AWS Security

Additional Information: See the Security Guidance topic from AWS for current best practices in securing your AWS resources.

Security Overview

For information on security of the SentryOne platform solution, please see the SentryOne Security section.

Security Questions

Are there any requirements for using root credentials for access?

  • No, this is not necessary for the SentryOne solution on AWS.
  • See the AWS documentation topic on The AWS Account Root User for more information.

How are all IAM policies, S3 bucket policies, and other security policies (e.g. SQS, SNS, etc.) vetted to ensure that there is no unintended exposure of sensitive data to the public?

  • We do not create any of these policies as part of our deployment.

Are there any resources that are intentionally publicly available?

  • The EC2 image is created with RDP ports open so that you can connect to the instance over Remote Desktop.
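Because the image ships with RDP reachable, the practical follow-up is to confirm that the instance's security group does not leave TCP 3389 open to every source address. The script below is an added example and is not SentryOne's or AWS's own code: it audits security group descriptions in the shape returned by `aws ec2 describe-security-groups` and rewrites any world-open RDP source to a narrower CIDR. The group ID, group name and CIDR ranges are constructed sample values, and the `203.0.113.0/24` range used in the usage call is a placeholder for your own administrative network.

```python
"""Audit EC2 security group rules for RDP (TCP 3389) exposed to the world.

Added example; not SentryOne's or AWS's code. The input mimics the shape of
`aws ec2 describe-security-groups` output, but the group ID, names and CIDRs
below are constructed sample values.
"""
from copy import deepcopy

RDP_PORT = 3389
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: one group with RDP open to the world plus a scoped SQL rule.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example000000001",
        "GroupName": "sentryone-example-sg",
        "IpPermissions": [
            {
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            },
            {
                "IpProtocol": "tcp",
                "FromPort": 1433,
                "ToPort": 1433,
                "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                "Ipv6Ranges": [],
            },
        ],
    }
]


def _covers_rdp(perm):
    """True if a permission entry includes TCP 3389 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and ports in the EC2 API
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def find_world_open_rdp(groups):
    """Return (group_id, cidr) pairs where RDP is reachable from any address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((group["GroupId"], cidr))
    return findings


def restrict_rdp_ingress(groups, allowed_cidr):
    """Return a copy of the groups with world-open RDP sources replaced by
    allowed_cidr (for example a VPN or bastion range). World-open IPv6 entries
    are dropped, since a single IPv4 CIDR cannot stand in for them."""
    result = deepcopy(groups)
    for group in result:
        for perm in group.get("IpPermissions", []):
            if not _covers_rdp(perm):
                continue
            perm["IpRanges"] = [
                {"CidrIp": allowed_cidr} if r["CidrIp"] in WORLD_CIDRS else r
                for r in perm.get("IpRanges", [])
            ]
            perm["Ipv6Ranges"] = [
                r for r in perm.get("Ipv6Ranges", [])
                if r["CidrIpv6"] not in WORLD_CIDRS
            ]
    return result


if __name__ == "__main__":
    for group_id, cidr in find_world_open_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: RDP (tcp/{RDP_PORT}) open to {cidr}")
    # 203.0.113.0/24 is a documentation range used here as a placeholder.
    fixed = restrict_rdp_ingress(SAMPLE_GROUPS, "203.0.113.0/24")
    print("after restriction:", find_world_open_rdp(fixed))
```

The audit treats a protocol of `-1` (all traffic) as covering RDP, so a catch-all rule is reported as well; the rewrite only touches permissions that include port 3389, leaving rules such as the scoped SQL Server entry untouched. To apply the result to a live account you would feed the rewritten permissions to the corresponding EC2 revoke and authorize calls rather than editing the description in place.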

How do I create IAM Roles and Policies that are scoped down for minimal access?

How do I authenticate with AWS using IAM user credentials or roles?

  • The VM created as part of the SentryOne offering can be secured using IAM like any other EC2 machine.
  • See the What is IAM? topic from AWS documentation for more information.

Are there any keys, secrets, or rotation policies used in this deployment?

How do I manage VPNs when using AWS?

How do I set my connection to trust server certificates?

How do I encrypt the network traffic between the SentryOne components?

How do I create EC2 security groups and VPC access control lists?

How do I perform any necessary data encryption configuration (e.g. S3 SSE, EBS encryption, LUKS, etc.)?

  • This is not necessary as we do not create any of these as part of our deployment.
  • For information on applying SQL Server data encryption methods, see the SQL Server Encryption topic at Microsoft Docs.
    • This includes guidance on choosing an encryption algorithm, Transparent Data Encryption (TDE), SQL Server database encryption keys, Always Encrypted, SQL Server certificates and asymmetric keys, and more.

How do I create any necessary risk audit mechanism (e.g. CloudTrail, S3 Access Logs)?

How do I tag resources?

What do I need to know about the purposes of IAM Roles and IAM Policies created for this solution?

  • We do not create any of these as part of the SentryOne solution.
  • For more information on IAM Roles and IAM Policies in general, see the IAM Roles topic in AWS documentation.

How do I change the Monitoring Service Logon Account credentials?

  • Refer to the Monitoring Service Logon Account article for information on using the Service Configuration Utility to update the stored credentials of the SentryOne monitoring service.