At Cloudticity, we are constantly iterating to provide ever greater levels of security, compliance, and overall service. Lately, you may have noticed an increased number of requests from our technical team to review your accounts for proper tagging, open ports, and other concerns. This is due to a concerted effort to take a deeper dive into your accounts and identify and remediate the next tier of issues (not just critical ones), including any gaps in coverage created by the introduction of new AWS services or requirements. We have completed our initial review and are now working on remediating the findings. Some remediations require working with you to determine the proper course of action, while others require the development of new checks and workflows. Our goal is to have both completed by the end of this month.
Oxygen continuously monitors your environment for proper tagging, which is essential to identify critical things like resources that store, process, or transmit PHI. While our policy has been to do periodic reviews of your account to identify any resources missing the proper tags, we are now taking the next step and generating real-time alerts whenever a resource is created without proper tagging. Alerts will be generated whenever EC2 instances, EBS volumes, S3 buckets, or RDS instances are created without the o2:phi tag. These alerts will appear as automatically generated support tickets sent to your identified technical contact's email address.
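The following is an added example of how such a real-time tag check can be built; it is not Cloudticity's Oxygen code. It evaluates one CloudTrail record, as a CloudWatch Events rule of detail-type "AWS API Call via CloudTrail" delivers it to a Lambda function, for the four resource types named above and reports every created resource that lacks the o2:phi tag. The CloudTrail field names (tagSpecificationSet, instancesSet, dBInstanceIdentifier) follow CloudTrail's lower-cased request/response format; the sample records at the bottom are constructed, not captured, and the `tag_lookup` callback and `handler` are this example's own names.

```python
"""Real-time o2:phi tag check for newly created resources (added example)."""

REQUIRED_TAG = "o2:phi"

# CloudTrail eventName -> human label used in the finding / ticket
WATCHED_EVENTS = {
    "RunInstances": "EC2 instance",
    "CreateVolume": "EBS volume",
    "CreateBucket": "S3 bucket",
    "CreateDBInstance": "RDS instance",
}

# CloudWatch Events rule pattern that delivers exactly these records
# (CloudTrail must be logging management events in the region).
RULE_PATTERN = {
    "source": ["aws.ec2", "aws.s3", "aws.rds"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": sorted(WATCHED_EVENTS)},
}


def _collect_tags(node):
    """Gather every {key, value} pair under requestParameters. EC2 nests them
    in tagSpecificationSet.items[].tags, RDS puts them in a top-level tags
    list; walking the tree covers both without per-service code."""
    found = {}
    if isinstance(node, dict):
        if set(node) == {"key", "value"}:
            found[node["key"]] = node["value"]
        for child in node.values():
            found.update(_collect_tags(child))
    elif isinstance(node, list):
        for child in node:
            found.update(_collect_tags(child))
    return found


def _created_ids(record):
    """Identifiers of the resources the call created, read from CloudTrail's
    responseElements (requestParameters for S3, where the caller picks the name)."""
    req = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    name = record.get("eventName")
    if name == "RunInstances":
        return [i["instanceId"] for i in resp.get("instancesSet", {}).get("items", [])]
    if name == "CreateVolume":
        return [resp["volumeId"]]
    if name == "CreateBucket":
        return [req["bucketName"]]
    if name == "CreateDBInstance":
        return [resp["dBInstanceIdentifier"]]  # CloudTrail lower-cases the first letter
    return []


def evaluate(record, tag_lookup=None):
    """Return one finding per created resource.

    tag_lookup(resource_type, resource_id) -> dict is consulted only when the
    creation call itself carried no o2:phi tag. CreateBucket can never carry
    tags (they arrive in a later PutBucketTagging), so without a lookup every
    new bucket is flagged; with one, a bucket tagged by automation right after
    creation is reported as compliant instead of opening a ticket.
    """
    label = WATCHED_EVENTS.get(record.get("eventName"))
    if label is None:
        return []
    call_tags = _collect_tags(record.get("requestParameters") or {})
    findings = []
    for rid in _created_ids(record):
        tags = dict(call_tags)
        if REQUIRED_TAG not in tags and tag_lookup is not None:
            tags.update(tag_lookup(label, rid) or {})
        findings.append({
            "resource_type": label,
            "resource_id": rid,
            "compliant": REQUIRED_TAG in tags,
            "tag_value": tags.get(REQUIRED_TAG),
        })
    return findings


def ticket_lines(findings):
    """Text for the support ticket: only the non-compliant resources."""
    return [f"{f['resource_type']} {f['resource_id']} was created without the "
            f"{REQUIRED_TAG} tag" for f in findings if not f["compliant"]]


def handler(event, context=None):
    """Lambda entry point: CloudWatch Events wraps the CloudTrail record in 'detail'."""
    return ticket_lines(evaluate(event.get("detail", {})))


# Constructed sample records (not real CloudTrail output).
SAMPLE_RUN_INSTANCES = {
    "eventName": "RunInstances",
    "requestParameters": {"tagSpecificationSet": {"items": [
        {"resourceType": "instance", "tags": [{"key": "Name", "value": "web-1"}]}]}},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
}
SAMPLE_CREATE_DB = {
    "eventName": "CreateDBInstance",
    "requestParameters": {"dBInstanceIdentifier": "phi-db",
                          "tags": [{"key": REQUIRED_TAG, "value": "true"}]},
    "responseElements": {"dBInstanceIdentifier": "phi-db"},
}
SAMPLE_CREATE_BUCKET = {
    "eventName": "CreateBucket",
    "requestParameters": {"bucketName": "example-phi-exports"},
    "responseElements": None,
}

if __name__ == "__main__":
    for rec in (SAMPLE_RUN_INSTANCES, SAMPLE_CREATE_DB, SAMPLE_CREATE_BUCKET):
        print(evaluate(rec))
```

The value of the tag is reported alongside the finding because o2:phi=false is a legitimate, deliberate statement that a resource holds no PHI, whereas a missing tag is the condition that opens a ticket.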
At Cloudticity, we've built an extensive set of management automations using EC2 Systems Manager. This means that the EC2 Systems Manager agent (called the "SSM agent") is a prerequisite for Oxygen to monitor and manage EC2 instances. As with untagged resources, our policy has been to monitor for SSM installation problems and periodically remediate any issues found. This month we are enabling real-time alerting for any instances not reporting as managed in AWS Systems Manager. The alerts show up as support tickets from us, sent to the same technical contact email address used for other Oxygen alerts. The Cloudticity support team will work with you to remediate any issues found.
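As an added illustration of the "not reporting as managed" check (this is not Oxygen's own code), the example below compares the EC2 instance inventory with what Systems Manager reports and returns one finding per running instance that is either absent from SSM or registered with an unhealthy ping status. The dict shapes mirror boto3's `describe_instances` and `describe_instance_information` responses, which is a stated assumption; `check_account` is this example's own name for the live variant, and the sample data at the bottom is constructed.

```python
"""Find running EC2 instances not reporting as managed in Systems Manager (added example)."""

HEALTHY_PING = {"Online"}  # SSM also reports ConnectionLost and Inactive


def running_instances(reservations):
    """instance id -> Name tag, for running instances only. Stopped or
    terminating instances cannot report to SSM, so including them would only
    produce noise in the tickets."""
    out = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
            out[inst["InstanceId"]] = name
    return out


def ssm_ping_status(instance_information):
    """instance id -> PingStatus as reported by SSM."""
    return {i["InstanceId"]: i.get("PingStatus", "Unknown") for i in instance_information}


def unmanaged(reservations, instance_information):
    """One finding per running instance that SSM does not consider healthy."""
    running = running_instances(reservations)
    status = ssm_ping_status(instance_information)
    findings = []
    for iid, name in sorted(running.items()):
        ping = status.get(iid)
        if ping is None:
            reason = ("not registered with SSM: agent not installed or not running, "
                      "instance profile lacks the SSM permissions, or no route to the SSM endpoints")
        elif ping not in HEALTHY_PING:
            reason = f"registered with SSM but PingStatus is {ping}"
        else:
            continue
        findings.append({"instance_id": iid, "name": name, "reason": reason})
    return findings


def check_account(ec2, ssm):
    """Live variant: pass boto3.client('ec2') and boto3.client('ssm'). Both
    APIs paginate, so the paginators are used rather than single calls."""
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    info = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        info.extend(page["InstanceInformationList"])
    return unmanaged(reservations, info)


# Constructed sample data (not captured from a real account).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "app-1"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "app-2"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}, "Tags": [{"Key": "Name", "Value": "old-batch"}]},
]}]
SAMPLE_SSM_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online", "AgentVersion": "2.3.50.0"},
    {"InstanceId": "i-0bbb", "PingStatus": "ConnectionLost"},
]

if __name__ == "__main__":
    for finding in unmanaged(SAMPLE_RESERVATIONS, SAMPLE_SSM_INFO):
        print(finding)
```

The two reasons are kept distinct because they are remediated differently: an instance that has never registered usually needs the agent, an instance profile with the SSM managed policy, or VPC endpoint/NAT reachability, while a ConnectionLost instance had all of that at some point and has since stopped pinging.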
We have identified a scenario that may cause Auto Scaling groups (ASGs) to become out of sync with the instances that are running. Once an instance is patched with the latest OS and security updates, it is no longer in sync with the AMI that is driving the ASG. If a scaling event occurs after the OS patching is complete, any new instances will be launched from the prior AMI and will not have the latest OS patches. The same issue may present itself for CodeDeploy deployments. To resolve this issue, we developed a service that subscribes (using CloudWatch Rules) to a successful SSM OS patching event and a successful CodeDeploy deployment. Once either CloudWatch Rule fires, the service automatically creates a new AMI from the latest instance and updates the ASG to use the new AMI. If a scaling event occurs after the OS patching (or CodeDeploy deployment) is complete, the newly launched instance will have the latest OS patches and/or code, since it was launched from an AMI built from an instance that had the most recent OS patches or application code. If you are interested in this service, please reach out to Cloudticity support for more details or to schedule installation.
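The following is an added example of the event-driven AMI refresh described above; it is not Cloudticity's service. It handles the two CloudWatch Events triggers the text names (an SSM command invocation finishing with status Success for the AWS-RunPatchBaseline document, and a CodeDeploy instance deployment finishing with state SUCCESS), images the instance the event names, and points that instance's ASG at the new image. The AWS calls go through boto3 clients the caller passes in, so the event handling runs offline. Assumptions: the ASG uses a launch template (launch configurations are rejected rather than copied), the CodeDeploy event carries the instance as an ARN that is reduced to its id, and the rule patterns, `source_instance`, `refresh_asg` and `handler` are this example's own names. The sample events are constructed.

```python
"""Rebuild an ASG's AMI after a successful patch run or deployment (added example)."""
import datetime

PATCH_DOCUMENT = "AWS-RunPatchBaseline"

# CloudWatch Events rule patterns that deliver the two triggers to the Lambda.
SSM_PATCH_RULE = {
    "source": ["aws.ssm"],
    "detail-type": ["EC2 Command Invocation Status-change Notification"],
    "detail": {"document-name": [PATCH_DOCUMENT], "status": ["Success"]},
}
CODEDEPLOY_RULE = {
    "source": ["aws.codedeploy"],
    "detail-type": ["CodeDeploy Instance State-change Notification"],
    "detail": {"state": ["SUCCESS"]},
}


def _bare_instance_id(value):
    """'arn:aws:ec2:...:instance/i-123' and 'i-123' both become 'i-123'."""
    return value.rsplit("/", 1)[-1] if value else None


def source_instance(event):
    """The instance to image for a successful event, or None for anything else
    (a failed patch run or deployment must never produce a new AMI)."""
    detail = event.get("detail") or {}
    kind = (event.get("source"), event.get("detail-type"))
    if kind == ("aws.ssm", "EC2 Command Invocation Status-change Notification"):
        if detail.get("status") == "Success" and detail.get("document-name") == PATCH_DOCUMENT:
            return _bare_instance_id(detail.get("instance-id"))
    if kind == ("aws.codedeploy", "CodeDeploy Instance State-change Notification"):
        if detail.get("state") == "SUCCESS":
            return _bare_instance_id(detail.get("instanceId"))
    return None


def image_name(asg_name):
    """Unique, sortable AMI name: the ASG name plus a UTC timestamp."""
    return f"{asg_name}-{datetime.datetime.utcnow().strftime('%Y%m%d-%H%M%S')}"


def refresh_asg(ec2, autoscaling, instance_id):
    """Create an AMI from instance_id and make it the ASG's launch template image.
    Pass boto3.client('ec2') and boto3.client('autoscaling').
    Returns the new image id, or None if the instance is not in any ASG."""
    members = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
    if not members:
        return None
    asg_name = members[0]["AutoScalingGroupName"]
    group = autoscaling.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    template = group.get("LaunchTemplate")
    if template is None:
        raise ValueError(f"{asg_name} uses a launch configuration; this example only handles launch templates")

    # NoReboot=True avoids a second interruption right after the patch reboot, at the
    # cost of imaging without quiescing file systems; set False if consistency matters more.
    image_id = ec2.create_image(InstanceId=instance_id, Name=image_name(asg_name), NoReboot=True)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])

    # Resolve "$Latest"/"$Default" to a number so the new version derives from the one in use.
    current = ec2.describe_launch_template_versions(
        LaunchTemplateId=template["LaunchTemplateId"], Versions=[template.get("Version", "$Default")]
    )["LaunchTemplateVersions"][0]["VersionNumber"]
    new_version = ec2.create_launch_template_version(
        LaunchTemplateId=template["LaunchTemplateId"], SourceVersion=str(current),
        LaunchTemplateData={"ImageId": image_id},
    )["LaunchTemplateVersion"]["VersionNumber"]
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=asg_name,
        LaunchTemplate={"LaunchTemplateId": template["LaunchTemplateId"], "Version": str(new_version)},
    )
    return image_id


def handler(event, context=None):
    """Lambda entry point shared by both rules."""
    instance_id = source_instance(event)
    if instance_id is None:
        return {"skipped": True}
    import boto3  # imported here so the event parsing above runs without boto3 installed
    image_id = refresh_asg(boto3.client("ec2"), boto3.client("autoscaling"), instance_id)
    return {"skipped": image_id is None, "image_id": image_id}


# Constructed sample events (not captured).
SAMPLE_PATCH_EVENT = {
    "source": "aws.ssm",
    "detail-type": "EC2 Command Invocation Status-change Notification",
    "detail": {"command-id": "00000000-0000-0000-0000-000000000000", "document-name": PATCH_DOCUMENT,
               "instance-id": "i-0123456789abcdef0", "status": "Success"},
}
SAMPLE_DEPLOY_EVENT = {
    "source": "aws.codedeploy",
    "detail-type": "CodeDeploy Instance State-change Notification",
    "detail": {"deploymentId": "d-EXAMPLE", "state": "SUCCESS",
               "instanceId": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"},
}
SAMPLE_FAILED_PATCH = {**SAMPLE_PATCH_EVENT, "detail": {**SAMPLE_PATCH_EVENT["detail"], "status": "Failed"}}
```

Two practical notes on the design: the image_available waiter can take several minutes, so the Lambda timeout must accommodate it (or the wait can be moved to a second function triggered on the AMI becoming available), and because the rules only match Success/SUCCESS, a failed patch run leaves the ASG on the previous, known-good AMI rather than baking a half-patched instance into the fleet.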