.
    - VPC FlowLog and AWS GuardDuty are billed services. Please visit the AWS GuardDuty Pricing and Amazon CloudWatch Pricing pages for more details.
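    As an added example (not part of this guide or of the Maestro/Orchestrator tooling), the following audit confirms that what the Advanced level is described to set up is actually in place: one ACTIVE flow log per selected subnet delivering to the OrchestratorWorkGroup CloudWatch log group, and an ENABLED GuardDuty detector in the region. The `ec2` and `guardduty` arguments are assumed to be boto3 clients (the calls used are real EC2 and GuardDuty API operations); the Fake classes and subnet IDs are constructed so the check runs offline.

```python
"""Post-wizard audit for the Advanced Security Level (added example, not Maestro code).
`ec2` and `guardduty` are assumed to be boto3 clients; the log group name
OrchestratorWorkGroup comes from the guide; subnet IDs below are constructed."""
from dataclasses import dataclass, field

@dataclass
class AuditResult:
    missing_flow_logs: list = field(default_factory=list)  # subnets with no ACTIVE flow log
    wrong_destination: list = field(default_factory=list)  # flow log not in the expected log group
    guardduty_enabled: bool = False

def audit_advanced_level(ec2, guardduty, subnet_ids, log_group="OrchestratorWorkGroup"):
    """Expect one ACTIVE CloudWatch flow log per subnet and an ENABLED GuardDuty detector."""
    result = AuditResult()
    # EC2 DescribeFlowLogs accepts a resource-id filter, so one call covers every subnet.
    resp = ec2.describe_flow_logs(Filters=[{"Name": "resource-id", "Values": list(subnet_ids)}])
    active = {fl["ResourceId"]: fl for fl in resp.get("FlowLogs", [])
              if fl.get("FlowLogStatus") == "ACTIVE"}
    for sid in subnet_ids:
        fl = active.get(sid)
        if fl is None:
            result.missing_flow_logs.append(sid)
        elif (fl.get("LogDestinationType", "cloud-watch-logs") != "cloud-watch-logs"
              or fl.get("LogGroupName") != log_group):
            result.wrong_destination.append(sid)
    # GuardDuty is per region: at least one detector must report Status ENABLED.
    for det_id in guardduty.list_detectors().get("DetectorIds", []):
        if guardduty.get_detector(DetectorId=det_id).get("Status") == "ENABLED":
            result.guardduty_enabled = True
            break
    return result

class FakeEC2:
    """Constructed responses: subnet ...a is covered, ...b logs to S3, ...c has no flow log."""
    def describe_flow_logs(self, Filters):
        wanted = set(Filters[0]["Values"])
        logs = [{"ResourceId": "subnet-0000000a", "FlowLogStatus": "ACTIVE",
                 "LogDestinationType": "cloud-watch-logs", "LogGroupName": "OrchestratorWorkGroup"},
                {"ResourceId": "subnet-0000000b", "FlowLogStatus": "ACTIVE",
                 "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::constructed-bucket"}]
        return {"FlowLogs": [fl for fl in logs if fl["ResourceId"] in wanted]}

class FakeGuardDuty:
    def list_detectors(self):  # constructed: one detector present in the region
        return {"DetectorIds": ["constructed-detector-id"]}
    def get_detector(self, DetectorId):
        return {"Status": "ENABLED"}

SAMPLE_SUBNETS = ["subnet-0000000a", "subnet-0000000b", "subnet-0000000c"]
```

    Against real clients, call `audit_advanced_level(boto3.client("ec2", region_name=...), boto3.client("guardduty", region_name=...), subnet_ids)` with the subnet IDs chosen in the wizard; any entry in the two lists or a False `guardduty_enabled` means the level is not fully applied yet.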

  • Confirm Security Updates

    On this step, you can review the planned changes to the security settings before applying them.

    Click Apply to apply the updates, or Prev to change the settings.

  • Results

    On this page, you can review the results of the security changes on your project.