Real-time

CloudSploit hooks into the AWS event bus via CloudWatch Events. If something risky happens, you'll know about it within 30 seconds.

Configurable

Users can customize risk-level, acceptable behavior, trusted IPs, and more to ensure results are custom-tailored to their account.

Intelligent

With access to thousands of event streams, CloudSploit is able to detect and respond to suspicious behavior on a global scale.

When would you find out if a malicious user was created in your AWS account?

Hours later? Days? Never? We believe it should be within seconds. The same is true for any action that has security implications:

  • CloudTrail disabled
  • Security groups changed
  • New SSH keys trusted
  • VPC peering connections initiated
  • MFA devices deactivated
  • Logs deleted or modified
  • Root user console signins

Get notified if a security group is changed from a suspicious IP on a weekend.

Your business has complex rules that affect its security policies. Your security solution should understand those rules.

  • Trusted IP addresses
  • Expected time ranges
  • Root user activity
  • Cross-account access
  • MFA device requirements

Detect the security needle in the event-stream haystack.

Large accounts may see hundreds of thousands of API calls per hour. CloudSploit helps find the one API call that might compromise your account.

CloudSploit is one of the few security services that connects to CloudWatch Events. CloudWatch Events integrates with CloudTrail and serves as the notification point for every API call. Other services that only query CloudTrail Logs may take up to 10 minutes to detect new calls; CloudWatch Events is notified within seconds.

New signatures are generated in real-time as more accounts are connected.

Bob's AWS account is experiencing an elevated level of suspicious activity from questionable IPs. Wouldn't it be great if Alice's account could be monitored for similar calls?

If Bob and Alice are both CloudSploit users, they can! CloudSploit uses its access to a massive network of events to create attack signatures in real-time and protect all of its users.

The larger the CloudSploit network grows, the more intelligent it becomes.

Frequently Asked Questions

Our support team can answer any other questions that our help page can't.

How do I configure CloudSploit Events?

Setup is simple. You launch a CloudFormation template that creates CloudWatch Events rules in your account. These rules are triggered when specific API calls are made, and the event content is immediately sent to CloudSploit for processing via an SNS message. CloudTrail must be enabled.

How is a security determination made?

CloudSploit uses a variety of factors, both account specific and globally applied, to determine the security impact of an API call. For example, security group changes are analyzed for suspicious IP ranges and may only be triggered in some contexts. However, the "cloudtrail:StopLogging" API call will always trigger an alert.
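To illustrate the kind of determination described in the two answers above, here is an added example (not CloudSploit's own code) that classifies constructed CloudTrail records as CloudWatch Events would deliver them: StopLogging always alerts, while a security group change alerts only when the caller IP falls outside a hypothetical trusted network list or the call lands outside an assumed business-hours window. The field names are CloudTrail's; the policy values are placeholders.

```python
"""Added example, not CloudSploit's code: classify CloudTrail records the way the FAQ
describes. StopLogging always alerts; a security group change alerts only when the
caller IP is outside a trusted set or the call falls outside expected hours."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed, hypothetical per-account policy (the "trusted IPs" and "expected time ranges")
TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # documentation range used as a placeholder
BUSINESS_HOURS_UTC = range(8, 18)               # 08:00-17:59 UTC, Monday to Friday
ALWAYS_ALERT = {("cloudtrail.amazonaws.com", "StopLogging")}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}

def in_trusted_net(ip):
    try:
        addr = ip_address(ip)
    except ValueError:      # CloudTrail may carry "AWS Internal" or a service DNS name here
        return False
    return any(addr in net for net in TRUSTED_NETS)

def outside_hours(event_time):
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS_UTC

def classify(detail):
    """detail: the CloudTrail record carried in a CloudWatch Events 'detail' field.
    Returns (alert, reason)."""
    if (detail["eventSource"], detail["eventName"]) in ALWAYS_ALERT:
        return True, "always-alert API call"
    if detail["eventName"] in SG_CHANGES:
        reasons = []
        if not in_trusted_net(detail.get("sourceIPAddress", "")):
            reasons.append("untrusted source IP")
        if outside_hours(detail["eventTime"]):
            reasons.append("outside expected hours")
        if reasons:
            return True, "security group change: " + ", ".join(reasons)
    return False, "no rule matched"

# Constructed sample records in CloudTrail's field layout
SAMPLES = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10", "eventTime": "2017-03-14T10:00:00Z"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7", "eventTime": "2017-03-18T02:15:00Z"},   # a Saturday
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10", "eventTime": "2017-03-14T10:00:00Z"},   # trusted, in hours
]
```

Running `classify` over `SAMPLES` alerts on the first two records and passes the third; a real deployment would evaluate the `detail` field of each SNS message delivered by the CloudWatch Events rule.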

What kinds of risks can CloudSploit Events detect?

CloudSploit can detect a near-infinite number of potential risks. Examples include CloudTrail being modified, stopping the delivery of logs, changes made to ConfigService, new user accounts being created with excessive permissions, suspicious IP addresses attempting to sign into the console, failed login attempts, updates to security groups, creation of new SSL certificates or trusted SSH keys, changes to IAM users, removal of MFA device requirements, API calls made without MFA, changes to the account password policy, activity during blacklisted hours, activity from unknown IP addresses, and many more.

Does CloudSploit Events cost extra?

Events are available with all Premium Plans at no extra charge, as long as CloudSploit processes fewer than 500k events per month. However, AWS charges for the resources that are created in your account. Specifically, you will be charged for SNS endpoints ($0.50/region/million calls), and CloudWatch Events delivery ($1.00/region/million calls). 99% of users will see less than a $5 increase from AWS per month.

What kind of information does CloudSploit collect?

CloudSploit processes and stores the AWS API call. This includes the AWS region, caller ARN, IP address, user agent, and API call body. The contents of the body vary depending on the call made. You can view event samples from AWS here.

Can I choose what events are sent to CloudSploit?

Yes. You have complete control over which AWS API calls are sent to CloudSploit. You can simply adjust the CloudFormation template to only send events you have approved. This can be done on a per-region and per-service level. Keep in mind that this may affect CloudSploit's ability to detect potentially malicious API calls.

How does CloudSploit use the information it collects?

First, CloudSploit never shares your AWS account data in any way, shape, or form. Part of the advantage of CloudSploit Events is that we have access to millions of events from around the world. We use these events to improve the security of every user. For example, if we detect repeated failed login attempts against an AWS account, we can use that attack signature to alert other accounts in which we detect the same activity. We will never expose any information about your account, or even the fact that you exist as a customer. All information is strictly used for security determination.

Does CloudSploit Events work in every region?

CloudSploit is limited to regions where AWS CloudWatch Events is operational. Currently, that includes every public region except ca-central-1 (Canada) and eu-west-2 (London). Each region operates independently, and you will need to launch a CloudFormation template containing the SNS and Events resources in each region you wish to use. CloudSploit strongly recommends running Events in every available region, so that activity in unused regions is not missed.

Ready to test your security?

Sign up and begin scanning within minutes

Get Started