Monitoring AWS Security Groups with UpGuard

Posted by UpGuard

UpGuard was initially designed to solve the problems we faced every day in the world of enterprise IT. Technical debt, documentation rot, and configuration drift consumed untold hours of our lives. UpGuard was designed to make those problems a thing of the past.

Our latest feature, however, was inspired by a problem we faced right now. UpGuard has three deployment options–multi-tenant SaaS, single tenant SaaS, and a virtual appliance–and for our growing number of STAs we needed a way to maintain visibility and consistency in AWS security groups. Amazon allows up to 100 security groups per VPC and up to 50 rules per group. With even basic user controls the geometric growth in configurations would make managing our security groups a nightmare. If only there was a platform that could simplify this process, perhaps by ingesting the configuration state of a cloud app and alerting us to changes...

Since that's exactly what UpGuard does, and we have already built out the infrastructure to monitor cloud applications, adding support for EC2 security groups was just a matter of drinking our own champagne.

Free DevOps and Security eBooks

First we created the aws_security_group template. Other users (like you) can clone it for use as is or with additional private modifications.


The next step was adding our AWS account to UpGuard . This step requires console access to get the AWS Region, AWS Access Key, and AWS Secret Key. If you can get that information, you can start monitoring your AWS nodes with UpGuard right away.

Now that UpGuard has access to AWS we can start creating policies to monitor configurations like security groups. Whenever we fire up a new STA we just select "create policy from scan," use the aws_security_group template, and the node's configurations are automatically mapped to the policy template. We can now be certain in the future that the inbound permissions align with what we specified. If it ever changes we will be notified. With this policy in place we have protection against malicious intruders as well as against the more mundane failures of communication and memory that weaken security and create unplanned work.


If you're using AWS and want to know what's going on in there–or if you want your team to be able to monitor for change without giving them full access–the aws_security_group template provides a simple, read-only solution for maintaining your system's integrity. And to learn more about settin up UpGuard to monitor EC2 instances, check out our two-part overview on using UpGuard with Amazon AWS EC2.  

Request a Free Demo

UpGuard Customers