
IBM QRadar and AWS Best Practices - AWS VPC, AWS IAM, and AWS Security Groups

By Patrick Routh posted Tue October 01, 2019 03:55 PM


Effectively Secure your AWS environments with IBM QRadar


Where do I begin?

Tip #1: Decide on a QRadar deployment strategy – selecting a primary home for QRadar

QRadar offers impressive deployment flexibility, which enables customers to choose the model that best meets their business and security needs. There are four primary deployment models that customers can implement to secure resources across the enterprise, including AWS environments: On Premises, Hybrid, Cloud, and SaaS.

On Premises
QRadar SIEM deployments on premises can collect event and flow logs from AWS applications and services such as AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty via REST API. With the QRadar Console and Event Processors located in a customer- or partner-managed datacenter, this deployment can collect security data without installing anything outside that datacenter.
Figure: QRadar On Prem Deployment - AWS collection
Figure: QRadar On Prem Deployment - Optimizing AWS Collection with Amazon CloudWatch

Hybrid
QRadar can also extend its deployment footprint into the cloud, enabling customers to install virtual QRadar appliances in AWS or other cloud platforms. The AWS Marketplace provides a single-click install method for QRadar customers to bring their own license and deploy QRadar appliances in AWS.
A common scenario is a customer deploying a single Managed Host appliance, such as an Event Collector, in an AWS region to collect service, application, and infrastructure logs. Those logs are compressed, parsed, and coalesced at the source before the data is transferred out of AWS to the on-premises deployment.
There are many options for deploying QRadar appliances both on premises and in the cloud for efficient collection of events and network traffic flows from AWS.
Figure: QRadar Hybrid Deployment - Event Collector in AWS

Cloud
QRadar can be deployed as virtual appliances on virtual machines running on IaaS cloud platforms such as AWS. Cloud-first businesses can run an entire QRadar deployment in the cloud, or across multiple clouds, to provide security across a diverse enterprise efficiently. Customers can choose a primary cloud environment or region in which to run and manage a QRadar Console, and position Processors, Collectors, and Data Nodes around that center. Deploy the Console in the cloud environment and region where most of your data resides.
Figure: QRadar Cloud Deployment - AWS

SaaS – QRadar on Cloud
QRadar on Cloud delivers the advanced security analytics capabilities of QRadar as a service hosted on the IBM Cloud. A dedicated IBM DevOps team operates and manages the Console and Processors, while customers either collect AWS logs via REST API or deploy Data Gateway appliances in AWS to collect from external cloud environments. Data Gateway appliances are a supported QRadar Managed Host that can be deployed in AWS via the QRadar listings on the AWS Marketplace. AWS is one of many cloud platforms that QRadar supports today, with more planned.
Figure: QRadar on Cloud - Multi-Cloud Collection

Tip #2: Construct your virtual private clouds (VPC) in AWS

When designing your VPCs, we suggest that you place your QRadar Data Nodes and Event Processors in the same subnet as your Console. The goal is to reduce the network layers between QRadar appliances, which lowers latency and operational complexity in your AWS environment.

Tip #3: Implement Multiple VPCs in AWS

If you create more than one VPC in AWS and deploy QRadar Event Collectors in several of them, we suggest that you use VPC Peering as the connection path between the Event Collectors.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. Inter-region VPC peering connections are supported in AWS. (AWS source: What is VPC Peering?)


Bonus Tip: For Managed Security Service Providers in AWS
A good way for Managed Security Service Providers (MSSPs) operating QRadar to connect to their customers is to use VPC Peering to the customer-operated VPC subnets.


Additional AWS Resources

AWS VPC Design

AWS VPC Quick Start – Architecture


How do I leverage AWS Identity and Access Management with QRadar?

It is very important to design and continuously enforce security policies in your cloud environments. AWS IAM is a native service that helps customers to protect cloud users and workloads on the Amazon Web Services platform.


Tip #1: Restrict access to QRadar hosts and network configuration

Tip #2: Create IAM Roles for Amazon EC2 Instances, which lets you distribute credentials securely
AWS IAM Roles for EC2 Instances
Creating a Role to Delegate Permissions to an IAM User
Granting a User Permission to Switch Roles

IBM Knowledge Center Resources
QRadar's Amazon S3 REST API Protocol
QRadar's Amazon Web Services Protocol
Creating an IAM role for AWS Lambda
Configuring AWS VPC Flow Logs
Assume Role in AWS

Tip #3: Implement AWS Cross-account access for all enterprise AWS accounts – assume roles
With cross-account access in place, you do not have to manage access keys in QRadar.
Setting up Cross-Account access using AWS IAM

AWS Best Practices

  • Restrict use of root account
  • Access key rotation
  • Multi-Factor Authentication
  • Develop a least-privilege access model
  • Do not share account credentials or access keys
  • Use AWS Managed Policies and/or Security Groups to assign permissions to IAM users
  • Frequently review IAM permissions
  • Enforce strong password policies for users, roles, and resources
  • Use IAM Roles for custom apps running on EC2 Instances
  • Remove unused or old IAM users/credentials
  • Set IAM Policy conditions to protect critical data
  • Monitor user activity to identify anomalous activity
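The cross-account role from Tip #3 and several items in the list above (least-privilege access, IAM policy conditions, frequent review of permissions) can be checked mechanically rather than by eye. The Python below is an added example, not IBM's or AWS's code: it lints a constructed role trust policy and a constructed permissions policy of the kind a QRadar collection role would carry. The account ID, role name, bucket name, external ID and source address are placeholders. The sts:ExternalId condition is AWS's standard guard for roles assumed across accounts; whether your collector supplies an external ID is an assumption to confirm against the protocol configuration you use.

```python
"""Lint IAM policy documents for the cross-account and least-privilege
practices discussed on this page.  Added example, not IBM or AWS code; all
identifiers below are constructed placeholders."""
import json

# Constructed example: trust policy on a collection role in a member account.
# It lets the QRadar account's collector role assume it, but only when the
# caller presents the agreed ExternalId (AWS's confused-deputy guard).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/qradar-collector"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed example: permissions policy for that role, scoped to reading one
# CloudTrail log bucket and conditioned on the collector's egress address.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                     "arn:aws:s3:::example-cloudtrail-logs/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}},
    }],
}

# Constructed counter-example: the over-broad grant that "develop a
# least-privilege access model" warns against.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy):
    """Findings for a role trust policy: no wildcard principals, and every
    AssumeRole grant must carry an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in principals:
            findings.append(f"statement {i}: wildcard Principal can assume the role")
        cond = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict)):
            findings.append(f"statement {i}: AssumeRole without sts:ExternalId condition")
    return findings


def lint_permissions_policy(policy):
    """Findings for a permissions policy: wildcard actions or resources, and
    Allow statements that carry no Condition element at all."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard Action")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: wildcard Resource")
        if not stmt.get("Condition"):
            findings.append(f"statement {i}: no Condition element")
    return findings


if __name__ == "__main__":
    for name, policy, lint in [("trust", TRUST_POLICY, lint_trust_policy),
                               ("permissions", PERMISSIONS_POLICY, lint_permissions_policy),
                               ("overbroad", OVERBROAD_POLICY, lint_permissions_policy)]:
        print(name, json.dumps(lint(policy) or "OK"))
```

Run it as a periodic review job over the policies attached to your collection roles (for example, the documents returned by the IAM get-role and get-policy-version APIs) and treat any finding as a ticket, not a warning to suppress.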


Additional AWS Resources

How to Rotate Access Keys for IAM Users

AWS Multi-Factor Authentication

Granting Least Privilege

AWS IAM Managed Policies

How to enforce strong passwords in AWS

Use Roles for Applications that run on Amazon EC2 Instances

Remove Unnecessary Credentials

AWS IAM JSON Policy Elements: Conditions

How do I use AWS VPC Security Groups to harden my QRadar deployment in AWS?

Security groups act as virtual firewalls for instances in AWS, including QRadar hosts. Within a VPC, up to 5 security groups can be associated with a single instance in a subnet. Customers add rules that control the inbound and outbound traffic to AWS instances, limiting access to only the IP addresses they designate. Network Access Control Lists can also be created to augment security group policies and further enforce access in your AWS accounts.


IBM Point of View

  • Be as restrictive as possible!
  • Do not create open internet connections to QRadar hosts
  • Only open Port 22 and Port 443, and keep both locked down to whitelisted IP addresses only
  • Use a VPN: if access from dynamic or unknown IP addresses is required, we recommend a VPN rather than allowing direct access from public addresses
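One way to check existing security groups against the point of view above, as an added example that is not IBM's or AWS's code. It runs over a constructed sample shaped like the output of aws ec2 describe-security-groups, and the allow-listed source ranges are assumed values you would replace with your own. It flags rules open to the whole internet, rules exposing anything other than TCP 22 and 443, and sources that are not on the allow list.

```python
"""Audit security group ingress rules against the guidance on this page:
no open-internet sources, only TCP 22 and 443, and only allow-listed
addresses.  Added example, not IBM or AWS code; the data is a constructed
sample shaped like `aws ec2 describe-security-groups` output."""
import ipaddress

# Addresses you have decided may reach QRadar hosts (constructed sample).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),   # corporate egress
                   ipaddress.ip_network("198.51.100.7/32")]  # admin jump host
ALLOWED_PORTS = {22, 443}

# Constructed sample: one hardened group and one that breaks the guidance
# in several ways (open internet, all protocols, an unexpected port).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "qradar-console-hardened",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "qradar-console-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "192.0.2.5/32"}], "Ipv6Ranges": []},
     ]},
]


def _sources(rule):
    """All IPv4 and IPv6 source CIDRs named by one ingress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _ports(rule):
    """Ports a rule exposes; IpProtocol "-1" means every port and protocol."""
    if rule.get("IpProtocol") == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def audit_security_group(sg, allowed_sources=ALLOWED_SOURCES, allowed_ports=ALLOWED_PORTS):
    """Return (group_id, reason) findings for one security group."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        ports = _ports(rule)
        if ports is None:
            findings.append((gid, "rule allows all protocols and ports"))
        elif not ports <= allowed_ports:
            extra = sorted(ports - allowed_ports)
            findings.append((gid, f"ports {extra[:5]} outside the allowed set {sorted(allowed_ports)}"))
        for cidr in _sources(rule):
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append((gid, f"{cidr} opens the rule to the whole internet"))
            elif not any(net.version == a.version and net.subnet_of(a) for a in allowed_sources):
                findings.append((gid, f"{cidr} is not an allow-listed source"))
    return findings


def audit_all(groups):
    """Findings across every group, in the order the groups were given."""
    return [f for sg in groups for f in audit_security_group(sg)]


if __name__ == "__main__":
    for gid, reason in audit_all(SECURITY_GROUPS):
        print(f"{gid}: {reason}")
```

Feed it the real JSON from describe-security-groups for the groups attached to your QRadar hosts; a clean run is the state the point of view above describes, and each finding maps directly to one of its four bullets.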


Additional AWS Resources

AWS VPC Security Groups

AWS Network ACLs

Network to Amazon VPC Connectivity Options


Patrick Routh
Offering Manager - QRadar Cloud Security