AWS cloud management APIs: Don’t overlook a key security component
Xceedium has enhanced Xsuite to include protection for the Amazon Web Services management APIs that advanced cloud customers use to monitor and configure their AWS environments. The latest version of Xsuite now includes a privileged API proxy-enabling access control, monitoring, and auditing for scripts and tools accessing AWS management APIs.
Xsuite’s new API Proxy extends the security and auditing capability Xsuite already provides for instances running on AWS and the AWS Management Console. With the advent of software defined infrastructure, many advanced organizations are bypassing the web-based AWS management console and automating operational tasksÂÂÂÂ-utilizing AWS SDKs for Python, PHP, and others, and DevOps tools (e.g., Chef or Puppet) that call AWS’ REST-based management APIs. Xsuite now provides an extra layer of protection so AWS customers can control access, monitor, and audit exactly what scripts are doing.
The AWS management console, and its associated APIs, powers a system capable of altering an organization’s underlying cloud infrastructure in seconds. It enables organizations to monitor, control, configure, and scale their environments like never before.
This management system reinforces the need for customers to adopt a “shared responsibility security model.” With the shared responsibility model, customers must understand the risks, how to utilize AWS security features, and what additional security and audit controls are necessary to mitigate risks and meet compliance mandates. The Xsuite AWS API Proxy was designed to deliver the extra protection and auditing enterprise customers require.
The Xsuite AWS API Proxy enables customers to:
- Impose a single point of access control, monitoring, and audit for all activity associated with the AWS Management Console and its underlying REST API set
- Enforce role-based API access control on scripts interacting with the management plane for AWS Public, Government, and VPC clouds
- Create a full bi-directional audit trail of all API calls and responses
- Attribute AWS API activity to a specific user without requiring customers to add and maintain users in the AWS Identity and Access Management (IAM) system
- Use alternative credentials that are only valid with the Xsuite AWS API Proxy and cannot be used with AWS services directlyÂÂ-ensuring all privileged API calls are controlled and logged
- Vault and manage the credentials used by scripts to access AWS APIs and eliminate the practice of sharing these important keys.
The Xsuite AWS API Proxy is licensed and configured through the Xsuite policy management engine. The API Proxy capability is deployed as separate Amazon Machine Instances (AMIs) and leverages AWS auto scaling to meet performance requirements and support the dynamic environments advanced AWS customers are implementing.