AWS IAM

We would like to detect unusual config changes that can potentially cause production outage.

Such as, SecurityGroup new allow/deny rule, AuthZ policy change, Secret key/certificate rotation, IP subnet add/drop. The problem is the source of all of these activities is different, i.e., AWS IAM, Amazon EC2, internal prod services, envoy sidecar, etc.

Which of the technology would be best suitable to detect only IMP events (not all activity) from various sources all workload running on AWS and also Splunk Cloud?

In a 2015 AWS case study, Richard Crowley, Director of Operations said “with traditional IT, it would take weeks or months to contend with hardware lead times to add more capacity. Using AWS, we can look at user metrics weekly or daily and react with new capacity in 30 seconds.”

Slack needed to pick an infrastructure partner that could support the exponential growth they were experiencing. AWS is the cloud provider that supplied them with i2.xlarge Amazon Elastic Compute Cloud (Amazon EC2) instances for their LAMP stack, Amazon Simple Storage Service (Amazon S3) for user's file uploads and static assets, and ELB to Load Balance workloads across their EC2 instances.

For security, Slack went with Amazon Virtual Private Cloud (VPC) for controlling security groups and firewall rules and AWS Identity and Access Management (IAM) for controlling user credentials and roles.

In 2018, Slack signed an agreement with AWS to spend at least $50 million a year over five years, for a total of at least $250 million, according to the company’s filing with the SEC for a public stock listing (via CNBC)