Event Driven Compliance
BMC Helix Cloud Security (BMC Helix) currently supports a "Scheduled" compliance check of cloud resources (AWS, Azure, GCP), which means a user can configure a connector for a scheduled scan of cloud resources. Although a scheduled compliance check can ascertain the correctness of the security configuration of cloud resources over time, it introduces a vulnerability window during which non-compliant resources remain undetected.
For example, if a cloud administrator has scheduled an AWS Cloud Connector with a 24-hour schedule, a vulnerable, non-compliant resource may sit in the system for up to 24 hours before it is detected.
Event Driven Compliance (EDC) enables BMC Helix to scan a newly discovered resource, or an existing resource that has changed, as soon as the change is seen. With this capability in place, any new resource deployed or existing resource modified in the cloud is checked for compliance with the security configuration required by the latest CIS standards. Any change to a resource's state triggers a scan specific to that resource and flags it as non-compliant if it fails the check.
"When we create or update a resource in the target AWS account, it takes 12 to 15 minutes for the event to appear in CloudWatch Logs and a further 5 minutes for the result to be reflected in the BMC Helix UI. Hence complete evaluation can take up to 20 minutes (approx.)."
Pre-requisites
Before BMC Helix Cloud Security is configured for EDC, the steps below must be carried out in each target AWS account that is to be scanned for compliance.
Single Target AWS Account
Perform the steps below if you want to scan only a single target AWS account with EDC.
1. Ensure that there is one CloudTrail trail configured with the default log group named "DefaultLogGroup". The trail must be turned ON.
Based on your requirement, you can configure the trail to apply to all regions OR to a specific region.
2. Ensure that CloudTrail is configured to send events containing API activity in your AWS account to a CloudWatch Logs log group.
3. Ensure that at least one AWS Cloud Connector pointing to the target AWS account is onboarded in BMC Helix, with the "Event Driven" switch enabled during onboarding.
NOTE: Event Driven Compliance is currently available ONLY for the AWS Cloud Connector.
4. Ensure that at least one collection cycle for the AWS Cloud Connector onboarded above has completed, so that its resources are visible in the BMC Helix portal.
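The CloudTrail side of steps 1 and 2 can be verified before onboarding. The following is an added example, not BMC Helix code: it evaluates trail records in the shape returned by the AWS CloudTrail DescribeTrails and GetTrailStatus APIs (the sample responses and account id are constructed) and reports which of the prerequisites a trail fails to meet.

```python
"""Offline check of CloudTrail settings against the EDC prerequisites
(constructed example, not BMC Helix code)."""
import re

REQUIRED_LOG_GROUP = "DefaultLogGroup"  # log group name the EDC steps expect
# CloudWatch Logs log-group ARN; group 1 captures the log group name.
_LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:[^:]+:\d{12}:log-group:([^:]+)(?::\*)?$")


def log_group_name(arn):
    """Return the log group name embedded in a CloudWatch Logs ARN, or None."""
    match = _LOG_GROUP_ARN.match(arn or "")
    return match.group(1) if match else None


def check_trail(trail, status):
    """Return unmet prerequisites for one trail (empty list = ready); `trail` is a
    DescribeTrails trailList entry, `status` a GetTrailStatus response."""
    problems = []
    if not status.get("IsLogging", False):  # trail must be turned ON
        problems.append("trail logging is turned off")
    group = log_group_name(trail.get("CloudWatchLogsLogGroupArn"))
    if group is None:  # no CloudWatch Logs delivery means no events for EDC
        problems.append("trail does not deliver events to CloudWatch Logs")
    elif group != REQUIRED_LOG_GROUP:
        problems.append(f"log group is {group!r}, expected {REQUIRED_LOG_GROUP!r}")
    return problems  # multi-region vs single-region is a user choice, not checked


def edc_ready(trails, statuses):
    """True if at least one trail meets every prerequisite; `statuses` maps TrailARN -> status."""
    return any(not check_trail(t, statuses.get(t["TrailARN"], {})) for t in trails)


# Constructed sample API responses (fictitious account id, not real data).
_ACCT = "111111111111"
SAMPLE_TRAILS = [
    {"Name": "audit-trail", "TrailARN": f"arn:aws:cloudtrail:us-east-1:{_ACCT}:trail/audit-trail",
     "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{_ACCT}:log-group:DefaultLogGroup:*"},
    {"Name": "legacy-trail", "TrailARN": f"arn:aws:cloudtrail:us-east-1:{_ACCT}:trail/legacy-trail",
     "IsMultiRegionTrail": False},  # no CloudWatch Logs delivery configured
]
SAMPLE_STATUS = {SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True},
                 SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False}}

if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        print(t["Name"], check_trail(t, SAMPLE_STATUS[t["TrailARN"]]) or "OK")
    print("EDC prerequisites met:", edc_ready(SAMPLE_TRAILS, SAMPLE_STATUS))
```

Against a live account, feed the real `describe_trails()['trailList']` and per-trail `get_trail_status()` responses into the same functions.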
Enabling Event Driven Compliance for existing AWS Cloud Connector
If you have an existing AWS Cloud Connector and want to enable Event Driven Compliance for it, perform the following steps:
1. Log in to BMC Helix Cloud Security with your registered credentials.
2. Select the Configure icon > Connectors.
3. From the Manage Connectors screen, select the menu of the AWS Cloud Connector you want to edit and choose Edit.
4. On the Update a Connector page that is displayed, enable the Event Driven switch and click Save.

5. Enable the connector and click Evaluate Now for the same connector to enable EDC.
Supported resources for AWS in EDC:
S3 Bucket
Security Group
IAM Password Policy
IAM Policy
Elastic Block Store (EBS)
Elastic Search (ES)
Relational Database Service (RDS)
CloudTrail
Key Management Service (KMS)
Virtual Private Cloud (VPC)
Elastic Compute Cloud (EC2)
Elastic Load Balancer (ELB)
The following AWS resources are not supported:
IAM Support Policy is not supported in EDC because the current framework does not support it.
Limitations of EDC:
- For rules 4.2 and 4.3 of the "CIS Amazon Web Services Three-tier Web Architecture Benchmark" policy, the event subscription should be created for the specific database instance rather than for all database instances in the target AWS account.
- For rules 6.17, 6.19 and 6.26 of the "CIS Amazon Web Services Three-tier Web Architecture Benchmark" policy, the update scenario does not work, because updating a resource affects other resources of which the event filtering service is not aware. The current design does not handle this scenario.
- For rule 2.9 of the "CIS Amazon Web Services Foundations Benchmark" policy, the "DeleteFlowLogs" event is not captured because it carries no resourceID or resourceName. As a result, EDC can capture ONLY the Non-compliant to Compliant state transition for this rule; it will NOT capture the Compliant to Non-compliant transition.