Today OneLogin is thrilled to announce our new integration with Amazon EventBridge. Customers that use both OneLogin and Amazon Web Services (AWS) CloudWatch can take advantage of this integration to monitor activities, alert on threats and execute event-based workflows across their OneLogin and AWS environments. As an Advanced APN Partner with a Security Competency, OneLogin is a trusted IAM platform for AWS customers building out an identity management strategy as part of AWS’s Shared Responsibility Model. We are excited to collaborate with AWS on this initiative building upon our existing capabilities to provide secure, unified access to cloud and on-premises environments.
What are Amazon CloudWatch & EventBridge?
Amazon CloudWatch is a popular service within the AWS ecosystem that provides a native AWS tool for monitoring, alerting and reacting to events. The tool is built with a DevSecOps mindset and intended for developers, system operators, and IT managers overseeing and securing their organization’s AWS resources, applications, and services.
Amazon EventBridge is a new extension for the Amazon CloudWatch service, providing APIs for AWS CloudWatch Events that allow SaaS providers, like OneLogin, to inject events for their customers to process inside AWS. These events can then be monitored, alerted on and reacted to just like any other event generated in the AWS ecosystem.
What is OneLogin for Amazon EventBridge?
The new OneLogin for Amazon EventBridge integration allows organizations to stream events data from OneLogin to their Amazon CloudWatch instances and build custom identity workflows that combine OneLogin and AWS events and actions.
What are best practices for identity automation?
Our purpose-built integration delivers comprehensive identity-automation capabilities for increased security and productivity across your OneLogin and AWS environments. Here are a few real examples and best practices you can apply in your environment.
Example 1: Trigger notifications and automate security workflows for suspicious behavior
Leverage CloudWatch rules to trigger alerts for high-risk or failed authentication requests across all applications integrated with OneLogin, which for many organizations means hundreds of applications, including their most business-critical ones.
Example 2: Automate onboarding and offboarding of users to AWS
Configure CloudWatch rules to trigger workflow activities for provisioning and deprovisioning of user access, including terminating ongoing live sessions, invalidating API access keys and transferring ownership of AWS resources currently owned by the offboarded user.
In our conversations with customers, especially modern organizations with a strong DevSecOps mindset, we have seen common ideas and techniques for building robust and effective security monitoring using OneLogin and Amazon EventBridge:
Collect all data
Security monitoring requires a historical and holistic view. You want to collect all information as early as possible so that when new or additional requirements emerge at a later stage, the historical data is available for further analysis. The OneLogin integration with Amazon EventBridge streams all events, so it is easy to start collecting all data. That is a great starting point.
Start experimenting with monitoring and workflow
Once you collect all the data, start to experiment with business logic in stages. Begin with a pilot. Identify one critical workflow that is well understood and that has a high impact on your organization, and try to implement just that one. With the combination of OneLogin and Amazon EventBridge, you can easily start experimenting by focusing on one event type without over-engineering or trying to achieve every possible goal too early.
Responsive security for your cloud
Security events require immediate attention. Try to implement closed-loop workflows that respond quickly to developing security situations with as little latency as possible. The OneLogin integration with Amazon EventBridge is based on near real-time streaming of security events. This provides the opportunity to build timely alerts and reactive measures for security events.
See the big picture
Effective security monitoring requires a holistic view. Start by aggregating multiple event streams across your DevSecOps environment. With the OneLogin-Amazon EventBridge integration, you can combine any of OneLogin’s comprehensive set of identity events with AWS native events as well as with other event sources in your environment, providing the holistic view needed to identify and react to security events effectively.
Never stop iterating
Active monitoring is not a static project. The business environment continuously changes, compliance and risk requirements continue to evolve and new insight requires new measures to better monitor your environment. The nimble nature of a cloud-native infrastructure of OneLogin and AWS, where no software component is installed, provides the foundation for an agile approach to security monitoring.
How does it work?
The integration is completely cloud-based, so no software installation of any kind is needed. The integration includes a new Event Broadcaster for Amazon EventBridge that is easily configured from the OneLogin admin console. Amazon CloudWatch event-bus and event-rules are configured from the AWS console or the AWS command-line. With these few simple tasks, AWS teams can enable event streaming from their OneLogin environment to their Amazon CloudWatch environment.
Events, in JSON format, are sent in near real-time and include a complete audit trail of activities in the OneLogin environment. Event types include event reporting on user activities, login activities, MFA events, provisioning and deprovisioning activities, policy definition, configuration changes, and more. For more information, see Event Resource and Types.
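The rule idea from Example 1 applied to the JSON events described above, as an added example that is not OneLogin's or AWS's code: a small Python evaluator for a subset of EventBridge event-pattern semantics (exact values, `prefix`, `numeric`), run over constructed events. The `detail` field names, type ids, risk scale and source name are assumptions, not taken from the OneLogin event schema.

```python
import json
import operator

# "source" and "detail" are EventBridge envelope keys. Everything under
# "detail" (field names, type ids, 0-100 risk scale) is assumed for this example.
RULE = {
    "source": [{"prefix": "aws.partner/"}],         # only partner-delivered events
    "detail": {
        "event_type_id": [6, 9],                    # assumed failed-login type ids
        "risk_score": [{"numeric": [">=", 70]}],    # assumed high-risk threshold
    },
}
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}

def _value_matches(cond, value):
    """Check one entry of a pattern's value list against one event value."""
    if isinstance(cond, dict):
        if "prefix" in cond:
            return isinstance(value, str) and value.startswith(cond["prefix"])
        if "numeric" in cond:
            # Strings such as "85" are not numbers; bool is excluded explicitly.
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = cond["numeric"]
            return all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
        raise ValueError(f"unsupported filter: {cond}")
    # Exact match; keep True from matching 1.
    return cond == value and isinstance(cond, bool) == isinstance(value, bool)

def matches(pattern, event):
    """Every key in the pattern must match (AND); any listed value may match (OR)."""
    for key, cond in pattern.items():
        value = event.get(key)
        if isinstance(cond, dict):
            ok = isinstance(value, dict) and matches(cond, value)
        else:
            ok = key in event and any(_value_matches(c, value) for c in cond)
        if not ok:
            return False
    return True

# Constructed sample events, not real OneLogin output.
SAMPLE_EVENTS = [json.loads(line) for line in (
    '{"source": "aws.partner/example.com/tenant/stream", "detail": {"event_type_id": 6, "risk_score": 85, "user_name": "alice"}}',
    '{"source": "aws.partner/example.com/tenant/stream", "detail": {"event_type_id": 6, "risk_score": 10, "user_name": "bob"}}',
    '{"source": "aws.ec2", "detail": {"event_type_id": 6, "risk_score": 99, "user_name": "carol"}}',
    '{"source": "aws.partner/example.com/tenant/stream", "detail": {"event_type_id": 9, "risk_score": "85", "user_name": "dave"}}',
)]

def alerts(events, rule=RULE):
    """Return the user names of events the rule would forward to a target."""
    return [e["detail"].get("user_name") for e in events if matches(rule, e)]
```

The last sample shows a common rule-writing pitfall: a risk score delivered as a string never satisfies a `numeric` filter, so the rule silently misses it.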
Try it for yourself
The new OneLogin for Amazon EventBridge provides AWS customers with unparalleled visibility and control over their combined OneLogin and AWS environment, extending the boundaries of unified access management and identity security to the next level.
The integration is available today, July 11th, 2019, as part of an Early Preview program. Customers interested in enabling the integration in their environment can register for the Early Preview program.