AWS is a massive collection of services, ranging from networking, compute, and storage to machine learning, analytics, and anything else that could be useful for a company running its product in the cloud. But aside from these well-known services, there are also various features—with new ones coming out continuously—that can help you handle different aspects of your cloud.
AWS Organizations is an extremely powerful tool that many teams use to centralize AWS account management. This includes controlling groups of AWS accounts, managing compliance and architecture, centralizing workflows and the policies that apply to them, and much more. With the added visibility that AWS Organizations provides, security and costs are more transparent.
The good news is that there are many tools you can integrate with AWS Organizations to improve the transparency and control of your cloud environment even more. In this article, we’ll be going over a few of these features.
AWS S3 Storage Lens
Storage is one of the most-used services in the cloud, rivaled only by computing power. But there is more to storing data than just dumping it in an S3 bucket, even with the proper S3 storage tools. As we store more and more objects and as storage requirements in the cloud change, there’s a tendency to veer away from proper data management. This means that the structure of subfolders or a naming convention, for example, might become less than ideal.
Simply put, as complexity and storage grow, things can get out of hand, leaving you with a storage solution that is perhaps functional but also very confusing. This will ultimately lead to excessive storage costs, as you might not be utilizing proper storage tiers. For example, instead of moving some less-used data to cold storage like AWS Glacier or at least an Infrequent Access S3 tier, you could be over-utilizing the Standard tier, which costs more while providing you with no additional benefits.
To combat such scenarios (which are unfortunately commonplace today), AWS released S3 Storage Lens, a feature to help you with cloud storage analysis. Through its integration with AWS Organizations, S3 Storage Lens provides organization-wide visibility into stored data, using various metrics (there are some 30 different ones available) and trends. With these, you can look for cost inefficiencies and anomalies.
S3 Storage Lens provides recommendations for you as well, which is always a nice helping hand, especially if you are not too proficient with AWS Cloud or do not have a team of dedicated people to hop on the task. And if you are looking to do some calculations yourself, there is a detailed dashboard where you can aggregate the data based on various parameters (like region, bucket, accounts, etc.). This data is also stored in an S3 bucket in raw format if you want to ingest it for further analysis.
S3 Storage Lens also gives you a dashboard with 15 different metrics for free. You can opt to upgrade to the advanced tier to receive advanced metrics and recommendations, including more than 30 usage and activity metrics, contextual recommendations, and prefix aggregations, but this costs $0.20 per million objects monitored per month. The advanced tier also includes 15 months of data retention, activity metrics, and prefix-level aggregation.
AWS Security Hub
AWS provides you with a multitude of different tools and features to alert you on potential threats and misconfigurations or to simply notify you that a desired threshold on a metric has been surpassed (e.g., high CPU utilization on your production server).
But the problem is that these alerts are spread across the individual services. So you have Systems Manager, GuardDuty, Firewall Manager, Amazon Inspector, etc., each with its own set of alerts.
To avoid continuously going back and forth between all of these, AWS offers Security Hub, a centralized place where you can organize, aggregate, and prioritize your security alerts and other findings. With various automated security checks, AWS Security Hub monitors your cloud environment; plus, you can use Amazon Detective to investigate these findings and rely on CloudWatch event rules to send these findings to various incident management tools.
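The event-rule hand-off described above, sketched as an added example (not code from AWS or from this article): a rule pattern that selects new, active, high-severity Security Hub findings, and a handler that re-checks each finding before turning it into a ticket for an incident management tool. The field names follow the AWS Security Finding Format; the names triage, _finding and SAMPLE_EVENT, the account IDs and the bucket ARNs are constructed for illustration.

```python
# Added example: triage of Security Hub findings delivered by an event rule.
# Rule pattern in the EventBridge (CloudWatch Events) format for Security Hub.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}
RANK = {"CRITICAL": 0, "HIGH": 1}  # sort order for the labels the rule lets through


def triage(event):
    """Return one ticket dict per actionable finding, most severe first.

    The rule's conditions are re-checked per finding, so a handler that is
    invoked with a batch (or by a looser rule) still drops noise.
    """
    if event.get("source") not in EVENT_PATTERN["source"]:
        return []
    if event.get("detail-type") not in EVENT_PATTERN["detail-type"]:
        return []
    wanted = EVENT_PATTERN["detail"]["findings"]
    tickets = []
    for f in event.get("detail", {}).get("findings", []):
        label = f.get("Severity", {}).get("Label")
        if label not in wanted["Severity"]["Label"]:
            continue  # LOW / MEDIUM / INFORMATIONAL stay in the console
        if f.get("Workflow", {}).get("Status") not in wanted["Workflow"]["Status"]:
            continue  # already NOTIFIED, SUPPRESSED or RESOLVED
        if f.get("RecordState") not in wanted["RecordState"]:
            continue  # ARCHIVED findings are no longer current
        tickets.append({"finding_id": f.get("Id"), "account": f.get("AwsAccountId"),
                        "severity": label, "title": f.get("Title"),
                        "resources": [r.get("Id") for r in f.get("Resources", [])]})
    return sorted(tickets, key=lambda t: RANK[t["severity"]])


def _finding(i, account, label, status="NEW", state="ACTIVE"):
    # Constructed sample finding; every value here is made up.
    return {"Id": f"example-finding-{i}", "AwsAccountId": account, "Title": f"Constructed finding {i}",
            "Severity": {"Label": label}, "Workflow": {"Status": status}, "RecordState": state,
            "Resources": [{"Id": f"arn:aws:s3:::example-bucket-{i}"}]}


SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [_finding(1, "111111111111", "HIGH"),
                                        _finding(2, "222222222222", "CRITICAL"),
                                        _finding(3, "111111111111", "LOW"),
                                        _finding(4, "222222222222", "CRITICAL", status="SUPPRESSED"),
                                        _finding(5, "111111111111", "HIGH", state="ARCHIVED")]}}

if __name__ == "__main__":
    for ticket in triage(SAMPLE_EVENT):
        print(ticket["severity"], ticket["account"], ticket["title"])
```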
AWS Security Hub additionally uses Security Checks and Finding Ingestion Events. The former provides you with prepackaged security standards (such as PCI DSS, CIS, etc.), with Security Hub leveraging AWS Config to record configurations. These Security Checks cost $0.0010 per check for the first 100,000 checks/account/region/month, with the AWS price dropping the more you use them.
On the other hand, Finding Ingestion Events that are linked to Security Hub’s Security Checks are completely free; Security Hub simply ingests data from the various AWS services you’re already utilizing.
AWS License Manager
Software license management can be a tedious task, especially in larger enterprises where you are most likely to have multiple vendor licenses such as Oracle, SAP, IBM, and Microsoft, as well as many others. Keeping track of these licenses can be a problem in itself, but you also need to ensure that you are not breaching any terms of your license agreements. With AWS License Manager, you get customized licensing rules that replicate the terms of your various agreements, helping you avoid any licensing breaches.
AWS License Manager will not only notify you about potential violations but also prevent you from, for example, launching an instance if that is something that is out of the scope of your license. Basically, AWS License Manager drastically reduces the chance of non-compliance and, with this, the additional cost that would follow—a nice benefit, as overcharges are not really uncommon today. Also, moving away from spreadsheets or custom notifications to a managed solution can save you a great deal of time.
AWS License Manager comes at no additional cost, which makes it a must-use feature in any cloud environment that depends on various vendor licenses.
AWS Audit Manager
Auditing plays an important role in ensuring security and compliance in the cloud. But auditing is also an exhausting task that takes away time that could be better spent elsewhere. That is why you need to consider a feature like AWS Audit Manager. With it, you can greatly simplify risk assessment and compliance by continuously auditing your cloud usage. This will in turn help you ensure that you are up to industry standards with much less effort.
AWS Audit Manager is fully automated and works by collecting evidence across your entire organization (one or more accounts if needed). This is especially important for large cloud environments where the audit process can scale up to a level that is hard to keep track of. Audit Manager uses this data to create a report by mapping your AWS resources to the various industry standards and regulations (GDPR, PCI DSS, CIS, etc.); this can of course be customized for your specific needs. Ultimately, this reporting will allow you to easily assess whether your activities, policies, etc., are as they should be. So whether you are looking for internal risk assessment or the automation of auditing in the cloud or are getting ready to report to your stakeholders, AWS Audit Manager is the tool for the job.
Audit Manager charges you per resource assessment; there is no minimum fee or upfront commitment required. Each resource assessment generates one piece of evidence, whether it is user activity (collected from AWS CloudTrail), a compliance check result (from AWS Security Hub or AWS Config), or an EBS snapshot of a resource configuration (captured directly from AWS), with a cost of $1.25 per 1,000 Audit Manager resource assessments per account per region.
Summing it up
AWS is continuously adding new features and services to their cloud portfolio. The four that we reviewed in this article are only a part of what can be found on AWS, but they are very beneficial tools for many companies running their business in the cloud today.
AWS S3 Storage Lens is great for anyone who stores large amounts of data in the cloud, which is almost everyone these days. AWS Security Hub helps you centralize alerts in one place, ensuring that you don’t miss anything important. AWS License Manager is great for anyone who relies on various vendor licensing, making sure that no breach or overcharge occurs. And AWS Audit Manager greatly simplifies auditing processes, helping you maintain required industry standards.
Some of these features are free, some incur additional cost, but all of them are definitely worth looking into.