Cloud Security Automation
Securing a cloud infrastructure is a complicated process due to the scale of modern cloud deployments. Relying on systems administrators to manually configure and maintain the security settings of systems is error-prone and inefficient. Fortunately, the trend toward SOAR (Security Orchestration, Automation, and Response) has improved how admins approach cloud security. Powerful automation tools allow a small team to effectively secure a large fleet of servers.
For example, consider vulnerability scanning. While manual testing is important, automated vulnerability scans can quickly and frequently look for known vulnerabilities across many systems.
The complexity of modern cloud security can make the topic feel unapproachable. To make cloud security automation less intimidating, this article will guide you through these topics:
- The key elements of cloud security automation
- How to automate cloud security, including:
  - A step-by-step guide to automating security for AWS
  - Code snippets of relevant commands
  - Screenshots of relevant UIs and configurations
- How to implement these steps on other cloud platforms
Key elements of cloud security automation
Cloud security is a broad topic, and there are a variety of ways to approach automating it. However, some fundamental practices make a big impact and set the foundation for other good practices.
| Cloud security practice | Description |
|---|---|
| Deployment | Deployment should be done with automated tools like Ansible that make your security infrastructure auditable via infrastructure-as-code. |
| Asset tagging | Cloud providers offer interfaces for tagging and tracking different machines so you can organize them and manage them collectively. |
| Vulnerability scanning | Rather than waiting for pentesters to look around, automated scans can find vulnerabilities in code before it is even pushed to production. |
| Threat detection | Modern security automation strategies like SOAR involve orchestrating suites of tools to manage your security infrastructure and find threats with minimal necessary interaction from human analysts. |
How Cloud Security Automation works
Securing cloud infrastructure is tedious and error-prone due to the many layers of technology involved. Consider the different layers of the attack surface for a typical cloud deployment:
- Web application
- Frontend
- Database
- API
- VPN (Virtual Private Network) for remote workers
- Backup servers
- Email server for marketing campaigns
This list goes on and on. Cloud security is not a single topic but a multi-layered mesh.
Cloud security is multi-faceted, making it challenging to manage manually (source)
The complexity of cloud infrastructure makes it ripe for automation, resulting in many tools and services to make it easier.
How to automate security on a cloud deployment
Let’s go through the elements of cloud security automation presented in the summary earlier and look at how they apply to an actual cloud deployment. For this example, we’ll use Linux systems running on AWS, but the principles are the same for other operating systems and cloud providers.
1. Deployment
In traditional security engineering, the technician would log into a system and change the configurations to be more secure. Over time, this process could be automated with a Bash script. In modern cloud operations, engineers leverage powerful tools to implement infrastructure as code (IaC). Infrastructure is described in a code repo from which it can be built and deployed automatically.
If the configuration requires change, the code in the repo is changed, and the infrastructure is redeployed. When applied to normal infrastructure management, this is the philosophy of DevOps. Taking a step further to add managing security configurations and security infrastructure, this is DevSecOps.
DevSecOps applies the DevOps philosophy to security infrastructure. (Source)
Ansible is a popular infrastructure-as-code software suite. We can use Ansible to automate the setup of a SIEM (security information and event management) on our cloud environment. First, download the Ansible ELK (Elasticsearch, Logstash, and Kibana) playbook here. Next, follow the instructions in the README for installing ELK with the playbook. Finally, you are ready to deploy:
```
$ ansible-playbook site.yml

PLAY [Deploying Web Server] ************

TASK [Gathering Facts] **********************
[...]
```
We can check that the ELK stack is running by visiting the Elasticsearch REST API on its default port at http://localhost:9200 (on the host where the playbook deployed it).
Wonderful! This allows us to perform log analysis, network monitoring, and other crucial security tasks without requiring much human oversight. You can now customize the SIEM to meet your organizational needs.
2. Asset tagging
Keeping track of cloud assets is hard. You could do it the old-fashioned way, with a manually updated spreadsheet. However, the spreadsheet can easily fall out of sync with the actual status of systems in production.
The solution is asset tagging.
AWS allows you to add multiple descriptive tags to any resource. (Source)
Using this functionality, you can quickly find all machines that meet specific criteria. For example, imagine a new vulnerability affects a specific version of Ubuntu. You can use tags to get all of the machines running Ubuntu and apply a patch to them.
For a more thorough exploration of asset tagging on AWS, check out the official Tagging AWS resources docs.
3. Vulnerability scanning
Once your infrastructure is organized as a codebase (infrastructure-as-code), you can easily integrate vulnerability scanning tools. For example, you can use GitHub code scanning to detect dependencies with known vulnerabilities automatically. More sophisticated tools like Snyk warn you about likely security issues throughout your code.
As a security engineer, you can set this up without writing additional code.
Snyk offers a visual interface for monitoring codebases for vulnerabilities. (Source).
This combines well with asset tagging because you can create custom vulnerability scanning strategies for different asset categories. Your vulnerability scanning playbooks should map one-to-one to the different tags in your asset tagging inventory, so that every tagged asset has a scan that covers it and no playbook targets assets that no longer exist.
4. Threat detection
The most exciting developments in cloud security automation relate to SOAR, which includes automated detection and response to attacks. To reiterate, SOAR stands for Security Orchestration, Automation and Response. This approach builds on SOC and SIEM technology to automate security management as much as possible.
This includes strategies such as:
- Integrations with a wide variety of data sources
- Automated incident response
- Playbooks and repeatability (making security work automatable)
- Detecting intrusion attempts in real time
This enables security software to go beyond passive defense to actively hunting for attackers using sophisticated technology. For example, Devo SOAR offers a no-code interface for creating playbooks that integrate with every major cloud provider. However, what sets these tools apart is the use of machine learning and artificial intelligence.
Learn more about how AI powers modern threat detection in our companion article, Intrusion Detection AI.
Of course, intrusion detection is not the only aspect of SOAR that benefits from current trends in machine learning. Security analytics are also changing dramatically with the introduction of algorithms that find complex correlations that would be invisible to most human analysts.
Devo and other modern SOAR solutions use ML to power analytics. (Source).
Best of all, these solutions integrate easily with any modern cloud provider and operating system. The SOAR solution should easily connect to the kinds of tools mentioned in the previous steps. In essence, the purpose of the SOAR is to bring these tools together under a single, manageable orchestration mechanism so that monitoring, detection, and response can be maintained and automated in one place.
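To make the "detect in real time, then respond automatically" loop concrete, here is an added example (not from the article or any vendor product) of the smallest detection rule a SOAR playbook automates: it walks constructed ELK-style authentication events, flags a source IP that fails to log in five times within sixty seconds, and returns the response actions a playbook would queue for analyst review. The field names, threshold, and window are assumptions; the IPs are from documentation ranges.

```python
"""Sliding-window brute-force detection over SIEM events, plus the response
actions a SOAR playbook would queue. All events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # assumed: failures needed to raise an alert
WINDOW = timedelta(seconds=60)  # assumed: time span those failures must fall in


def ev(ts, ip, outcome="failure"):
    """Build one constructed event using ECS-like field names."""
    return {"@timestamp": ts, "source.ip": ip, "event.outcome": outcome}

# 192.0.2.10: five failures in 20 s (should alert).
EVENTS = [ev(f"2024-05-01T10:00:{s:02d}Z", "192.0.2.10") for s in (0, 5, 10, 15, 20)]
# 198.51.100.7: five failures two minutes apart (too slow for the window).
EVENTS += [ev(f"2024-05-01T10:{m:02d}:00Z", "198.51.100.7") for m in (0, 2, 4, 6, 8)]
# A normal successful login that must be ignored by the rule.
EVENTS += [ev("2024-05-01T10:00:30Z", "203.0.113.5", "success")]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Per-source sliding window over failed logins. Returns one alert per
    offending IP, raised the first time the threshold is crossed; events are
    sorted first so out-of-order ingestion does not change the result."""
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e["event.outcome"] != "failure":
            continue
        ip, ts = e["source.ip"], parse_ts(e["@timestamp"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": q[0].isoformat(), "count": len(q)}
    return alerts


def response_actions(alerts):
    """What the playbook queues for each alert: a block-list entry and a
    ticket, so the response is repeatable and leaves an audit trail."""
    return [{"action": "block_source", "ip": ip,
             "ticket": f"Brute force from {ip}: {a['count']} failures since {a['first_seen']}"}
            for ip, a in alerts.items()]
```

Feeding the same events with a ten-minute window also flags 198.51.100.7, which is the tuning decision a detection engineer makes per data source.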
Using other non-AWS platforms
The above principles apply to any cloud provider, operating system, and software stack. Of course, the specific steps and commands involved will vary.
You can find instructions for automating security on different cloud providers using the resources below.
- GCP: How to Automate Security in Google Cloud?
- Azure: Microsoft learn – Overview of automated investigations
- Firebase: Get started with Firebase Security Rules
Different operating systems support different tools and infrastructure for automating security. The biggest gap is between Windows and Unix-based systems. If you want to automate security for cloud systems using an operating system other than Linux, consult the appropriate resource below.
- Windows: Microsoft Power Automate security documentation
- MacOS: Automated Secure Configuration Guidance for macOS
- FreeBSD: Automating Network Infrastructures with Ansible on FreeBSD
Of course, the specific tools we chose to demonstrate the concepts in this article exist within a diverse ecosystem. There are many SIEM solutions besides the ELK stack, for example. Below we offer some resources for learning to implement cloud security automation principles using other tech stacks.
- SIEMs: The Buyer’s Guide to Next Gen SIEMs
- SOAR: SOAR Tools
- IaC: Infrastructure as Code in a DevSecOps World
Conclusion
A modern cloud deployment’s complexity presents unique challenges for security engineers. That difficulty is precisely why automation is so crucial – configuring everything manually has a high margin of error. Automating the tedious work of securing cloud infrastructure frees security pros to focus on finding new strategies for defending your organization.